[Cisco ASA] IPsec Event parsing failing "object mapping for [network.inner] tried to parse field [inner]" #2571

matthiasledergerber · 2022-01-25T14:21:17Z

We are currently using the Cisco ASA Integration to parse syslog messages.

Elastic-Stack: 7.16.2
Beats-Agent: 7.16.2
Cisco ASA Integration: 1.3.2

However, when recieving IPsec messages the Elastic-Agent Publisher fails with the following message:

Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.January,
        25,
        14,
        53,
        25,
        169746713, time.Local), Meta: {
            "raw_index": "logs-cisco_asa.log-default",
            "truncated": false
        }, Fields: {
            "agent": {
                "ephemeral_id": "e22b72b3-538e-4a1b-b902-382b184abce1",
                "hostname": "AAR0055N",
                "id": "2c334692-54c8-462f-be0c-227c8038dec2",
                "name": "HOSTNAME",
                "type": "filebeat",
                "version": "7.16.2"
            },
            "data_stream": {
                "dataset": "cisco_asa.log",
                "namespace": "default",
                "type": "logs"
            },
            "ecs": {
                "version": "1.12.0"
            },
            "elastic_agent": {
                "id": "2c334692-54c8-462f-be0c-227c8038dec2",
                "snapshot": false,
                "version": "7.16.2"
            },
            "event": {
                "dataset": "cisco_asa.log",
                "timezone": "+01:00"
            },
            "input": {
                "type": "udp"
            },
            "log": {
                "source": {
                    "address": "10.10.10.10:514"
                }
            },
            "message": "\u003c166\u003eJan 25 2022 13:53:25 HOSTNAME : %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD565F968) between 1.1.1.1 and 2.2.2.2 (user= DefaultL2LGroup) has been created.\n",
            "tags": [
                "preserve_original_event",
                "cisco-asa",
                "forwarded"
            ]
        }, Private:interface {}(nil), TimeSeries: false
    }, Flags: 0x1, Cache:publisher.EventCache{m:common.MapStr(nil)
    }
} (status=400): {
    "type": "mapper_parsing_exception",
    "reason": "object mapping for [network.inner] tried to parse field [inner] as object, but found a concrete value"
}, dropping event!

Everything else parses fine. The Events have all the same structure described in the message field

The text was updated successfully, but these errors were encountered:

elasticmachine · 2022-01-25T16:53:03Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

leehinman · 2022-03-09T16:32:16Z

The fix for this is in beats elastic/beats#26879

And issue to track backporting changes is here #2116

andrewkroh added bug Something isn't working, use only for issues Integration:Cisco labels Jan 25, 2022

leehinman self-assigned this Mar 8, 2022

leehinman mentioned this issue Mar 11, 2022

[cisco_asa] sync with beats cisco module #2820

Merged

4 tasks

leehinman closed this as completed in #2820 Mar 16, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Cisco ASA] IPsec Event parsing failing "object mapping for [network.inner] tried to parse field [inner]" #2571

[Cisco ASA] IPsec Event parsing failing "object mapping for [network.inner] tried to parse field [inner]" #2571

matthiasledergerber commented Jan 25, 2022

elasticmachine commented Jan 25, 2022

leehinman commented Mar 9, 2022

[Cisco ASA] IPsec Event parsing failing "object mapping for [network.inner] tried to parse field [inner]" #2571

[Cisco ASA] IPsec Event parsing failing "object mapping for [network.inner] tried to parse field [inner]" #2571

Comments

matthiasledergerber commented Jan 25, 2022

elasticmachine commented Jan 25, 2022

leehinman commented Mar 9, 2022