
[Cisco FTD] Pipeline Error for Event 113019 #9198


Description

@agmic

The Cisco FTD integration raises a pipeline error on events with Message ID 113019.

The code that errors is line 1648 here:
https://github.com/elastic/integrations/blob/fc99cc8fcbe193be818f03f26fc3ef9a3d341562/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml#L1646C1-L1649C100

  - script:
      lang: painless
      source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
      if: ctx.source?.bytes != null && ctx.destination?.bytes != null && ctx.network?.bytes == null

The error message is
cannot access method/field [bytes] from a null def reference
and seems to be caused by a script trying to add a value to the network.bytes field (ctx.network.bytes) when the network parent field doesn't exist.

A document that can raise the error is below.

[
  {
    "_id": "id2",
    "_index": "index",
    "_source": {
      "message": "<164>Feb 19 2024 16:29:38: %FTD-4-113019: Group = VPN, Username = abcd, IP = 11.22.33.44, Session disconnected. Session Type: SSL, Duration: 1h:24m:30s, Bytes xmt: 25292048, Bytes rcv: 12546398, Reason: User Requested"
    }
  }
]
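As an added illustration (not a patch from the elastic/integrations project), the same script processor written so that the parent object is created before the child field is assigned. The reason the original `if` condition does not protect the script is that the null-safe operator in `ctx.network?.bytes == null` evaluates to true when `ctx.network` itself is null, so the processor runs and then `ctx.network.bytes = ...` dereferences the missing object. The guard below initialises `network` as an empty map first; the field names match the original processor, and the surrounding pipeline is assumed to be unchanged.

```yaml
  - script:
      lang: painless
      # Same trigger condition as the original processor: run only when both
      # byte counters exist and network.bytes has not already been set.
      if: ctx.source?.bytes != null && ctx.destination?.bytes != null && ctx.network?.bytes == null
      source: |
        // ctx.network?.bytes == null is also true when ctx.network is null,
        // so create the parent object before writing into it.
        if (ctx.network == null) {
          ctx.network = [:];
        }
        ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes;
```

With the sample 113019 document above, `source.bytes` and `destination.bytes` are populated from "Bytes xmt" and "Bytes rcv" but no other processor has created `network`, which is exactly the state that makes the guard necessary; events that already carry a `network` object take the same path unchanged. The behaviour can be checked against the sample document with the Elasticsearch `_ingest/pipeline/_simulate` API before the change is deployed.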

Labels: Integration:cisco_ftd, Team:Security-Deployment and Devices (elastic/sec-deployment-and-devices), bug