[Cisco Nexus] Improve timezone and timestamp handling #14504
Conversation
P1llus
added
enhancement
…g even more formats on other date processors
|
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices) |
🚀 Benchmarks reportTo see the full report comment with |
|
💚 Build Succeeded
History
|
andrewkroh
added
the
documentation
There was a problem hiding this comment.
This looks pretty good, but I had a couple questions.
@taylor-swanson can you take a look at this as well, please?
| changes: | ||
| - description: Fix bug that did not recognize timestamps to use tz_map override. | ||
| type: bugfix | ||
| link: https://github.com/elastic/integrations/pull/14458 |
There was a problem hiding this comment.
PR link needs to be updated
| @@ -3,126 +3,101 @@ description: Pipeline for processing Cisco Nexus logs. | |||
| processors: | |||
| - set: | |||
| field: ecs.version | |||
| value: '8.17.0' | |||
| tag: 'set_ecs_version' | |||
| value: "8.17.0" | |||
There was a problem hiding this comment.
Curious why you're updating the single quotes to double quotes? I do prefer the doubles, but curious if there's some yaml-specific reason to do this.
| }, | ||
| "cisco_nexus": { | ||
| "log": { | ||
| "description": "EARL 0 NF ASIC: Uncorrectable Parity error in Netflow Table.", | ||
| "facility": "EARL", |
There was a problem hiding this comment.
Is there a reason why all of these fields are being deleted? Is this part of the processing changes in default.yml, or something else?
| required: false | ||
| show_user: false | ||
| description: >- | ||
| A collectiom of timezones found in Cisco Nexus logs (as defined in each `tz_short`), and the replacement value (as defined in each `tz_long`) which should be the full proper IANA Timezone format. This is used to override vendor provided timezone formats that is not supported by Elasticsearch [Date Processors](https://www.elastic.co/docs/reference/enrich-processor/date-processor#date-processor-timezones) |
There was a problem hiding this comment.
Could we also include offsets as well?
This is a snippet of the description from cisco_asa:
proper IANA time zone or offset (for example, Australia/Sydney or +10:00).
| "@timestamp": "2025-05-03T13:20:48.739+10:00", | ||
| "cisco_nexus": { | ||
| "log": { | ||
| "description": "last message repeated 5 time", | ||
| "ip_address": "10.100.0.34", | ||
| "priority_number": 187, | ||
| "sequence_number": 6031594, | ||
| "syslog_time": "2025-05-03T13:20:50.000Z", | ||
| "time": "2025-05-03T03:20:48.739Z", | ||
| "timezone": "AEST" | ||
| "time": "2025-05-03T13:20:48.739+10:00", | ||
| "timezone": "Australia/Sydney" |
There was a problem hiding this comment.
syslog_time is UTC but has the same time (ignoring the zone) as the time and @timestamp. This is incorrect.
The syslog_time can't be interpreted as UTC, since that timestamp is zone-less. Absent of zone info, either tz_offset needs to be used, or in this case, the zone provided by the more precise timestamp.
As of right now, syslog_time and @timestamp are 10 hours off, when they are only 2 seconds off from each other.
What we could do is set a "global" time zone (event.timezone) after we've done the necessary processing the of time zone and use that for all subsequent date processing.
| "threshold_value": "-1.0 dBm", | ||
| "time": "2025-06-14T01:34:35.000Z", | ||
| "timezone": "AEST", | ||
| "time": "2025-06-14T11:34:35.000Z", |
There was a problem hiding this comment.
Incorrect time zone
|
@P1llus do you have a timeline as to when you'll address @taylor-swanson 's comments? It'd be nice to get this resolved to help the SDH customer. |
Proposed commit message
The PR introduces tz_map as an option in the configuration of the integration, similar to tz_map this is specifically for usecases where the vendor provides a timezone format in their logs which is not supported by Java, and is the only way for a user to map these unsupported formats to a proper IANA format on ingest time.
While implementing this there was also several unecessary additions between syslog and vendor timestamps, so I changed that up a bit and updated the system and pipeline tests. Older documents now get missing ECS fields and the dates are parsed correctly also on older logs (which is why older pipeline test output have changes in them).
Checklist
changelog.ymlfile.