x-pack/filebeat/module/checkpoint: fix handling of R81 fields

CHANGELOG.next.asciidoc

@@ -58,6 +58,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - cisco/asa: fix handling of user names when there are Security Group Tags present. {issue}32009[32009] {pull}32196[32196]
 - Fix race conditions when reloading input V2 and filestream input {pull}32309[32309]
 - Fix counter for number of events published in `httpjson` input. {pull}31993[31993]
+- Fix handling of Checkpoint event for R81. {issue}32380[32380] {pull}32458[32458]
 
 *Heartbeat*
 

x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml

@@ -434,6 +434,10 @@ processors:
       field: checkpoint.ifdir
       target_field: network.direction
       ignore_missing: true
+  - convert:
+      field: checkpoint.bytes
+      type: long
+      ignore_missing: true
   - rename:
       field: checkpoint.bytes
       target_field: network.bytes
@@ -471,6 +475,10 @@ processors:
         } else if (iana_number == '132') {
             ctx.network.transport = 'sctp';
         }
+  - convert:
+      field: checkpoint.packets
+      type: long
+      ignore_missing: true
   - rename:
       field: checkpoint.packets
       target_field: network.packets
@@ -495,12 +503,12 @@ processors:
       field: checkpoint.ifname
       target_field: observer.ingress.interface.name
       ignore_missing: true
-      if: ctx.network?.direction == 'inbound'
+      if: ctx.observer?.ingress?.interface?.name == null && ctx.network?.direction == 'inbound'
   - rename:
       field: checkpoint.ifname
       target_field: observer.egress.interface.name
       ignore_missing: true
-      if: ctx.network?.direction == 'outbound'
+      if: ctx.observer?.egress?.interface?.name == null && ctx.network?.direction == 'outbound'
   - rename:
       field: checkpoint.type
       target_field: observer.type
@@ -818,16 +826,23 @@ processors:
         )
   - remove:
       field:
+        - checkpoint.ifname
+        - checkpoint.server_outbound_interface
         - checkpoint.client_outbound_packets
         - checkpoint.server_outbound_packets
         - checkpoint.client_outbound_bytes
-        - checkpoint.sent_byte
         - checkpoint.server_outbound_bytes
+        - checkpoint.client_inbound_packets
+        - checkpoint.server_inbound_packets
+        - checkpoint.client_inbound_bytes
+        - checkpoint.server_inbound_bytes
+        - checkpoint.sent_byte
         - checkpoint.received_bytes
         - checkpoint.service
         - checkpoint.xlatedport
         - checkpoint.s_port
         - checkpoint.xlatesport
+        - checkpoint.contextnum
         - checkpoint.sequencenum
         - checkpoint.file_size
         - checkpoint.product
@@ -836,6 +851,11 @@ processors:
         - checkpoint.xlatedst
         - checkpoint.uid
         - checkpoint.time
+        - checkpoint.__nsons
+        - checkpoint.__p_dport
+        - checkpoint.__pos
+        - checkpoint.hll_key
+        - checkpoint.segment_time
         - syslog5424_ts
         - _temp_
       ignore_missing: true

x-pack/filebeat/module/checkpoint/firewall/test/R81.X.log

@@ -0,0 +1 @@
+<134>1 2022-07-16T18:51:20Z fw1 CheckPoint 15190 - [action:"Accept"; contextnum:"1"; flags:"802832"; ifdir:"inbound"; ifname:"eth0.11"; logid:"6"; loguid:"{0x8f6ff124,0xbeef4db4,0xbad40b,0xa9525929}"; origin:"81.2.69.144"; originsicname:"CN=fwcp1,O=Client_Server_1.company.com.bg7ujf"; sequencenum:"8"; time:"1657997480"; version:"5"; __nsons:"0"; __p_dport:"0"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={2A2FD8C0-A383-3DE4-A515-13D2CB28A798};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\]"; __pos:"7"; bytes:"11930"; client_inbound_bytes:"7475"; client_inbound_interface:"eth0.11"; client_inbound_packets:"15"; client_outbound_bytes:"6345"; client_outbound_packets:"22"; context_num:"1"; elapsed:"0"; hll_key:"12347634786232348735"; packets:"37"; product:"Log Update"; segment_time:"1657997472"; server_inbound_bytes:"6345"; server_inbound_packets:"11"; server_outbound_bytes:"7475"; server_outbound_interface:"eth0.10"; server_outbound_packets:"30"; start_time:"1657997472"]

x-pack/filebeat/module/checkpoint/firewall/test/R81.X.log-expected.json

@@ -0,0 +1,43 @@
+[
+    {
+        "@timestamp": "2022-07-16T18:51:20.000Z",
+        "checkpoint.context_num": "1",
+        "checkpoint.elapsed": "0",
+        "checkpoint.logid": "6",
+        "client.bytes": 6345,
+        "client.packets": 22,
+        "destination.bytes": 7475,
+        "destination.packets": 30,
+        "event.action": "Accept",
+        "event.category": [
+            "network"
+        ],
+        "event.dataset": "checkpoint.firewall",
+        "event.id": "{0x8f6ff124,0xbeef4db4,0xbad40b,0xa9525929}",
+        "event.kind": "event",
+        "event.module": "checkpoint",
+        "event.sequence": 8,
+        "event.start": "1657997472",
+        "event.timezone": "-02:00",
+        "fileset.name": "firewall",
+        "input.type": "log",
+        "log.offset": 0,
+        "network.bytes": 11930,
+        "network.direction": "inbound",
+        "network.packets": 37,
+        "observer.ingress.interface.name": "eth0.11",
+        "observer.name": "81.2.69.144",
+        "observer.product": "Log Update",
+        "observer.type": "firewall",
+        "observer.vendor": "Checkpoint",
+        "server.bytes": 7475,
+        "server.packets": 30,
+        "service.type": "checkpoint",
+        "source.bytes": 6345,
+        "source.packets": 22,
+        "tags": [
+            "checkpoint-firewall",
+            "forwarded"
+        ]
+    }
+]