checkpoint: fix handling of R81 fields (#3800)

packages/checkpoint/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.7.1"
+  changes:
+    - description: Fix handling of R81 fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3800
 - version: "1.7.0"
   changes:
     - description: Add handling of authentication events.

packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R81.X.log

@@ -0,0 +1 @@
+<134>1 2022-07-16T18:51:20Z fw1 CheckPoint 15190 - [action:"Accept"; contextnum:"1"; flags:"802832"; ifdir:"inbound"; ifname:"eth0.11"; logid:"6"; loguid:"{0x8f6ff124,0xbeef4db4,0xbad40b,0xa9525929}"; origin:"81.2.69.144"; originsicname:"CN=fwcp1,O=Client_Server_1.company.com.bg7ujf"; sequencenum:"8"; time:"1657997480"; version:"5"; __nsons:"0"; __p_dport:"0"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={2A2FD8C0-A383-3DE4-A515-13D2CB28A798};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\]"; __pos:"7"; bytes:"11930"; client_inbound_bytes:"7475"; client_inbound_interface:"eth0.11"; client_inbound_packets:"15"; client_outbound_bytes:"6345"; client_outbound_packets:"22"; context_num:"1"; elapsed:"0"; hll_key:"12347634786232348735"; packets:"37"; product:"Log Update"; segment_time:"1657997472"; server_inbound_bytes:"6345"; server_inbound_packets:"11"; server_outbound_bytes:"7475"; server_outbound_interface:"eth0.10"; server_outbound_packets:"30"; start_time:"1657997472"]

packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-R81.X.log-expected.json

@@ -0,0 +1,53 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2022-07-16T18:51:20.000Z",
+            "checkpoint": {
+                "context_num": "1",
+                "elapsed": "0",
+                "logid": "6"
+            },
+            "destination": {
+                "bytes": 7475,
+                "packets": 30
+            },
+            "ecs": {
+                "version": "8.3.0"
+            },
+            "event": {
+                "action": "Accept",
+                "category": [
+                    "network"
+                ],
+                "id": "{0x8f6ff124,0xbeef4db4,0xbad40b,0xa9525929}",
+                "kind": "event",
+                "original": "\u003c134\u003e1 2022-07-16T18:51:20Z fw1 CheckPoint 15190 - [action:\"Accept\"; contextnum:\"1\"; flags:\"802832\"; ifdir:\"inbound\"; ifname:\"eth0.11\"; logid:\"6\"; loguid:\"{0x8f6ff124,0xbeef4db4,0xbad40b,0xa9525929}\"; origin:\"81.2.69.144\"; originsicname:\"CN=fwcp1,O=Client_Server_1.company.com.bg7ujf\"; sequencenum:\"8\"; time:\"1657997480\"; version:\"5\"; __nsons:\"0\"; __p_dport:\"0\"; __policy_id_tag:\"product=VPN-1 \u0026 FireWall-1[db_tag={2A2FD8C0-A383-3DE4-A515-13D2CB28A798};mgmt=Client_Server_1;date=1657919347;policy_name=Standard\\]\"; __pos:\"7\"; bytes:\"11930\"; client_inbound_bytes:\"7475\"; client_inbound_interface:\"eth0.11\"; client_inbound_packets:\"15\"; client_outbound_bytes:\"6345\"; client_outbound_packets:\"22\"; context_num:\"1\"; elapsed:\"0\"; hll_key:\"12347634786232348735\"; packets:\"37\"; product:\"Log Update\"; segment_time:\"1657997472\"; server_inbound_bytes:\"6345\"; server_inbound_packets:\"11\"; server_outbound_bytes:\"7475\"; server_outbound_interface:\"eth0.10\"; server_outbound_packets:\"30\"; start_time:\"1657997472\"]",
+                "sequence": 8,
+                "start": "1657997472"
+            },
+            "network": {
+                "bytes": 11930,
+                "direction": "inbound",
+                "packets": 37
+            },
+            "observer": {
+                "ingress": {
+                    "interface": {
+                        "name": "eth0.11"
+                    }
+                },
+                "name": "81.2.69.144",
+                "product": "Log Update",
+                "type": "firewall",
+                "vendor": "Checkpoint"
+            },
+            "source": {
+                "bytes": 6345,
+                "packets": 22
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}

packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml

@@ -471,6 +471,10 @@ processors:
       field: checkpoint.ifdir
       target_field: network.direction
       ignore_missing: true
+  - convert:
+      field: checkpoint.bytes
+      type: long
+      ignore_missing: true
   - rename:
       field: checkpoint.bytes
       target_field: network.bytes
@@ -508,6 +512,10 @@ processors:
         } else if (iana_number == '132') {
             ctx.network.transport = 'sctp';
         }
+  - convert:
+      field: checkpoint.packets
+      type: long
+      ignore_missing: true
   - rename:
       field: checkpoint.packets
       target_field: network.packets
@@ -532,12 +540,12 @@ processors:
       field: checkpoint.ifname
       target_field: observer.ingress.interface.name
       ignore_missing: true
-      if: ctx.network?.direction == 'inbound'
+      if: ctx.observer?.ingress?.interface?.name == null && ctx.network?.direction == 'inbound'
   - rename:
       field: checkpoint.ifname
       target_field: observer.egress.interface.name
       ignore_missing: true
-      if: ctx.network?.direction == 'outbound'
+      if: ctx.observer?.egress?.interface?.name == null && ctx.network?.direction == 'outbound'
   - rename:
       field: checkpoint.type
       target_field: observer.type
@@ -843,16 +851,23 @@ processors:
         )
   - remove:
       field:
+        - checkpoint.ifname
+        - checkpoint.server_outbound_interface
         - checkpoint.client_outbound_packets
         - checkpoint.server_outbound_packets
         - checkpoint.client_outbound_bytes
-        - checkpoint.sent_byte
         - checkpoint.server_outbound_bytes
+        - checkpoint.client_inbound_packets
+        - checkpoint.server_inbound_packets
+        - checkpoint.client_inbound_bytes
+        - checkpoint.server_inbound_bytes
+        - checkpoint.sent_byte
         - checkpoint.received_bytes
         - checkpoint.service
         - checkpoint.xlatedport
         - checkpoint.s_port
         - checkpoint.xlatesport
+        - checkpoint.contextnum
         - checkpoint.sequencenum
         - checkpoint.file_size
         - checkpoint.product
@@ -861,6 +876,11 @@ processors:
         - checkpoint.xlatedst
         - checkpoint.uid
         - checkpoint.time
+        - checkpoint.__nsons
+        - checkpoint.__p_dport
+        - checkpoint.__pos
+        - checkpoint.hll_key
+        - checkpoint.segment_time
         - syslog5424_ts
         - _temp_
       ignore_missing: true

packages/checkpoint/manifest.yml

@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: "1.7.0"
+version: "1.7.1"
 release: ga
 description: Collect logs from Check Point with Elastic Agent.
 type: integration