
[cisco_ftd] Add grok pattern for GRE tunnel teardown (302018).#19830

Draft
haetamoudi wants to merge 1 commit into main from fix/0-add-a-new-grok-pattern-to-58401024

Conversation

@haetamoudi

Contributor

Executive summary

Added a new grok pattern to handle GRE tunnel teardown messages (message ID 302018) that lack source ports. The pattern correctly extracts connection ID, interface names, destination IP and port, duration, and byte counts. A corresponding test case validates the pattern successfully parses the message and enriches it with proper ECS fields including geo-IP data. This resolves the [MISSING_CASE] error where this message format had no matching grok pattern.

Proposed commit message

[cisco_ftd] Add grok pattern for GRE tunnel teardown (302018).

Root cause

The parse_teardown_message grok processor (tag parse_teardown_message) contains seven patterns that all require a source port in the format from interface:ip/port. GRE tunneling messages omit the source port entirely (from interface:ip), causing all patterns to fail. This is a protocol-level difference: GRE is tunnel-based and does not use per-flow port numbers like TCP/UDP/ICMP.

Approach

Add a new grok pattern to the parse_teardown_message processor to handle GRE (Generalized Routing Encapsulation) tunnel protocol teardown messages (message ID 302018). GRE is a layer-3 tunneling protocol without per-flow ports, so its teardown format differs from TCP/UDP/ICMP: source lacks a port number (from interface:ip instead of from interface:ip/port). The new pattern will extract connection ID, source/destination interfaces and addresses, duration, and bytes. Add test fixture with the sanitized GRE teardown event to validate the fix.

Implementation

  1. Add a new grok pattern to packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml at line 1294 (after the 6th pattern, before the ICMP pattern) to match GRE teardown format: ^Teardown (?:Probe )?%{NOTSPACE:network.transport} connection %{NOTSPACE:_temp_.cisco.connection_id} from %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address} to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int} duration %{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}(?:\s+%{NUMBER}\s+%{NUMBER})?
  2. Add test fixture entry to packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log with the sanitized GRE teardown event: <190>2026-06-22T05:48:03Z host-1.example.local : %FTD-6-302018: Teardown GRE connection 309288012 from example-network:198.51.100.10 to example-vlan:203.0.113.20/38912 duration 0:02:29 bytes 154 0 8
  3. Generate expected output in packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json by running elastic-package test pipeline to validate the new pattern extracts all fields correctly (connection_id, source/destination interface/address/port, duration, bytes).
  4. Update packages/cisco_ftd/changelog.yml with a bugfix entry: 'Add grok pattern to handle GRE tunnel teardown messages (302018) that lack source port'.
  5. Update packages/cisco_ftd/manifest.yml version bump (patch version increment per semantic versioning).

Pipeline changes

  • Add new grok pattern to parse_teardown_message processor to match GRE tunnel protocol teardown messages where source address omits port. Pattern: ^Teardown (?:Probe )?%{NOTSPACE:network.transport} connection %{NOTSPACE:_temp_.cisco.connection_id} from %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address} to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int} duration %{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}(?:\s+%{NUMBER}\s+%{NUMBER})? - Captures GRE-specific format where source lacks port (GRE is tunnel-based), plus optional trailing byte counters.

Field / mapping changes

Sanitized error message

Processor 'grok' with tag 'parse_teardown_message' in pipeline 'logs-cisco_ftd.log-default' failed with message '[on_failure_message]'

Sanitized log (event_sanitized excerpt)

<190>2026-06-22T05:48:03Z host-1.example.local : %FTD-6-302018: Teardown GRE connection 309288012 from example-network:198.51.100.10 to example-vlan:203.0.113.20/38912 duration 0:02:29 bytes 154 0 8

Reviewer concerns

The new pattern intentionally omits source.port capture since GRE messages don't use ports, which differs from other teardown patterns and may create field inconsistency in queries. The optional trailing bytes pattern (?:\s+%{NUMBER}\s+%{NUMBER})? discards the final two numeric values (0 8 in the test case) without capturing them—these may represent protocol-level metadata worth preserving.

Self-review findings

Risk and classification

  • Plan risk level: low
  • Tags: pipeline, processors, ingest, test-fixture
  • Impact: low

Links

  • Issue: (no issue number)
  • Issue title: cisco_ftd.log [MISSING_CASE]: Processor 'grok' with tag 'parse_teardown_message' in pipeline 'logs-cis…
  • Pipeline case: 8ce565325b948149

@haetamoudi haetamoudi added enhancement New feature or request Integration:cisco_ftd Cisco FTD source:integration_sentinel The PR was created via the Integration Sentinel pipeline Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels Jun 29, 2026
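Added example, not code from this PR or from the cisco_ftd package: a small grok-to-regex translator that runs the new 302018 pattern (copied verbatim from the description) against the sanitized sample event, and shows why the PR places it after the port-based patterns. The NOTCOLON and DURATION definitions, the syslog header split, the PORT_TEARDOWN stand-in for the existing "from interface:ip/port" patterns, the TCP sample line and hms_to_seconds are all assumptions made for the illustration; the real pipeline's text is not on this page.

```python
import re

# Grok primitives. NOTSPACE, DATA and NUMBER follow the stock grok library;
# NOTCOLON and DURATION are custom patterns in the cisco_ftd pipeline whose
# definitions are not shown here, so these two are assumptions that fit the
# sample event ("0:02:29" is H:MM:SS).
PRIMITIVES = {
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "NUMBER": r"[-+]?(?:\d+(?:\.\d+)?|\.\d+)",
    "NOTCOLON": r"[^:]+",            # assumption
    "DURATION": r"\d+:\d{2}:\d{2}",  # assumption
}

# %{NAME}, %{NAME:field} or %{NAME:field:type}
TOKEN = re.compile(r"%\{(\w+)(?::([\w.]+))?(?::(\w+))?\}")

# The pattern this PR adds (copied from the description).
GRE_TEARDOWN = (
    r"^Teardown (?:Probe )?%{NOTSPACE:network.transport} connection "
    r"%{NOTSPACE:_temp_.cisco.connection_id} from "
    r"%{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address} to "
    r"%{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}"
    r"/%{NUMBER:destination.port:int} duration %{DURATION:_temp_.duration_hms} "
    r"bytes %{NUMBER:network.bytes}(?:\s+%{NUMBER}\s+%{NUMBER})?"
)

# Hypothetical stand-in for the existing port-based teardown patterns
# ("from interface:ip/port"); not the pipeline's actual text.
PORT_TEARDOWN = (
    r"^Teardown (?:Probe )?%{NOTSPACE:network.transport} connection "
    r"%{NOTSPACE:_temp_.cisco.connection_id} from "
    r"%{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}"
    r"/%{NUMBER:source.port:int} to "
    r"%{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}"
    r"/%{NUMBER:destination.port:int} duration %{DURATION:_temp_.duration_hms} "
    r"bytes %{NUMBER:network.bytes}"
)

# Same order the PR proposes: port-based patterns first, GRE after them.
TEARDOWN_PATTERNS = [("port", PORT_TEARDOWN), ("gre", GRE_TEARDOWN)]

# Simplified syslog/FTD header split (assumption; the real pipeline does more).
HEADER = re.compile(r"^<\d+>\S+ \S+ : %FTD-\d-(?P<msgid>\d+): (?P<body>.*)$")


def grok_to_regex(pattern):
    """Compile a grok pattern into a Python regex. Returns (regex, fields)
    where fields maps each regex group name to its (dotted field, type)."""
    fields = {}

    def expand(m):
        name, field, typ = m.groups()
        body = PRIMITIVES[name]
        if field is None:            # unnamed token: match but discard
            return f"(?:{body})"
        group = f"g{len(fields)}"    # dots are not legal in group names
        fields[group] = (field, typ)
        return f"(?P<{group}>{body})"

    return re.compile(TOKEN.sub(expand, pattern)), fields


def grok_match(pattern, text):
    """Apply one grok pattern; return the extracted fields, or None."""
    regex, fields = grok_to_regex(pattern)
    m = regex.match(text)
    if m is None:
        return None
    out = {}
    for group, (field, typ) in fields.items():
        value = m.group(group)
        out[field] = int(value) if typ == "int" else value
    return out


def parse_teardown(syslog_line):
    """Split the header, then try patterns in order; the first match wins,
    as in an ingest grok processor. (None, None, None) is the [MISSING_CASE]."""
    h = HEADER.match(syslog_line)
    if h is None:
        return None, None, None
    for name, pattern in TEARDOWN_PATTERNS:
        fields = grok_match(pattern, h.group("body"))
        if fields is not None:
            return name, h.group("msgid"), fields
    return None, None, None


def hms_to_seconds(hms):
    """'0:02:29' -> 149 (illustrative conversion of _temp_.duration_hms)."""
    hours, minutes, seconds = (int(x) for x in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds


# Sanitized event from the PR, plus a constructed TCP teardown with ports.
GRE_LINE = ("<190>2026-06-22T05:48:03Z host-1.example.local : %FTD-6-302018: "
            "Teardown GRE connection 309288012 from example-network:198.51.100.10 "
            "to example-vlan:203.0.113.20/38912 duration 0:02:29 bytes 154 0 8")
TCP_LINE = ("<190>2026-06-22T05:48:03Z host-1.example.local : %FTD-6-302014: "
            "Teardown TCP connection 1234567 from example-network:198.51.100.10/51234 "
            "to example-vlan:203.0.113.20/443 duration 0:00:05 bytes 2048")

if __name__ == "__main__":
    for line in (GRE_LINE, TCP_LINE):
        print(parse_teardown(line))
```

Run stand-alone it prints the matched pattern name, message ID and fields for both lines. The ordering matters because the new pattern's `%{DATA:source.address}` is lazy but unbounded: fed a port-carrying line it still matches, with `source.address` set to `198.51.100.10/51234`. Placing it after the port-based patterns, as the PR does, keeps that from happening; reversing the order would silently produce malformed addresses.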
@github-actions

Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod


Changelog link mismatch — expected https://github.com/elastic/integrations/pull/19830 in the following file(s):

  • packages/cisco_ftd/changelog.yml

Tip

If expected, add the changelog-link-check:skip label to skip this check. Or, if an issue link was intended, use .../issues/<n> instead.


@elasticmachine

elasticmachine commented Jun 29, 2026


💔 Build Failed

Failed CI Steps

History

@elastic-vault-github-plugin-prod


🚀 Benchmarks report

Package cisco_ftd 👍(0) 💚(0) 💔(1)

Data stream | Previous EPS | New EPS | Diff (%) | Result
log | 860.59 | 722.02 | -138.57 (-16.1%) | 💔

To see the full report comment with /test benchmark fullreport
