Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[filebeat] improve cisco ASA module message patterns #18410

Closed
immon opened this issue May 11, 2020 · 6 comments · Fixed by #20565
Closed

[filebeat] improve cisco ASA module message patterns #18410

immon opened this issue May 11, 2020 · 6 comments · Fixed by #20565
Labels
enhancement Filebeat Filebeat module

Comments

@immon
Copy link
Contributor

immon commented May 11, 2020

Describe the enhancement:

Filebeat's cisco ASA module does not parse messages of the following types:

unhandled messages ids 
%ASA-7-609002
%ASA-6-302020
%ASA-6-302021
%ASA-6-302013
%ASA-6-302014
%ASA-4-313004
%ASA-6-305011
%ASA-6-305012
%ASA-6-302015
%ASA-6-302016
%ASA-2-106001
%ASA-4-106023
%ASA-1-106021
%ASA-2-106006
%ASA-6-106015
%ASA-6-302023
%ASA-6-302022
%ASA-7-111009
%ASA-6-106100
%ASA-7-609001

We would like to extract at least destination.ip and source.ip fields.

Here are examples of messages not being parsed cisco_syslog.txt
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 11, 2020
@immon
Copy link
Contributor Author

immon commented May 11, 2020

Similar issues #14978 #14034

@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 12, 2020
@P1llus
Copy link
Member

P1llus commented Jun 5, 2020

I am taking a look at this one, will update the issue with a status later on.

@Gimlie102
Copy link

Any update on this? These message types are frequently used and should definitely be supported.

@felix-lessoer
Copy link
Contributor

@P1llus Any updates?

@P1llus
Copy link
Member

P1llus commented Aug 11, 2020

I ended up doing a larger rewrite which tok longer time than anticipated. I see now that I should have rather done this change first. Give me a couple of days and I can post an update @felix-lessoer and @Gimlie102

@P1llus P1llus mentioned this issue Aug 11, 2020
Merged
6 tasks
This was referenced Aug 25, 2020
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement Filebeat Filebeat module
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Filebeat][Cisco Module] Adding various smaller hotfixes related to github issues P1llus/beats
6 participants
@andresrc @immon @Gimlie102 @P1llus @elasticmachine @felix-lessoer