Cisco ASA Ingress Fixes #26869
Comments
Another one we came across for message-id 304001. The grok pattern doesn't expect there to be a source username in the log message. Example:
Easy to fix. I should have a PR up shortly.
Still going through my grok errors. Ran into a problem with IPv6 addresses for message-id 106023. Example: This results in the src/dst interface including part of the IPv6 address and the resulting address field only containing the last characters in the IPv6 segment. It also looks like this particular pattern isn't consistent with others in the pipeline.

patterns:
  - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTCOLON:_temp_.cisco.source_interface}:%{ECSSOURCEIPORHOST}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{ECSDESTIPORHOST}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}"
pattern_definitions:
  NOTCOLON: "[^:]*"
  ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
  ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"

A similar error occurs to message-id 302015, 302013 where NOTSPACE is used for dst and src interfaces.
I can take a look at adding this too.
Got another regarding message-id 302016 and potentially others that have a connection duration in the message. TIME is used to grok the duration, however this is inappropriate because the TIME pattern limits hours between 0-23. And since the message is measuring time, there can be situations where hours can be greater than 24 hours. So for connection durations exceeding 23:59:59, matching will fail. I've made a custom pattern: Example: I'm sorry for the spam, I think those are the last of the grok errors.
Adding the last 2 fixes. For additional items, I'd post them in the PR so the reviewers can see that new stuff may be added.
It looks like there's a list of message ids that determines whether event.outcome is success or failure. With some message ids it may not be so clear, for example 713905 is an informational message which can refer to some successful operations, but I see in test logs it can also refer to a failure to find ipsec tunnel proposals. It might be an improvement that instead of maintaining a list of message ids, certain words like "discarded, failed, failure." etc could be matched instead? Not sure if that has the potential to get messy.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Pinging @elastic/siem (Team:SIEM)
* #26869: ASA Ingest Pipeline fixes
* Update changelog
* Update 106023 & 302016 grok patterns
* Update additional grok patterns per comments
* Fix per comment
* update fields from master
* Updated via last comment
* Update pipeline
* update pipeline to address #27137

(cherry picked from commit 5bc8572)

* #26869: ASA Ingest Pipeline fixes
* Update changelog
* Update 106023 & 302016 grok patterns
* Update additional grok patterns per comments
* Fix per comment
* update fields from master
* Updated via last comment
* Update pipeline
* update pipeline to address #27137

(cherry picked from commit 5bc8572)

Co-authored-by: Alex Resnick <adr8292@gmail.com>

* elastic#26869: ASA Ingest Pipeline fixes
* Update changelog
* Update 106023 & 302016 grok patterns
* Update additional grok patterns per comments
* Fix per comment
* update fields from master
* Updated via last comment
* Update pipeline
* update pipeline to address elastic#27137
A small modification to the grok pattern for message-id 106023 to match the message when an IANA protocol number is used in place of the protocol name. For example, for GRE.
Example:
%ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound"
https://github.com/elastic/beats/blob/v7.13.3/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml#L271
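The three grok problems raised in this thread (NOTSPACE swallowing part of an IPv6 address in the interface field for 106023, TIME rejecting connection durations of 24 hours or more in 302016, and the literal "protocol" token that precedes an IANA protocol number) can all be reproduced with a few lines of regex. The following is an added example, not code from Beats or from anyone in this issue. It uses a small grok-to-regex expander of its own with simplified stand-ins for the standard grok library (the real IPV6 and HOSTNAME patterns are much longer), a constructed DURATION pattern in place of the commenter's custom pattern (which the issue does not show), a simplified 302016 pattern of its own, and an assumed fix for the protocol-number case in the form of an optional "protocol " literal before network.transport. The sample messages are constructed except for the GRE line quoted above; the syslog header is assumed to have been stripped by an earlier pipeline stage.

```python
import re

# Added illustration: a tiny grok-to-regex expander used to show why the
# patterns discussed in this issue fail on some Cisco ASA messages. It is not
# the Elasticsearch ingest grok processor, and the base patterns below are
# simplified stand-ins for the standard grok library (IPV6 and HOSTNAME in
# particular are far shorter than the real ones).
BASE = {
    "NOTSPACE": r"\S+",
    "NOTCOLON": r"[^:]*",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "INT": r"[+-]?[0-9]+",
    "POSINT": r"\b[1-9][0-9]*\b",
    "NUMBER": r"[0-9]+(?:\.[0-9]+)?",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",  # the 0-23 limit is the 302016 problem
    "MINUTE": r"[0-5][0-9]",
    "SECOND": r"(?:[0-5]?[0-9]|60)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "IPV4": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "IPV6": r"(?:[0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}",
    "IP": r"(?:%{IPV6}|%{IPV4})",
    "HOSTNAME": r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?",
    "ECSSOURCEIPORHOST": r"(?:%{IP:source.address}|%{HOSTNAME:source.domain})",
    "ECSDESTIPORHOST": r"(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})",
    # Constructed hh:mm:ss pattern with unbounded hours; our own stand-in for
    # the commenter's custom pattern, which the issue does not show.
    "DURATION": r"%{INT}:%{MINUTE}:%{SECOND}",
}

REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")


def compile_grok(pattern, defs=BASE):
    """Expand %{NAME:field} references recursively into a compiled regex.

    Returns (regex, fields): named group g<i> captures fields[i].
    """
    fields = []

    def expand(p):
        def repl(m):
            name, field = m.group(1), m.group(2)
            inner = expand(defs[name])
            if field is None:
                return "(?:%s)" % inner
            fields.append(field)
            return "(?P<g%d>%s)" % (len(fields) - 1, inner)
        return REF.sub(repl, p)

    return re.compile(expand(pattern)), fields


def grok(pattern, text, defs=BASE):
    """Return the captured fields, or None when the pattern does not match."""
    rx, fields = compile_grok(pattern, defs)
    m = rx.match(text)
    if m is None:
        return None
    return {fields[int(g[1:])]: v for g, v in m.groupdict().items() if v is not None}


def pattern_106023(iface="NOTCOLON", optional_protocol_word=False):
    """The 106023 pattern quoted in the issue, parameterised for the two fixes.

    iface="NOTSPACE" reproduces the pre-fix interface capture; the
    "(?:protocol )?" prefix is our assumed fix for "Deny protocol 47 ...".
    """
    tmpl = (
        r'^%{NOTSPACE:event.outcome} PROTO%{NOTSPACE:network.transport} src '
        r'%{IFACE:_temp_.cisco.source_interface}:%{ECSSOURCEIPORHOST}(/%{POSINT:source.port})?\s*'
        r'(%{GREEDYDATA:_temp_.cisco.source_username} )?dst '
        r'%{IFACE:_temp_.cisco.destination_interface}:%{ECSDESTIPORHOST}(/%{POSINT:destination.port})?'
        r'%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}"'
    )
    proto = "(?:protocol )?" if optional_protocol_word else ""
    return tmpl.replace("IFACE", iface).replace("PROTO", proto)


def pattern_302016(duration="TIME"):
    """Simplified 302016 teardown pattern (our own, not the pipeline's)."""
    return (
        r'^Teardown %{NOTSPACE:network.transport} connection %{NUMBER:cisco.asa.connection_id} for '
        r'%{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{POSINT:source.port} to '
        r'%{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{POSINT:destination.port} '
        r'duration %{DUR:event.duration} bytes %{INT:network.bytes}'
    ).replace("DUR", duration)


# Constructed sample messages (syslog header already removed); the GRE line is
# the one quoted in the issue.
MSG_106023_IPV6 = 'Deny tcp src outside:2001:db8::1/443 dst inside:2001:db8::2/80 by access-group "inbound"'
MSG_106023_GRE = 'Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound"'
MSG_302016_LONG = 'Teardown UDP connection 1024 for outside:10.0.0.1/53 to inside:192.168.1.2/40123 duration 25:00:01 bytes 512'

if __name__ == "__main__":
    print(grok(pattern_106023("NOTSPACE"), MSG_106023_IPV6))  # interface swallows most of the IPv6 address
    print(grok(pattern_106023("NOTCOLON"), MSG_106023_IPV6))  # interface=outside, source.address=2001:db8::1
    print(grok(pattern_106023(), MSG_106023_GRE))  # None: the literal "protocol" token is not expected
    print(grok(pattern_106023(optional_protocol_word=True), MSG_106023_GRE))
    print(grok(pattern_302016("TIME"), MSG_302016_LONG))  # None: HOUR only allows 0-23
    print(grok(pattern_302016("DURATION"), MSG_302016_LONG))
```

The NOTSPACE run shows the failure mode described above: `\S+` is greedy and backtracks only to the last colon, so the interface field ends up as `outside:2001:db8:` and only `1` is left for the address (which then falls through to the HOSTNAME alternative). A pattern that cannot consume a colon, such as NOTCOLON, is what makes the split unambiguous. For the duration, the whole grok fails rather than degrading, so the event is dropped or flagged with a grok error; any replacement pattern should keep the minute and second constraints and only lift the hour bound.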