x-pack/filebeat/module/cisco: loosen time parsing and add group and session type capture (elastic#28325)
efd6 authored and wiwen committed Nov 1, 2021
1 parent c3f72e4 commit 09f1403
Showing 8 changed files with 222 additions and 5 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -316,6 +316,7 @@ for a few releases. Please use other tools provided by Elastic to fetch data fro
- Resolve issue with @timestamp for defender_atp. {pull}28272[28272]
- Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
- Add support for username in cisco asa security negotiation logs {pull}26975[26975]
- Relax time parsing and capture group and session type in Cisco ASA module {issue}24710[24710] {pull}28325[28325]

*Heartbeat*

10 changes: 10 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -21573,6 +21573,16 @@ type: keyword
SA type (remote access or L2L)


type: keyword

--

*`cisco.asa.session_type`*::
+
--
Session type (for example, IPsec or UDP)


type: keyword

--
6 changes: 6 additions & 0 deletions x-pack/filebeat/module/cisco/asa/_meta/fields.yml
Expand Up @@ -199,3 +199,9 @@
default_field: false
description: >
SA type (remote access or L2L)
- name: session_type
type: keyword
default_field: false
description: >
Session type (for example, IPsec or UDP)
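Review bot: the description of the new `session_type` field gives "IPsec or UDP" as examples, but none of the fixtures in this commit produce those values; the expected outputs show "LAN-to-LAN", "AnyConnect-Parent" and "SSL". Consider listing values the dissect pattern actually yields, e.g. `Session type (for example, LAN-to-LAN, AnyConnect-Parent or SSL)`, so the generated fields.asciidoc matches what users will see in their documents.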
Expand Up @@ -3235,6 +3235,7 @@
},
{
"cisco.asa.message_id": "113019",
"cisco.asa.session_type": "LAN-to-LAN",
"destination.address": "91.240.17.178",
"destination.as.number": 201126,
"destination.as.organization.name": "CDW Ltd",
Expand All @@ -3254,13 +3255,14 @@
],
"event.code": 113019,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.duration": 1936000000000,
"event.end": "2021-04-27T02:03:03.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested",
"event.reason": "User Requested",
"event.severity": 4,
"event.start": "2021-04-27T04:03:03.000Z",
"event.start": "2021-04-27T03:30:47.000Z",
"event.timezone": "-02:00",
"event.type": [
"info"
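Review bot: `event.start` is rendered in UTC (`...Z`) while `event.end` in the same document keeps the `-02:00` offset; this predates the change (the removed line also used `Z`), but since the fixture is being regenerated it is a good moment to normalise both to one representation. The new values themselves check out: `Duration: 0h:32m:16s` is 1936 s, matching `event.duration` 1936000000000 ns, and `event.start` 03:30:47Z is `event.end` (02:03:03-02:00, i.e. 04:03:03Z) minus that duration, which confirms the old `event.duration: 0` came from the duration parser rejecting the `h`/`m`/`s` suffixes.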
Expand All @@ -3285,6 +3287,7 @@
],
"service.type": "cisco",
"source.bytes": 297103,
"source.user.group.name": "91.240.17.178",
"source.user.name": "91.240.17.178",
"tags": [
"cisco-asa",
5 changes: 5 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/asa_missing_groups.log
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
Jun 08 2020 12:59:57: %ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 234.56.12.87, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested
Oct 20 2019 15:42:53: %ASA-4-113019: Group = TheBeatles, Username = John, IP = 234.28.45.42, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout
Oct 20 2019 15:42:54: %ASA-4-722037: Group <GroupPolicy_TheBeatles> User <Paul> IP <83.212.241.149> SVC closing connection: DPD failure.
Aug 6 2020 11:01:37: %ASA-4-722037: Group <GroupPolicy_TheBeatles> User <Brian> IP <234.63.56.32> SVC closing connection: Transport closing.
Aug 6 2020 11:01:38: %ASA-4-722051: Group <GroupPolicy_TheBeatles> User <George> IP <234.24.156.94> IPv4 Address <234.56.47.98> IPv6 address <::> assigned to session
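Review bot: the fixture mixes a zero-padded day (`Jun 08 2020`) with an unpadded one (`Aug 6 2020`) in the syslog timestamp, which is useful coverage, but the file name `asa_missing_groups.log` only hints at the group capture; if the unpadded day is part of what the title calls "loosen time parsing", a line in the CHANGELOG entry saying so would make the intent of these five lines easier to follow for the next person regenerating the expected output.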
@@ -0,0 +1,192 @@
[
{
"cisco.asa.message_id": "113019",
"cisco.asa.session_type": "AnyConnect-Parent",
"destination.address": "234.56.12.87",
"destination.bytes": 0,
"destination.ip": "234.56.12.87",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113019,
"event.dataset": "cisco.asa",
"event.duration": 112000000000,
"event.end": "2020-06-08T12:59:57.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-113019: Group = TheBeatles, Username = Ringo, IP = 234.56.12.87, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:52s, Bytes xmt: 32452, Bytes rcv: 0, Reason: User Requested",
"event.reason": "User Requested",
"event.severity": 4,
"event.start": "2020-06-08T14:58:05.000Z",
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"input.type": "log",
"log.level": "warning",
"log.offset": 0,
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.ip": [
"234.56.12.87"
],
"related.user": [
"Ringo"
],
"service.type": "cisco",
"source.bytes": 32452,
"source.user.group.name": "TheBeatles",
"source.user.name": "Ringo",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "113019",
"cisco.asa.session_type": "SSL",
"destination.address": "234.28.45.42",
"destination.bytes": 43252324,
"destination.ip": "234.28.45.42",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113019,
"event.dataset": "cisco.asa",
"event.duration": 8854000000000,
"event.end": "2019-10-20T15:42:53.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-113019: Group = TheBeatles, Username = John, IP = 234.28.45.42, Session disconnected. Session Type: SSL, Duration: 2h:27m:34s, Bytes xmt: 45323434, Bytes rcv: 43252324, Reason: Idle Timeout",
"event.reason": "Idle Timeout",
"event.severity": 4,
"event.start": "2019-10-20T15:15:19.000Z",
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"input.type": "log",
"log.level": "warning",
"log.offset": 226,
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.ip": [
"234.28.45.42"
],
"related.user": [
"John"
],
"service.type": "cisco",
"source.bytes": 45323434,
"source.user.group.name": "TheBeatles",
"source.user.name": "John",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "722037",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 722037,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-722037: Group <GroupPolicy_TheBeatles> User <Paul> IP <83.212.241.149> SVC closing connection: DPD failure.",
"event.severity": 4,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"input.type": "log",
"log.level": "warning",
"log.offset": 445,
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "722037",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 722037,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-722037: Group <GroupPolicy_TheBeatles> User <Brian> IP <234.63.56.32> SVC closing connection: Transport closing.",
"event.severity": 4,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"input.type": "log",
"log.level": "warning",
"log.offset": 582,
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.assigned_ip": "234.56.47.98",
"cisco.asa.message_id": "722051",
"cisco.asa.webvpn.group_name": "GroupPolicy_TheBeatles",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 722051,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-722051: Group <GroupPolicy_TheBeatles> User <George> IP <234.24.156.94> IPv4 Address <234.56.47.98> IPv6 address <::> assigned to session",
"event.severity": 4,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"input.type": "log",
"log.level": "warning",
"log.offset": 724,
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.ip": [
"234.24.156.94"
],
"related.user": [
"George"
],
"service.type": "cisco",
"source.address": "234.24.156.94",
"source.ip": "234.24.156.94",
"source.user.name": "George",
"tags": [
"cisco-asa",
"forwarded"
]
}
]
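Review bot: the two 722037 events (offsets 445 and 582) carry no `source.ip`, `source.user.name`, `related.user` or group field even though their messages hold `Group <...> User <...> IP <...>`, and the 722051 event stores its group in `cisco.asa.webvpn.group_name` while 113019 now uses `source.user.group.name`. If leaving 722037 unparsed is intentional for this change, a note in the fixture or the CHANGELOG entry would help; otherwise the group-capture work here is the natural place to give those message IDs the same `source.user.group.name` mapping, so that group-based searches behave the same across session-lifecycle messages.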
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cisco/fields.go


Expand Up @@ -326,7 +326,7 @@ processors:
if: "ctx._temp_.cisco.message_id == '113019'"
field: "message"
description: "113019"
pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}"
pattern: "Group = %{source.user.group.name}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{_temp_.cisco.session_type}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{event.reason}"
- grok:
if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)'
field: "message"
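Review bot: the pattern now writes the session type to `_temp_.cisco.session_type`, but the expected output carries it as `cisco.asa.session_type` and no rename appears in this diff; please confirm the existing `_temp_.cisco` to `cisco.asa` move later in the pipeline covers the new key (the expected JSON suggests it does). Changing `Reason: %{message}` to `%{event.reason}` is the right fix: dissecting from `message` into `message` replaced the original text with the reason string.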
Expand Down Expand Up @@ -1325,7 +1325,7 @@ processors:
} else if (c == (char)':') {
total = (total + cur) * 60;
cur = 0;
} else {
} else if (c != (char)'h' && c == (char)'m' && c == (char)'s') {
return 0;
}
}
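Review bot: the new condition `c != (char)'h' && c == (char)'m' && c == (char)'s'` can never be true, since `c` cannot equal both `'m'` and `'s'` at once, so the `return 0` branch is dead and every unrecognised character is now silently skipped instead of rejected. The intent is clearly to skip only the unit suffixes; it should read `} else if (c != (char)'h' && c != (char)'m' && c != (char)'s') {`. The fixtures pass either way because `0h:32m:16s` contains only those three letters, so a negative test with a malformed duration (for example `0h:32x:16s`, expecting 0) would catch this regression.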

0 comments on commit 09f1403
