Add username to ASA Security negotiation log (#26975)

* Add username to ASA Security negotiation log I added the username user.name field to ASA Security negotiation log line. * adding support for both formats * adding changelog entry * updating geo fields in expected output files * reverse formatting * reverting to older version of file * reverting formatting again * regenrate golden files again * remove formatting, ready for review * fixing missing message due to no newline * fix dissect pattern to fit correctly Co-authored-by: Marius Iversen <marius.iversen@elastic.co>
elastic · Oct 11, 2021 · df6fde2 · df6fde2
1 parent fbca813
commit df6fde2
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 7 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -315,6 +315,7 @@ for a few releases. Please use other tools provided by Elastic to fetch data fro
 - sophos/xg fileset: Add missing pipeline for System Health logs. {pull}27827[27827] {issue}27826[27826]
 - Resolve issue with @timestamp for defender_atp. {pull}28272[28272]
 - Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
+- Add support for username in cisco asa security negotiation logs {pull}26975[26975]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
@@ -83,6 +83,7 @@ Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unaccept
 Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 1.2.3.4, Security negotiation complete for User (test_user) Responder, Inbound SPI = 0x0000000, Outbound SPI = 0x0000000
 Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound"
 Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in"
 Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944

diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
@@ -4268,6 +4268,57 @@
             "forwarded"
         ]
     },
+    {
+        "cisco.asa.message_id": "713049",
+        "event.action": "firewall-rule",
+        "event.category": [
+            "network"
+        ],
+        "event.code": 713049,
+        "event.dataset": "cisco.asa",
+        "event.kind": "event",
+        "event.module": "cisco",
+        "event.original": "%ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 1.2.3.4, Security negotiation complete for User (test_user) Responder, Inbound SPI = 0x0000000, Outbound SPI = 0x0000000",
+        "event.severity": 5,
+        "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
+        "fileset.name": "asa",
+        "host.hostname": "dev01",
+        "input.type": "log",
+        "log.level": "notification",
+        "log.offset": 12205,
+        "observer.hostname": "dev01",
+        "observer.product": "asa",
+        "observer.type": "firewall",
+        "observer.vendor": "Cisco",
+        "related.hosts": [
+            "dev01"
+        ],
+        "related.ip": [
+            "1.2.3.4"
+        ],
+        "related.user": [
+            "test_user"
+        ],
+        "service.type": "cisco",
+        "source.address": "1.2.3.4",
+        "source.geo.city_name": "Moscow",
+        "source.geo.continent_name": "Europe",
+        "source.geo.country_iso_code": "RU",
+        "source.geo.country_name": "Russia",
+        "source.geo.location.lat": 55.7527,
+        "source.geo.location.lon": 37.6172,
+        "source.geo.region_iso_code": "RU-MOW",
+        "source.geo.region_name": "Moscow",
+        "source.ip": "1.2.3.4",
+        "tags": [
+            "cisco-asa",
+            "forwarded"
+        ],
+        "user.name": "test_user"
+    },
     {
         "cisco.asa.destination_interface": "inside",
         "cisco.asa.message_id": "106023",
@@ -4295,7 +4346,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 12205,
+        "log.offset": 12414,
         "network.community_id": "1:Uo11LCySQ1S0c9jtHZVIb4Pm/2k=",
         "network.iana_number": 47,
         "observer.egress.interface.name": "inside",
@@ -4346,7 +4397,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 12341,
+        "log.offset": 12550,
         "network.community_id": "1:VA3lwFPBuRus2kxMs1BexFp+gp4=",
         "network.iana_number": 1,
         "network.transport": "icmp",
@@ -4421,7 +4472,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 12518,
+        "log.offset": 12727,
         "network.bytes": 4671944,
         "network.community_id": "1:rwM9yFUsWh6N2utKviU7S94dS9U=",
         "network.iana_number": 17,
@@ -4482,7 +4533,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 12677,
+        "log.offset": 12886,
         "observer.hostname": "dev01",
         "observer.product": "asa",
         "observer.type": "firewall",
@@ -4523,7 +4574,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 12907,
+        "log.offset": 13116,
         "observer.hostname": "dev01",
         "observer.product": "asa",
         "observer.type": "firewall",
@@ -4564,7 +4615,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 13142,
+        "log.offset": 13351,
         "observer.hostname": "dev01",
         "observer.product": "asa",
         "observer.type": "firewall",
@@ -4605,7 +4656,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 13384,
+        "log.offset": 13593,
         "observer.hostname": "dev01",
         "observer.product": "asa",
         "observer.type": "firewall",

diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -651,6 +651,13 @@ processors:
       field: "message"
       description: "713049"
       pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+      ignore_failure: true
+  - dissect:
+      if: "ctx._temp_.cisco.message_id == '713049'"
+      field: "message"
+      description: "713049"
+      pattern: "Group = %{}, Username = %{user.name}, IP = %{source.address}, Security negotiation complete for User (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+      ignore_failure: true
   - grok:
       if: "ctx._temp_.cisco.message_id == '716002'"
       field: "message"