From df6fde2525c6502f50dad162c43e9ec815bd54f2 Mon Sep 17 00:00:00 2001
From: LaZyDK
Date: Mon, 11 Oct 2021 21:22:13 +0200
Subject: [PATCH] Add username to ASA Security negotiation log (#26975)

* Add username to ASA Security negotiation log
I added the username user.name field to ASA Security negotiation log line.
* adding support for both formats
* adding changelog entry
* updating geo fields in expected output files
* reverse formatting
* reverting to older version of file
* reverting formatting again
* regenrate golden files again
* remove formatting, ready for review
* fixing missing message due to no newline
* fix dissect pattern to fit correctly
Co-authored-by: Marius Iversen
---
 CHANGELOG.next.asciidoc | 1 +
 .../cisco/asa/test/additional_messages.log | 1 +
 .../additional_messages.log-expected.json | 65 +++++++++++++++++--
 .../cisco/shared/ingest/asa-ftd-pipeline.yml | 7 ++
 4 files changed, 67 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index a0c9695321a..f246a50163f 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -315,6 +315,7 @@ for a few releases. Please use other tools provided by Elastic to fetch data fro
 - sophos/xg fileset: Add missing pipeline for System Health logs. {pull}27827[27827] {issue}27826[27826]
 - Resolve issue with @timestamp for defender_atp. {pull}28272[28272]
 - Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
+- Add support for username in cisco asa security negotiation logs {pull}26975[26975]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
index e1666f72432..75271900c57 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
@@ -83,6 +83,7 @@ Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unaccept
 Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 1.2.3.4, Security negotiation complete for User (test_user) Responder, Inbound SPI = 0x0000000, Outbound SPI = 0x0000000
 Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound"
 Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in"
 Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
index 8866c2baa1b..6505354dafc 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
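Review bot: The added sample line starts `Apr 27 02:03:03 dev01:` without a year, while every neighbouring line in this hunk uses `Apr 27 2020 02:03:03 dev01:`. If the year-less syslog timestamp form is not what this case is meant to exercise, the line should read `Apr 27 2020 02:03:03 dev01: %ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 1.2.3.4, ...` so the fixture stays uniform and the parsed timestamp presumably does not depend on the year in which the test runs. If the omission is deliberate, a second copy carrying the year would cover both forms of the same message.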
@@ -4268,6 +4268,57 @@
 "forwarded"
 ]
 },
+ {
+ "cisco.asa.message_id": "713049",
+ "event.action": "firewall-rule",
+ "event.category": [
+ "network"
+ ],
+ "event.code": 713049,
+ "event.dataset": "cisco.asa",
+ "event.kind": "event",
+ "event.module": "cisco",
+ "event.original": "%ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 1.2.3.4, Security negotiation complete for User (test_user) Responder, Inbound SPI = 0x0000000, Outbound SPI = 0x0000000",
+ "event.severity": 5,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "asa",
+ "host.hostname": "dev01",
+ "input.type": "log",
+ "log.level": "notification",
+ "log.offset": 12205,
+ "observer.hostname": "dev01",
+ "observer.product": "asa",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
+ "related.hosts": [
+ "dev01"
+ ],
+ "related.ip": [
+ "1.2.3.4"
+ ],
+ "related.user": [
+ "test_user"
+ ],
+ "service.type": "cisco",
+ "source.address": "1.2.3.4",
+ "source.geo.city_name": "Moscow",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "RU",
+ "source.geo.country_name": "Russia",
+ "source.geo.location.lat": 55.7527,
+ "source.geo.location.lon": 37.6172,
+ "source.geo.region_iso_code": "RU-MOW",
+ "source.geo.region_name": "Moscow",
+ "source.ip": "1.2.3.4",
+ "tags": [
+ "cisco-asa",
+ "forwarded"
+ ],
+ "user.name": "test_user"
+ },
 {
 "cisco.asa.destination_interface": "inside",
 "cisco.asa.message_id": "106023",
@@ -4295,7 +4346,7 @@
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 12205,
+ "log.offset": 12414,
 "network.community_id": "1:Uo11LCySQ1S0c9jtHZVIb4Pm/2k=",
 "network.iana_number": 47,
 "observer.egress.interface.name": "inside",
@@ -4346,7 +4397,7 @@
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 12341,
+ "log.offset": 12550,
 "network.community_id": "1:VA3lwFPBuRus2kxMs1BexFp+gp4=",
 "network.iana_number": 1,
 "network.transport": "icmp",
@@ -4421,7 +4472,7 @@
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 12518,
+ "log.offset": 12727,
 "network.bytes": 4671944,
 "network.community_id": "1:rwM9yFUsWh6N2utKviU7S94dS9U=",
 "network.iana_number": 17,
@@ -4482,7 +4533,7 @@
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 12677,
+ "log.offset": 12886,
 "observer.hostname": "dev01",
 "observer.product": "asa",
 "observer.type": "firewall",
@@ -4523,7 +4574,7 @@
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 12907,
+ "log.offset": 13116,
 "observer.hostname": "dev01",
 "observer.product": "asa",
 "observer.type": "firewall",
@@ -4564,7 +4615,7 @@
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 13142,
+ "log.offset": 13351,
 "observer.hostname": "dev01",
 "observer.product": "asa",
 "observer.type": "firewall",
@@ -4605,7 +4656,7 @@
 "host.hostname": "dev01",
 "input.type": "log",
 "log.level": "warning",
- "log.offset": 13384,
+ "log.offset": 13593,
 "observer.hostname": "dev01",
 "observer.product": "asa",
 "observer.type": "firewall",
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index ee379156ce6..ee612bc54f8 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -651,6 +651,13 @@ processors:
 field: "message"
 description: "713049"
 pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+ ignore_failure: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713049'"
+ field: "message"
+ description: "713049"
+ pattern: "Group = %{}, Username = %{user.name}, IP = %{source.address}, Security negotiation complete for User (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+ ignore_failure: true
 - grok:
 if: "ctx._temp_.cisco.message_id == '716002'"
 field: "message"
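Review bot: The two 713049 dissect processors share an identical `if` and the same `description: "713049"`, and the variant selection is done only by `ignore_failure: true` — added here to the existing LAN-to-LAN processor as well as the new one — so a 713049 message that matches neither pattern now flows through with no `source.address` or `user.name` and no failure recorded, and a genuine dissect failure on either processor cannot be attributed in pipeline stats. Making the choice explicit keeps real failures visible, e.g. `if: "ctx._temp_.cisco.message_id == '713049' && ctx.message.contains('Username = ')"` on the new processor with the negated check on the LAN-to-LAN one, plus distinct descriptions such as `description: "713049 (User)"` and `description: "713049 (LAN-to-LAN)"`. The LAN-to-LAN processor's `- dissect:` and `if:` lines begin above the hunk, so its condition is inferred from the `description` visible here.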