[Filebeat] Enable dynamic inputs (TCP) for Cisco syslog modules

[legoguy1000]

What does this PR do?

Enables the Cisco filesets to use TCP or UDP for syslog input.

Why is it important?

TCP is more reliable than UDP and cisco devices can use both and shouldn't be limited to UDP.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• tested cisco asa with both udp & tcp using https://github.com/leehinman/spigot to generate traffic

How to test this PR locally

cd beats/x-pack/filebeat
TESTING_FILEBEAT_MODULES=cisco mage -v pythonIntegTest

Related issues

• Closes [Filebeat][Cisco] Allow for TCP syslog input #26118
• Closes Update Filebeat's Cisco > ASA config to reflect UDP #28821

Use cases

Screenshots

Logs

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2021-12-03T16:26:08.259+0000

• Duration: 95 min 41 sec

• Commit: ae3eb78

Test stats 🧪

Test	Results
Failed	0
Passed	2413
Skipped	152
Total	2565

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[legoguy1000]

@andrewkroh could u take a look at this when you get a chance. I think this is the best way to enable backwards compatibility with the existing syslog inputs but if there are other thoughts, let me know.

[legoguy1000]

I also think IDK if i need additional sample data to account for the syslog vs tcp/udp inputs??

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 26118-cisco-tcp upstream/26118-cisco-tcp
git merge upstream/master
git push upstream 26118-cisco-tcp

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 26118-cisco-tcp upstream/26118-cisco-tcp
git merge upstream/master
git push upstream 26118-cisco-tcp

[marc-gr]

/test

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 26118-cisco-tcp upstream/26118-cisco-tcp
git merge upstream/master
git push upstream 26118-cisco-tcp

[mergify]

This pull request does not have a backport label. Could you fix it @legoguy1000? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[leehinman]

/test

[legoguy1000]

@leehinman Anything more need to be done with this PR?

[leehinman]

@leehinman Anything more need to be done with this PR?

nope. Thanks for the reminder.

[andrewkroh]

This causes an issue for users with existing ASA and FTD configs that upgrade. The existing config contains var.input: syslog, but this fails under the new templates that are specific to the udp and tcp input types. I think to keep compatibility that the Go template needs to retain an {{ if eq .input "syslog" }}.

# Example of an existing config.
- module: cisco
  asa:
    enabled: true
    var.input: syslog
    var.syslog_host: 0.0.0.0
    var.syslog_port: 5144
    var.log_level: 7
  ftd:
    enabled: true
    var.input: syslog
    var.syslog_host: 0.0.0.0
    var.syslog_port: 5145
    var.log_level: 7

[legoguy1000]

If I recall the thought process, since syslog was the default for var.input if they didn't actually set the setting, when they upgraded it would use the new default of udp which is what it was already using. That being said, I see your point.

[andrewkroh]

I've added back an if in #30072.