Add username to ASA Security negotiation log

CHANGELOG.next.asciidoc

@@ -310,6 +310,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - sophos/xg fileset: Add missing pipeline for System Health logs. {pull}27827[27827] {issue}27826[27826]
 - Resolve issue with @timestamp for defender_atp. {pull}28272[28272]
 - Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
+- Add support for username in cisco asa security negotiation logs {pull}26975[26975]
 
 *Heartbeat*
 

x-pack/filebeat/module/cisco/asa/test/additional_messages.log

@@ -83,6 +83,7 @@ Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unaccept
 Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
 Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
+Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 1.2.3.4, Security negotiation complete for User (test_user) Responder, Inbound SPI = 0x0000000, Outbound SPI = 0x0000000
 Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound"
 Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in"
 Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944

x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json

@@ -4268,6 +4268,40 @@
             "forwarded"
         ]
     },
+    {
+        "cisco.asa.message_id": "713049",
+        "event.action": "firewall-rule",
+        "event.category": [
+            "network"
+        ],
+        "event.code": 713049,
+        "event.dataset": "cisco.asa",
+        "event.kind": "event",
+        "event.module": "cisco",
+        "event.original": "%ASA-5-713049: Group = 100.60.140.10, Username = test_user, IP = 1.2.3.4, Security negotiation complete for User (test_user) Responder, Inbound SPI = 0x0000000, Outbound SPI = 0x0000000",
+        "event.severity": 5,
+        "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
+        "fileset.name": "asa",
+        "host.hostname": "dev01",
+        "input.type": "log",
+        "log.level": "notification",
+        "log.offset": 12205,
+        "observer.hostname": "dev01",
+        "observer.product": "asa",
+        "observer.type": "firewall",
+        "observer.vendor": "Cisco",
+        "related.hosts": [
+            "dev01"
+        ],
+        "service.type": "cisco",
+        "tags": [
+            "cisco-asa",
+            "forwarded"
+        ]
+    },
     {
         "cisco.asa.destination_interface": "inside",
         "cisco.asa.message_id": "106023",
@@ -4295,7 +4329,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 12205,
+        "log.offset": 12414,
         "network.community_id": "1:Uo11LCySQ1S0c9jtHZVIb4Pm/2k=",
         "network.iana_number": 47,
         "observer.egress.interface.name": "inside",
@@ -4346,7 +4380,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 12341,
+        "log.offset": 12550,
         "network.community_id": "1:VA3lwFPBuRus2kxMs1BexFp+gp4=",
         "network.iana_number": 1,
         "network.transport": "icmp",
@@ -4421,7 +4455,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 12518,
+        "log.offset": 12727,
         "network.bytes": 4671944,
         "network.community_id": "1:rwM9yFUsWh6N2utKviU7S94dS9U=",
         "network.iana_number": 17,
@@ -4482,7 +4516,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 12677,
+        "log.offset": 12886,
         "observer.hostname": "dev01",
         "observer.product": "asa",
         "observer.type": "firewall",
@@ -4523,7 +4557,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 12907,
+        "log.offset": 13116,
         "observer.hostname": "dev01",
         "observer.product": "asa",
         "observer.type": "firewall",
@@ -4564,7 +4598,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 13142,
+        "log.offset": 13351,
         "observer.hostname": "dev01",
         "observer.product": "asa",
         "observer.type": "firewall",
@@ -4605,7 +4639,7 @@
         "host.hostname": "dev01",
         "input.type": "log",
         "log.level": "warning",
-        "log.offset": 13384,
+        "log.offset": 13593,
         "observer.hostname": "dev01",
         "observer.product": "asa",
         "observer.type": "firewall",

x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml

@@ -651,6 +651,13 @@ processors:
       field: "message"
       description: "713049"
       pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+      ignore_failure: true
+  - dissect:
+      if: "ctx._temp_.cisco.message_id == '713049'"
+      field: "message"
+      description: "713049"
+      pattern: "Group = %{}, Username = %{user.name}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+      ignore_failure: true
   - grok:
       if: "ctx._temp_.cisco.message_id == '716002'"
       field: "message"