[Filebeat][WIP] Cisco ASA module

This is is a draft. Documentation and dashboards are missing. Closes elastic#9200
adriansr · Mar 26, 2019 · 6523ff9 · 6523ff9
1 parent b3af1f6
commit 6523ff9
Show file tree

Hide file tree

Showing 23 changed files with 6,727 additions and 0 deletions.
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -15,6 +15,7 @@ grouped in the following categories:
 * <<exported-fields-apache>>
 * <<exported-fields-auditd>>
 * <<exported-fields-beat>>
+* <<exported-fields-cisco>>
 * <<exported-fields-cloud>>
 * <<exported-fields-coredns>>
 * <<exported-fields-docker-processor>>
@@ -1046,6 +1047,47 @@ type: alias
 
 alias to: agent.hostname
 
+--
+
+[[exported-fields-cisco]]
+== Cisco fields fields
+
+Module for handling Cisco network device logs.
+
+
+
+[float]
+== cisco fields
+
+Fields from Cisco logs.
+
+
+
+[float]
+== asa fields
+
+Fields for Cisco ASA Firewall.
+
+
+
+*`cisco.asa.message_id`*::
++
+--
+type: long
+
+The Cisco ASA message identifier.
+
+
+--
+
+*`cisco.asa.suffix`*::
++
+--
+type: keyword
+
+Suffix after %ASA identifier. Usually `session`.
+
+
 --
 
 [[exported-fields-cloud]]

diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc
@@ -0,0 +1,73 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[[filebeat-module-cisco]]
+[role="xpack"]
+
+:modulename: cisco
+:has-dashboards: true
+
+== Cisco module
+
+This is a module for Cisco network device's logs. Currently supports the `asa`
+fileset for Cisco-ASA firewalls logs.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default input to `syslog` and binds to `localhost` port `9001`
+  (but don’t worry, you can override the defaults).
+
+* Uses ingest node to parse and process the log lines, shaping the data into
+  a structure suitable for visualizing in Kibana.
+
+* Deploys dashboards for visualizing the log data.
+
+[float]
+=== Compatibility
+
+This module requires the {elasticsearch-plugins}/ingest-geoip.html[ingest-geoip]
+Elasticsearch plugin.
+TODO: What about user-agent plugin? If needed, update other modules too.
+
+include::../include/running-modules.asciidoc[]
+
+[float]
+=== Example dashboard
+
+This module comes with sample dashboards ---TODO--- :
+
+The module is by default configured to run via syslog on port 9011. However
+it can also be configured to read from a file path. See the following example.
+
+["source","yaml",subs="attributes"]
+-----
+- module: cisco
+  asa:
+    enabled: true
+    var.paths: ["/var/log/cisco-asa.log"]
+    var.input: "file"
+-----
+
+:fileset_ex: asa
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `asa` fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
+
+[float]
+=== Fields
+
+For a description of each field in the module, see the
+<<exported-fields-cisco,exported fields>> section.
+
diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc
@@ -6,6 +6,7 @@ This file is generated! See scripts/docs_collector.py
   * <<filebeat-module-apache>>
   * <<filebeat-module-auditd>>
   * <<filebeat-module-coredns>>
+  * <<filebeat-module-cisco>>
   * <<filebeat-module-elasticsearch>>
   * <<filebeat-module-haproxy>>
   * <<filebeat-module-icinga>>
@@ -35,6 +36,7 @@ include::modules-overview.asciidoc[]
 include::modules/apache.asciidoc[]
 include::modules/auditd.asciidoc[]
 include::modules/coredns.asciidoc[]
+include::modules/cisco.asciidoc[]
 include::modules/elasticsearch.asciidoc[]
 include::modules/haproxy.asciidoc[]
 include::modules/icinga.asciidoc[]

diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
@@ -82,6 +82,23 @@ filebeat.modules:
     # can be added under this section.
     #input:
 
+#----------------------------- Cisco Fields Module -----------------------------
+- module: cisco
+  asa:
+    enabled: true
+
+    # Set which input to use between syslog (default) or file.
+    #var.input:
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Set the log level from 1 (alerts only) to 7 (include all messages).
+    # Messages with a log level higher than the specified will be dropped.
+    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
+    #var.log_level: 7
+
 #------------------------------- Coredns Module -------------------------------
 - module: coredns
   # Fileset for native deployment

diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
diff --git a/x-pack/filebeat/module/cisco/README.md b/x-pack/filebeat/module/cisco/README.md
@@ -0,0 +1,6 @@
+# Cisco module
+
+## Caveats
+
+* Module is to be considered _beta_.
+
diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml
@@ -0,0 +1,15 @@
+- module: cisco
+  asa:
+    enabled: true
+
+    # Set which input to use between syslog (default) or file.
+    #var.input:
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Set the log level from 1 (alerts only) to 7 (include all messages).
+    # Messages with a log level higher than the specified will be dropped.
+    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
+    #var.log_level: 7
diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
@@ -0,0 +1,60 @@
+[role="xpack"]
+
+:modulename: cisco
+:has-dashboards: true
+
+== Cisco module
+
+This is a module for Cisco network device's logs. Currently supports the `asa`
+fileset for Cisco-ASA firewalls logs.
+
+When you run the module, it performs a few tasks under the hood:
+
+* Sets the default input to `syslog` and binds to `localhost` port `9001`
+  (but don’t worry, you can override the defaults).
+
+* Uses ingest node to parse and process the log lines, shaping the data into
+  a structure suitable for visualizing in Kibana.
+
+* Deploys dashboards for visualizing the log data.
+
+[float]
+=== Compatibility
+
+This module requires the {elasticsearch-plugins}/ingest-geoip.html[ingest-geoip]
+Elasticsearch plugin.
+TODO: What about user-agent plugin? If needed, update other modules too.
+
+include::../include/running-modules.asciidoc[]
+
+[float]
+=== Example dashboard
+
+This module comes with sample dashboards ---TODO--- :
+
+The module is by default configured to run via syslog on port 9011. However
+it can also be configured to read from a file path. See the following example.
+
+["source","yaml",subs="attributes"]
+-----
+- module: cisco
+  asa:
+    enabled: true
+    var.paths: ["/var/log/cisco-asa.log"]
+    var.input: "file"
+-----
+
+:fileset_ex: asa
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `asa` fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
diff --git a/x-pack/filebeat/module/cisco/_meta/fields.yml b/x-pack/filebeat/module/cisco/_meta/fields.yml
@@ -0,0 +1,10 @@
+- key: cisco
+  title: Cisco fields
+  description: >
+    Module for handling Cisco network device logs.
+  fields:
+    - name: cisco
+      type: group
+      description: >
+        Fields from Cisco logs.
+      fields: