x-pack/filebeat/module/cisco/{asa,ftd}: allow configuration of time z…

…ones

CHANGELOG.next.asciidoc

@@ -191,6 +191,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Allow users to redact sensitive data from CEL input debug logs. {pull}34302[34302]
 - Added support for HTTP destination override to Google Cloud Storage input. {pull}34413[34413]
 - Add support for new Rabbitmq timestamp format for logs {pull}34211[34211]
+- Allow user configuration of timezone offset in Cisco ASA and FTD modules. {pull}34436[34436]
 
 *Auditbeat*
 

x-pack/filebeat/filebeat.reference.yml

@@ -720,6 +720,10 @@ filebeat.modules:
     # based on zone egress and ingress
     #var.external_zones: [ "External" ]
 
+    # IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog
+    # timestamps without a time zone.
+    #var.timezone_offset: UTC
+
   ftd:
     enabled: false
 
@@ -753,6 +757,10 @@ filebeat.modules:
     # based on zone egress and ingress
     #var.external_zones: [ "External" ]
 
+    # IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog
+    # timestamps without a time zone.
+    #var.timezone_offset: UTC
+
   ios:
     enabled: false
 

x-pack/filebeat/module/cisco/_meta/config.yml

@@ -32,6 +32,10 @@
     # based on zone egress and ingress
     #var.external_zones: [ "External" ]
 
+    # IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog
+    # timestamps without a time zone.
+    #var.timezone_offset: UTC
+
   ftd:
     enabled: false
 
@@ -65,6 +69,10 @@
     # based on zone egress and ingress
     #var.external_zones: [ "External" ]
 
+    # IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog
+    # timestamps without a time zone.
+    #var.timezone_offset: UTC
+
   ios:
     enabled: false
 

x-pack/filebeat/module/cisco/asa/config/input.yml

@@ -29,6 +29,13 @@ processors:
       fields:
         ecs.version: 1.12.0
 
+{{ if .timezone_offset }}
+  - add_fields:
+      target: _temp_
+      fields:
+        timezone_offset: "{{ .timezone_offset }}"
+{{ end }}
+
 {{ if .external_zones }}
   - add_fields:
       target: _temp_

x-pack/filebeat/module/cisco/asa/manifest.yml

@@ -27,6 +27,7 @@ var:
     default: ASA
   - name: external_zones
   - name: internal_zones
+  - name: timezone_offset
 
 ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml
 input: config/input.yml

x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json

@@ -102,7 +102,7 @@
         ]
     },
     {
-        "@timestamp": "2014-04-15T11:34:34.000-02:00",
+        "@timestamp": "2014-04-15T13:34:34.000Z",
         "cisco.asa.destination_interface": "outside",
         "cisco.asa.message_id": "106100",
         "cisco.asa.rule_name": "acl_in",
@@ -122,7 +122,6 @@
         "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
         "event.outcome": "success",
         "event.severity": 5,
-        "event.timezone": "-02:00",
         "event.type": [
             "allowed",
             "connection"
@@ -1964,7 +1963,7 @@
         ]
     },
     {
-        "@timestamp": "2018-04-15T11:34:34.000-02:00",
+        "@timestamp": "2018-04-15T13:34:34.000Z",
         "cisco.asa.destination_interface": "outside",
         "cisco.asa.message_id": "106100",
         "cisco.asa.rule_name": "acl_in",
@@ -1984,7 +1983,6 @@
         "event.original": "%ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
         "event.outcome": "success",
         "event.severity": 5,
-        "event.timezone": "-02:00",
         "event.type": [
             "allowed",
             "connection"

x-pack/filebeat/module/cisco/ftd/config/input.yml

@@ -29,6 +29,13 @@ processors:
       fields:
         ecs.version: 1.12.0
 
+{{ if .timezone_offset }}
+  - add_fields:
+      target: _temp_
+      fields:
+        timezone_offset: "{{ .timezone_offset }}"
+{{ end }}
+
 {{ if .external_zones }}
   - add_fields:
       target: _temp_

x-pack/filebeat/module/cisco/ftd/manifest.yml

@@ -27,6 +27,7 @@ var:
     default: FTD
   - name: external_zones
   - name: internal_zones
+  - name: timezone_offset
 
 ingest_pipeline: ../shared/ingest/asa-ftd-pipeline.yml
 input: config/input.yml

x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json

@@ -1,6 +1,6 @@
 [
     {
-        "@timestamp": "2019-08-16T07:54:00.000-02:00",
+        "@timestamp": "2019-08-16T09:54:00.000Z",
         "cisco.ftd.destination_interface": "outside",
         "cisco.ftd.message_id": "430001",
         "cisco.ftd.rule_name": [
@@ -42,7 +42,7 @@
         "event.module": "cisco",
         "event.original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
         "event.severity": 0,
-        "event.timezone": "-02:00",
+        "event.timezone": "UTC",
         "event.type": [
             "info"
         ],
@@ -88,7 +88,7 @@
         "user.name": "No Authentication Required"
     },
     {
-        "@timestamp": "2019-08-16T07:57:02.000-02:00",
+        "@timestamp": "2019-08-16T09:57:02.000Z",
         "cisco.ftd.destination_interface": "outside",
         "cisco.ftd.message_id": "430001",
         "cisco.ftd.rule_name": [
@@ -130,7 +130,7 @@
         "event.module": "cisco",
         "event.original": "%FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55868, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: input-zone, EgressZone: output-zone, Priority: 1, GID: 1, SID: 17279, Revision: 12, Message: SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt, Classification: Attempted User Privilege Gain, User: No Authentication Required, Client: Firefox, ApplicationProtocol: HTTP, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
         "event.severity": 0,
-        "event.timezone": "-02:00",
+        "event.timezone": "UTC",
         "event.type": [
             "info"
         ],
@@ -176,7 +176,7 @@
         "user.name": "No Authentication Required"
     },
     {
-        "@timestamp": "2019-08-16T08:04:44.000-02:00",
+        "@timestamp": "2019-08-16T10:04:44.000Z",
         "cisco.ftd.destination_interface": "inside",
         "cisco.ftd.message_id": "430001",
         "cisco.ftd.rule_name": [
@@ -216,7 +216,7 @@
         "event.module": "cisco",
         "event.original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 39114, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
         "event.severity": 0,
-        "event.timezone": "-02:00",
+        "event.timezone": "UTC",
         "event.type": [
             "info"
         ],
@@ -260,7 +260,7 @@
         "user.name": "No Authentication Required"
     },
     {
-        "@timestamp": "2019-08-16T08:09:47.000-02:00",
+        "@timestamp": "2019-08-16T10:09:47.000Z",
         "cisco.ftd.destination_interface": "inside",
         "cisco.ftd.message_id": "430001",
         "cisco.ftd.rule_name": [
@@ -300,7 +300,7 @@
         "event.module": "cisco",
         "event.original": "%FTD-0-430001: SrcIP: 10.0.100.30, DstIP: 10.0.1.20, SrcPort: 21, DstPort: 40740, Protocol: 6, IngressInterface: outside, EgressInterface: inside, IngressZone: output-zone, EgressZone: input-zone, Priority: 3, GID: 1, SID: 13360, Revision: 6, Message: APP-DETECT failed FTP login attempt, Classification: Misc Activity, User: No Authentication Required, IntrusionPolicy: intrusion-policy, ACPolicy: default, NAPPolicy: Balanced Security and Connectivity",
         "event.severity": 0,
-        "event.timezone": "-02:00",
+        "event.timezone": "UTC",
         "event.type": [
             "info"
         ],

x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json

@@ -100,7 +100,7 @@
         ]
     },
     {
-        "@timestamp": "2014-04-15T11:34:34.000-02:00",
+        "@timestamp": "2014-04-15T13:34:34.000Z",
         "cisco.ftd.destination_interface": "outside",
         "cisco.ftd.message_id": "106100",
         "cisco.ftd.rule_name": "acl_in",
@@ -120,7 +120,6 @@
         "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.1.2.16(2241) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
         "event.outcome": "success",
         "event.severity": 5,
-        "event.timezone": "-02:00",
         "event.type": [
             "allowed",
             "connection"
@@ -1926,7 +1925,7 @@
         ]
     },
     {
-        "@timestamp": "2018-04-15T11:34:34.000-02:00",
+        "@timestamp": "2018-04-15T13:34:34.000Z",
         "cisco.ftd.destination_interface": "outside",
         "cisco.ftd.message_id": "106100",
         "cisco.ftd.rule_name": "acl_in",
@@ -1946,7 +1945,6 @@
         "event.original": "%FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]",
         "event.outcome": "success",
         "event.severity": 5,
-        "event.timezone": "-02:00",
         "event.type": [
             "allowed",
             "connection"