[Filebeat] Cisco ASA pipeline is not parsing source.port and destination.port for message ID: 302022 correctly

[hendry-lim]

For confirmed bugs, please report:

• Version: 7.11.0
• Steps to Reproduce:
  • Ingest Cisco ASA log with message ID: 302022 via syslog (I am using Logstash to ingest and utilising filebeat-7.11.0-cisco-asa-asa-ftd-pipeline pipeline).
  • Observe 400 status error:
    failed to parse field [destination.port] of type [long] in document with id 'BkAHBngB0-vqe0TpMgeC'. Preview of field's value: '7503 (172.20.64.180/7503)'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: \"7503 (172.20.64.180/7503)\"

Current dissect pattern:
Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}

Sample message:
Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)

Dissect pattern should be changed to, e.g.:
Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[legoguy1000]

i created a PR with your fix and it looks good. do you know what the (8.8.8.5/38540) and (8.8.8.8/10051) are? If they're important we should parse them.

[legoguy1000]

From Cisco's website (https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-302003-to-342008.html)

302022
Error Message %ASA-6-302022: Built role stub TCP connection for interface :real-address /real-port (mapped-address /mapped-port ) to interface :real-address /real-port (mapped-address /mapped-port)
Explanation A TCP director/backup/forwarder flow has been created.
Recommended Action None required.

Looks liked NAT information? should this parser update to use the source.nat.* and destination.nat.*

[hendry-lim]

I am not sure, but they are the same in our case, e.g.
%ASA-6-302022: Built backup stub TCP connection for DCN-L3-TRANSIT:192.168.133.99/59672 (192.168.133.99/59672) to DCN-L3-TRANSIT-4091:172.20.64.182/7503 (172.20.64.182/7503)

[legoguy1000]

Interesting. I guess we'll just ignore them for now until someone has a better answer. I'll take the PR out of draft.

[legoguy1000]

As we work ur issue, do u have any input on this #23764? It seems to point out that the source and destination should be switched at times