Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cisco ASA parsing issues for event.duration, group.name and event.reason #24710

Closed
adriansr opened this issue Mar 23, 2021 · 1 comment · Fixed by #28325
Closed

Cisco ASA parsing issues for event.duration, group.name and event.reason #24710

adriansr opened this issue Mar 23, 2021 · 1 comment · Fixed by #28325
Assignees
@efd6
Labels
bug Filebeat Filebeat

Comments

@adriansr
Copy link
Contributor

For confirmed bugs, please report:

  • Version: 7.10
  • Operating System: -
  • Discuss Forum URL: -
  • Steps to Reproduce:

There are a few issues with Cisco ASA (and possibly FTD) parsing:

  • Pipeline expects session duration formatted as nn:nn:nn (hh:mm:ss). However, some messages (at least 113019) are observed to include time units: 3h:55m:49s. This leads to a bad event.duration (and event.start) calculation.

  • Some messages include group information which is currently discarded (113019, 722051, 713049, 716002, 722037). Possibly others. This should be mapped into one of the allowed ECS group objects.

  • Messages (113019, ...) include a reason which is extracted as field message, which is wrong and later dropped by the pipeline. The correct field to use in this case is event.reason.

  • This same message also includes a "session type" field. It needs investigation to see if this field can be mapped to ECS or alternatively to a custom field under cisco.asa.
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Mar 23, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Mar 23, 2021
@efd6 efd6 self-assigned this Oct 11, 2021
@efd6 efd6 mentioned this issue Oct 11, 2021
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@efd6 efd6

Labels
bug Filebeat Filebeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

x-pack/filebeat/module/cisco: loosen time parsing and add group and session type capture efd6/beats
3 participants
@adriansr @elasticmachine @efd6