Describe the enhancement:
When there is a security group tag in the incoming log messages, filebeat's ingest pipeline is unable to parse the logs.
We are using ASA as a VPN device, therefore ASA logs contain security group tags which the ingest pipeline doesn't consider, and the grok patterns fail on them. So the parsing is unsuccessful.
Filebeat 8.2.3
Pipeline: filebeat-8.2.3-cisco-asa-asa-ftd-pipeline
Example log:
<190>Jun 21 2022 11:47:08: %ASA-6-302015: Built inbound UDP connection <number> for outside:<IP1>/<PORT1> (<IP1>/<PORT1>)(LOCAL\<USER>, <SGT>) to inside:<IP2>/<PORT2> (<IP2>/<PORT2>) (<USER>)
Explanation:
For the example log, this grok parser would run:
This "CISCO_USER" pattern needs to consider security group tags as well.
Suggestion GROK pattern:
"CISCO_USER": """((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, %{NUMBER:SGT})?)"""
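To reproduce the parse failure the issue describes, here is an added example (not code from the issue author or from the beats project) that expands grok-style `%{NAME:field}` references into Python regular expressions and runs a simplified `%ASA-6-302015` message pattern over two constructed log lines, once with a reconstruction of the CISCO_USER definition without SGT support and once with the suggested SGT-aware definition. The base pattern definitions, the 302015 message pattern, the short field names and the two sample lines are all assumptions made for this example; the shipped pipeline's patterns are longer and map to ECS field names.

```python
import re

# Constructed base patterns, simplified from the stock grok definitions (assumption for this
# example; Elasticsearch's grok processor ships its own, longer definitions).
BASE_PATTERNS = {
    "INT": r"[+-]?\d+",
    "NUMBER": r"\d+(?:\.\d+)?",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9_-]*(?:\.[A-Za-z0-9][A-Za-z0-9_-]*)*",
    "USERNAME": r"[A-Za-z0-9._-]+",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
}

# CISCO_USER without SGT support (reconstructed from the issue text, not copied from the
# shipped pipeline) and the SGT-aware definition the issue suggests. `\\` matches the
# literal backslash in "LOCAL\user".
CISCO_USER_CURRENT = r"((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?)"
CISCO_USER_SUGGESTED = r"((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, %{NUMBER:SGT})?)"

# Simplified message pattern for %ASA-6-302015 with short field names (assumption; the real
# pipeline pattern is longer and maps to ECS fields such as source.user.name).
MSG_302015 = (
    r"Built %{WORD:direction} %{WORD:transport} connection %{INT:connection_id} "
    r"for %{NOTSPACE:src_if}:%{IP:src_ip}/%{INT:src_port} "
    r"\(%{IP:src_nat_ip}/%{INT:src_nat_port}\) ?(\(%{CISCO_USER:src_user}\))? "
    r"to %{NOTSPACE:dst_if}:%{IP:dst_ip}/%{INT:dst_port} "
    r"\(%{IP:dst_nat_ip}/%{INT:dst_nat_port}\) ?(\(%{CISCO_USER:dst_user}\))?$"
)

HEADER = re.compile(r"^<\d+>.*?%ASA-\d-(\d+): (.*)$")
GROK_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")


def expand(pattern, defs, prefix=""):
    """Expand %{NAME[:field]} references into Python named groups, recursively.

    Nested captures (the SGT inside CISCO_USER) are prefixed with the enclosing field so
    that the same sub-pattern can be used twice (source and destination user)."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        if field:
            field = (f"{prefix}_{field}" if prefix else field).replace(".", "_")
        inner = expand(defs[name], defs, field or prefix)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(sub, pattern)


def parse_302015(line, cisco_user):
    """Parse one %ASA-6-302015 syslog line using the given CISCO_USER definition.

    Returns the captured fields, or None when the grok pattern does not match
    (which is what the pipeline reports as a parse failure)."""
    header = HEADER.match(line)
    if not header or header.group(1) != "302015":
        return None
    defs = dict(BASE_PATTERNS, CISCO_USER=cisco_user)
    match = re.compile(expand(MSG_302015, defs)).match(header.group(2))
    return match.groupdict() if match else None


# Constructed sample lines modelled on the issue's example (not real traffic).
LOG_PLAIN = (
    "<190>Jun 21 2022 11:47:08: %ASA-6-302015: Built inbound UDP connection 12345 "
    "for outside:198.51.100.23/51820 (198.51.100.23/51820)(LOCAL\\jdoe) "
    "to inside:10.10.1.5/51820 (10.10.1.5/51820) (jdoe)"
)
LOG_SGT = LOG_PLAIN.replace("(LOCAL\\jdoe)", "(LOCAL\\jdoe, 17)")


if __name__ == "__main__":
    for label, definition in (("current", CISCO_USER_CURRENT), ("suggested", CISCO_USER_SUGGESTED)):
        for line in (LOG_PLAIN, LOG_SGT):
            fields = parse_302015(line, definition)
            print(f"{label:9} {'SGT' if line is LOG_SGT else 'plain'}:",
                  "parse failure" if fields is None else
                  {k: v for k, v in fields.items() if k.endswith(("user", "SGT"))})
```

Running it shows the definition without SGT support failing on the line that carries `, 17` and the suggested definition parsing it. One thing worth checking before adopting the suggestion as written: because the optional `(, %{NUMBER:SGT})?` group sits inside the outer capture group, the user-name field also receives the `, <SGT>` suffix (`LOCAL\jdoe, 17` in the example), so if the tag should not end up in the user name, the optional group would need to be moved outside the group that the pipeline maps to the user-name field.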