
[Filebeat] Add Cisco ASA message '302023' parsing #23092

Merged
merged 2 commits into from
Jan 25, 2021

Conversation

chifu1234 (Contributor) commented Dec 11, 2020

cisco/add adding message id 302023

What does this PR do?

This PR will add parsing for Cisco ASA message ID 302023.

Why is it important?

This will add a common message for Cisco ASA clusters.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.


Logs

%ASA-6-302022: Built backup stub TCP connection for INTERNET:1.1.1.1/57475 (1.1.1.1/57475) to INTERN:1.2.3.4/443 (1.2.3.4/443)

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 11, 2020
@cla-checker-service bot commented Dec 11, 2020

💚 CLA has been signed

@elasticmachine (Collaborator)

❕ Build Aborted

The PR is not allowed to run in the CI yet

Build stats

  • Build Cause: Pull request #23092 updated
  • Reason: The PR is not allowed to run in the CI yet
  • Start Time: 2020-12-11T16:12:02.465+0000
  • Duration: 3 min 16 sec
  • Commit: 94b56942f91a9b1a550f0e8a2c218b071f9dd142

Steps errors 1

  • Description: githubPrCheckApproved: The PR is not allowed to run in the CI yet. (Only users with write permissions can do so.)


@chifu1234 (Contributor, Author)

/check

@elasticmachine (Collaborator)

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 12, 2020
@elasticmachine (Collaborator) commented Dec 17, 2020

💚 Build Succeeded

Build stats

  • Build Cause: andrewkroh commented: jenkins, run tests
  • Start Time: 2021-01-25T14:19:46.811+0000
  • Duration: 48 min 20 sec
  • Commit: 758d183

Test stats 🧪

Test Results
  • Failed: 0
  • Passed: 2460
  • Skipped: 263
  • Total: 2723

💚 Flaky test report

Tests succeeded.

- dissect:
    if: "ctx._temp_.cisco.message_id == '302023'"
    field: "message"
    pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{:network.bytes}"

@andrewkroh (Member) Jan 13, 2021

There's an extra colon in %{:network.bytes}.

Member

This does not match any of the samples we have:

module/cisco//asa/test/additional_messages.log:May  5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner
module/cisco//asa/test/additional_messages.log:May  5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow

There's a reason string at the end. https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs3.html#con_8182943

Suggested change
pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{:network.bytes}"
pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}"
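
To see what the stray colon and the missing trailer do to the two samples quoted above, here is an added Python example (not code from the PR or from Beats) that runs both dissect patterns from this review through a minimal emulation of the dissect processor. Stripping the syslog header up to the message ID in parse_302023 is an assumption about what the cisco module's earlier processors leave in the message field.

```python
import re

# Dissect patterns as quoted in the review: the PR's original line and the
# suggested fix (drops the stray colon, adds %{event.reason} for the trailer).
PATTERN_BEFORE = (
    "Teardown stub %{network.transport} connection for "
    "%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to "
    "%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} "
    "duration %{_temp_.duration_hms} forwarded bytes %{:network.bytes}"
)
PATTERN_AFTER = PATTERN_BEFORE.replace(
    "%{:network.bytes}", "%{network.bytes} %{event.reason}"
)

# Constructed input: the two 302023 lines from the module's test log quoted above.
SAMPLES = [
    "May  5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for "
    "fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 "
    "forwarded bytes 0 Cluster flow with CLU closed on owner",
    "May  5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for "
    "net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 "
    "forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow",
]

KEY_RE = re.compile(r"%\{([^}]*)\}")


def dissect(pattern, text):
    """Minimal dissect: each %{key} captures up to the literal that follows it,
    and a key with nothing after it takes the rest of the line, which is how the
    Elasticsearch dissect processor behaves. Returns None if the literals
    do not line up with the text."""
    parts = KEY_RE.split(pattern)           # [lit0, key0, lit1, key1, ..., litN]
    literals, keys = parts[0::2], parts[1::2]
    regex = re.escape(literals[0])
    for lit in literals[1:]:
        regex += "(.*?)" + re.escape(lit)   # lazy: stop at the next literal
    match = re.fullmatch(regex, text, re.DOTALL)
    if match is None:
        return None
    return dict(zip(keys, match.groups()))


def parse_302023(line, pattern):
    """Drop the syslog header up to the message ID (assumed to be done by the
    module's earlier processors) and dissect the remaining message body."""
    _, sep, body = line.partition("%ASA-6-302023: ")
    if not sep:
        return None
    return dissect(pattern, body)


if __name__ == "__main__":
    for line in SAMPLES:
        print("before:", parse_302023(line, PATTERN_BEFORE))
        print("after: ", parse_302023(line, PATTERN_AFTER))
```

With the original pattern the whole tail "0 Cluster flow with CLU closed on owner" lands under a field literally named ":network.bytes", so network.bytes is never set and nothing numeric is produced; with the suggested pattern network.bytes is "0" and the Cisco reason text goes to event.reason.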

@andrewkroh (Member) commented Jan 13, 2021

I pushed an update to the dissect pattern. And I updated the golden test files since they are affected by this change.

run tests

@andrewkroh (Member)

@chifu1234 Can you please sign the CLA? https://www.elastic.co/contributor-agreement

@andrewkroh andrewkroh added enhancement Filebeat Filebeat needs CLA User must sign the Elastic Contributor License before review. labels Jan 13, 2021
@andrewkroh andrewkroh changed the title Update asa-ftd-pipeline.yml [Filebeat] Add Cisco ASA message '302023' parsing Jan 13, 2021
@chifu1234 (Contributor, Author)

@andrewkroh thanks, will sign today

@chifu1234 chifu1234 force-pushed the master branch 5 times, most recently from fcf2df9 to 32ced53 Compare January 13, 2021 08:22
cisco/add adding message id 302023

Signed-off-by: Kevin  Klopfenstein <kk@sudo-i.net>
cisco/add adding message id 302023

Signed-off-by: Kevin  Klopfenstein <kk@sudo-i.net>
Signed-off-by: kevin <kk@sudo-i.net>
@andrewkroh (Member)

@chifu1234 Hi, checking in to see if you could please sign the CLA. Then I'll get this merged. Thanks.

@chifu1234 (Contributor, Author)

@andrewkroh sorry, I did sign the CLA now.

@andrewkroh (Member)

jenkins, run tests

@andrewkroh andrewkroh merged commit 47889eb into elastic:master Jan 25, 2021
andrewkroh pushed a commit to andrewkroh/beats that referenced this pull request Jan 25, 2021
Enhance message parsing to Cisco ASA message 302023.

Signed-off-by: Kevin  Klopfenstein <kk@sudo-i.net>
Signed-off-by: kevin <kk@sudo-i.net>
(cherry picked from commit 47889eb)
andrewkroh added a commit that referenced this pull request Jan 25, 2021
Enhance message parsing to Cisco ASA message 302023.

Signed-off-by: Kevin  Klopfenstein <kk@sudo-i.net>
Signed-off-by: kevin <kk@sudo-i.net>
(cherry picked from commit 47889eb)

Co-authored-by: Kevin Klopfenstein <kk@sudo-i.net>
v1v added a commit to v1v/beats that referenced this pull request Jan 26, 2021
…pack-when-oss-changes

* upstream/master:
  [DOCS] Add setup content to Kubernetes and Cloud Foundry docs (elastic#23580)
  [CI] Mandatory windows support for all the versions (elastic#23615)
  Add check when retrieving the worker process id using performance counters  (elastic#23647)
  Remove 4912 evtx from testing (elastic#23669)
  Add missing SSL settings (elastic#23632)
  Update X-Pack Packetbeat config (elastic#23666)
  Use hostname check from verify.go to handle patterns in TLS certs (elastic#23661)
  Fix: Dissect Cisco ASA 302013 message usernames (elastic#21196)
  Add FAQ entry for MADV settings in older versions (elastic#23429)
  Sync fixes from Integration Package Testing (elastic#23424)
  [Filebeat] Add Cisco ASA message '302023' parsing (elastic#23092)
  [Elastic Log Driver] Change hosts config flag (elastic#23628)
  Audit and Authentication Policy Change Events (elastic#20684)
Labels
enhancement Filebeat Filebeat needs CLA User must sign the Elastic Contributor License before review. v7.12.0