Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add parsing for 434001 and 434003 #31533

Merged
merged 4 commits into from
May 15, 2022
Merged

Add parsing for 434001 and 434003 #31533

merged 4 commits into from
May 15, 2022

Conversation

lukerucks
Copy link
Contributor

@lukerucks lukerucks commented May 5, 2022
edited by adriansr
Loading

What does this PR do?

This PR adds parsing for Cisco ASA 434001 and 434003 using the precise style currently used for parsing Cisco ASA 434002.

Why is it important?

We need parsing for ASA 434001, 434002, and 434003; right now only 434002 is supported, despite the others being substantially similar dissections.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

The PR uses the patterns specified here: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-400000-to-450001.html#con_7199521.
For testing the actual messages, these are sample logs:
For 434001:
<13>Apr 26 2022 10:24:37: %ASA-4-434001: SFR card not up and fail-close mode used, dropping TCP packet from outside:54.239.28.85/443 to Inside:10.12.128.89/57388

For 434003:
<13>May 30 2019 09:18:59: %ASA-4-434003: SFR requested to reset TCP connection from outside:54.239.28.85/443 to Inside:10.12.128.89/57388

Ideally a test would send these messages through filebeat with the Cisco ASA module enabled, although in this case the change is small enough to be visually inspected and compared with the working 434002 dissection that neighbors the changes and the Cisco specified log patterns from https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-400000-to-450001.html#con_7199521.

@lukerucks lukerucks requested a review from a team as a code owner May 5, 2022 16:03
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 5, 2022
@cla-checker-service
Copy link

cla-checker-service bot commented May 5, 2022
edited
Loading

💚 CLA has been signed

@elasticmachine
Copy link
Collaborator

elasticmachine commented May 5, 2022
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-05-12T08:56:23.235+0000

  • Duration: 69 min 9 sec

Test stats 🧪

Test Results
Failed 0
Passed 2099
Skipped 160
Total 2259

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 5, 2022
@andrewkroh andrewkroh added the needs_integration_sync Changes in this PR need synced to elastic/integrations. label May 5, 2022
@adriansr
Copy link
Contributor

Hi @lukerucks ,

Thanks for your contribution.

For us to proceed you need to sign the CLA.

@lukerucks
Copy link
Contributor Author

Hi @adriansr, I've signed the CLA with DocuSign; do I need to do anything else to show that I've signed it?

@efd6
Copy link
Contributor

efd6 commented May 11, 2022

/test

adriansr
adriansr reviewed May 12, 2022
View reviewed changes
Copy link
Contributor

@adriansr adriansr left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(mistake)

@adriansr adriansr self-requested a review May 12, 2022 08:58
adriansr
adriansr approved these changes May 12, 2022
View reviewed changes
Copy link
Contributor

@adriansr adriansr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To speed things up, I've added a changelog entry and test messages myself.

Also added a missing message ID to the processor that sets event.outcome: unknown. This is for consistency with all related messages, although I think we should revisit this at some point as I think the correct outcome would be success, but out of scope for this PR.

@adriansr adriansr merged commit c87c40b into elastic:main May 15, 2022
chrisberkhout pushed a commit that referenced this pull request Jun 1, 2023
@lukerucks @chrisberkhout
Add parsing for 434001 and 434003 (#31533)
82f06a8 
This PR adds parsing for Cisco ASA 434001 and 434003 using the precise
style currently used for parsing Cisco ASA 434002.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adriansr adriansr adriansr approved these changes

Assignees

@lukerucks lukerucks

Labels
enhancement Filebeat Filebeat module needs_integration_sync Changes in this PR need synced to elastic/integrations.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@lukerucks @elasticmachine @adriansr @efd6 @andrewkroh