Describe the enhancement:
Filebeat currently parses only a few ASA syslog events. It could support more syslog events, such as authentication events and command execution, which are more useful for the SIEM app to analyze. At the moment the SIEM is not detecting the firewall hostname, IP, or success/failure logins.
Describe a specific use case for the enhancement or feature:
Filebeat is not parsing ASA syslog message 111008, which is generated when a user executes a command. Filebeat could parse the message and also populate whether the action is a success or a failure. I am using the following grok filter on Logstash 6.6 to parse some of the ASA syslog messages:
grok {
  match => { "message" => "<%{INT:recordId}>%{DATA:[hostname]} \%%{DATA:[event][dataset]}-%{INT:[severity]}-%{INT:[cisco][asa][message_id]}:" }
}
if "%ASA-5-111008" in [message] {
  grok {
    match => { "message" => "111008: User '%{DATA:[cisco][asa][source_username]}' %{GREEDYDATA:[event][action]}" }
    add_field => {
      "[log][original]" => "Command Executed"
      "[event][outcome]" => "success"
    }
  }
}
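As an added example (not part of the issue or of the Filebeat module), the same two-stage parse done in Python so the header fields and the 111008 enrichment can be checked outside Logstash: the header regex mirrors the first grok pattern, the 111008 regex mirrors the second, and the PRI value the issue captures as recordId is split into syslog facility and severity. The sample lines, hostname and command are constructed, and the ECS-style field names are my choice.

```python
import re
from typing import Optional

# Constructed sample lines (not taken from the issue); hostname and command are made up.
SAMPLE_LINES = [
    "<165>fw01 %ASA-5-111008: User 'admin' executed the 'show running-config' command.",
    "<166>fw01 %ASA-6-302013: Built outbound TCP connection 1 for outside:10.0.0.1/443",
]

# Header shared by all ASA syslog lines: <PRI>hostname %ASA-<severity>-<message id>: body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<hostname>\S+) %(?P<dataset>[A-Z]+)-(?P<severity>\d)"
    r"-(?P<message_id>\d+): (?P<body>.*)$"
)
# Body of message 111008 in the shape the issue's second grok pattern expects:
# User '<name>' <rest of message>
MSG_111008_RE = re.compile(r"^User '(?P<username>[^']+)' (?P<action>.+)$")


def parse_asa_line(line: str) -> Optional[dict]:
    """Return ECS-style fields for one ASA syslog line, or None if the header does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    event = {
        "host.hostname": m.group("hostname"),
        "event.dataset": m.group("dataset"),
        "log.syslog.facility.code": pri // 8,  # syslog PRI = facility * 8 + severity
        "log.syslog.severity.code": pri % 8,
        "event.severity": int(m.group("severity")),
        "cisco.asa.message_id": m.group("message_id"),
    }
    if m.group("message_id") == "111008":
        b = MSG_111008_RE.match(m.group("body"))
        if b:
            event["cisco.asa.source_username"] = b.group("username")
            event["event.action"] = b.group("action").rstrip(".")
            # Same assumption as the issue's add_field: a logged 111008 means the command ran.
            event["event.outcome"] = "success"
    return event


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_asa_line(line))
```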
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.