
Cisco module ingest processor for ASA 106023 events doesn't account for all possibilities #18846

Closed
makeitthingsbetter opened this issue May 29, 2020 · 3 comments

Comments

@makeitthingsbetter

  • Version: 7.7.0
  • Steps to Reproduce:

The ASA 106023 log event can produce log lines similar to both of the following:

%ASA-4-106023: Deny tcp src outside:1.2.3.4/35539 dst inside:2.3.4.5/8530 by access-group "outside_incoming_list" [0x0, 0x0]
or
%ASA-4-106023: Deny udp src outside:11.2.3.4/4104(LOCAL\username) dst inside:2.3.4.5/4104 by access-group "outside_incoming_list" [0x0, 0x0]

Currently the second log (with the username) event cannot be indexed because the dissect pattern crashes.

Dissect Pattern in beats/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml:

  - dissect:
      if: "ctx._temp_.cisco.message_id == '106023'"
      field: "message"
      pattern: '%{event.outcome} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{} access%{}group "%{_temp_.cisco.list_id}"%{}'
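The failure mode the issue describes, shown in working code (an added example, not code from the Filebeat cisco module or from the issue author): the dissect key `%{source.port}` captures everything up to the literal ` dst`, so on the second log line it yields `4104(LOCAL\username)`, which is not an integer. The parser below is a regex stand-in for the pattern that makes the `(DOMAIN\user)` suffix after either port optional and emits it as a separate field. The dotted field names, the `parse_asa_106023` / `dissect_style_source_port` function names and the third sample line are this example's own assumptions; the first two sample lines are the ones quoted in the issue.

```python
import re
from typing import Optional

# Regex stand-in for the dissect pattern quoted above (assumption: this is an
# illustration, not the module's real pipeline). The "(DOMAIN\user)" suffix
# after each port is optional, so both forms in the issue parse.
ASA_106023_RE = re.compile(
    r'^%ASA-(?P<severity>\d)-(?P<message_id>106023): '
    r'(?P<outcome>\S+) (?P<transport>\S+) '
    r'src (?P<src_iface>[^:\s]+):(?P<src_addr>[^/\s]+)/(?P<src_port>\d+)'
    r'(?:\((?P<src_user>[^)]*)\))? '
    r'dst (?P<dst_iface>[^:\s]+):(?P<dst_addr>[^/\s]+)/(?P<dst_port>\d+)'
    r'(?:\((?P<dst_user>[^)]*)\))? '
    r'\S+ access\S*group "(?P<list_id>[^"]+)"'
    r'(?:\s+\[(?P<flags>[^\]]*)\])?\s*$'
)

# Sample input: lines 1 and 2 are the ones from the issue; line 3 is
# constructed here to exercise a username on the destination side.
SAMPLE_LINES = [
    r'%ASA-4-106023: Deny tcp src outside:1.2.3.4/35539 dst inside:2.3.4.5/8530 by access-group "outside_incoming_list" [0x0, 0x0]',
    r'%ASA-4-106023: Deny udp src outside:11.2.3.4/4104(LOCAL\username) dst inside:2.3.4.5/4104 by access-group "outside_incoming_list" [0x0, 0x0]',
    r'%ASA-4-106023: Deny tcp src outside:10.0.0.7/51000 dst inside:10.0.1.9/445(LOCAL\svc) by access-group "outside_incoming_list" [0x0, 0x0]',
]


def dissect_style_source_port(line: str) -> Optional[str]:
    """Mimic what the original dissect key %{source.port} captures: every
    character between the '/' after the source address and the literal ' dst'."""
    m = re.search(r' src [^:\s]+:[^/\s]+/(.*?) dst ', line)
    return m.group(1) if m else None


def parse_asa_106023(line: str) -> Optional[dict]:
    """Parse one 106023 line into flat, ECS-style fields (field names are this
    example's choice). Returns None when the line does not match."""
    m = ASA_106023_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    event = {
        "cisco.message_id": g["message_id"],
        "event.severity": int(g["severity"]),
        "event.outcome": g["outcome"].lower(),
        "network.transport": g["transport"].lower(),
        "cisco.source_interface": g["src_iface"],
        "source.address": g["src_addr"],
        "source.port": int(g["src_port"]),
        "cisco.destination_interface": g["dst_iface"],
        "destination.address": g["dst_addr"],
        "destination.port": int(g["dst_port"]),
        "cisco.list_id": g["list_id"],
    }
    # The username is optional in the log; only emit the field when present.
    if g["src_user"]:
        event["source.user.name"] = g["src_user"]
    if g["dst_user"]:
        event["destination.user.name"] = g["dst_user"]
    return event


def parse_all(lines) -> tuple:
    """Return (parsed_events, unparsed_lines) for a batch of log lines."""
    parsed, failed = [], []
    for line in lines:
        ev = parse_asa_106023(line)
        (parsed if ev is not None else failed).append(ev if ev is not None else line)
    return parsed, failed


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        raw_port = dissect_style_source_port(line)
        print("dissect would capture source.port =", repr(raw_port),
              "(valid int)" if raw_port.isdigit() else "(NOT an int -> convert fails)")
        print(parse_asa_106023(line))
```

Running the block prints the raw capture the original pattern would have put into `source.port` for each line, followed by the fully parsed event; only the second line produces a non-numeric capture, which is the point at which a downstream integer conversion breaks.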
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 29, 2020
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 1, 2020
@makeitthingsbetter
Author

Update:
The issue is also present in 7.8.0.

@adriansr
Contributor

This was fixed by #17964

The fix will appear in 7.8.1.
