Version: 7.8.0
Steps to Reproduce:
The ASA 106100 log event can produce log lines similar to both of the following:
%ASA-6-106100: access-list blabla_incoming_list permitted udp dmz2/1.2.3.4(56575) -> inside/2.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
%ASA-6-106100: access-list blabla_incoming_list permitted udp dmz2/1.2.3.4(56575)(LOCAL\\username) -> inside/2.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
Currently the second log event (the one with the username) cannot be indexed because the dissect pattern crashes.
Dissect Pattern in beats/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml:
- dissect:
    if: "ctx._temp_.cisco.message_id == '106100'"
    field: "message"
    pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}"
Cisco Syslog Reference for Event 106100:
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4769049
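For comparison, here is an added Python example (not part of this issue or the Beats pipeline) that extracts the same fields the dissect pattern targets while treating the optional `(DOMAIN\user)` token after the port as optional. It also accepts the token on the destination side, which Cisco's documented 106100 format allows; the two sample lines are constructed from the ones above, and the hypothetical `parse_106100` function returns `None` for lines that are not 106100 events.

```python
import re

# Constructed sample lines, shaped like the two quoted in the issue.
LINE_PLAIN = ("%ASA-6-106100: access-list blabla_incoming_list permitted udp "
              "dmz2/1.2.3.4(56575) -> inside/2.3.4.5(53) hit-cnt 1 first hit "
              "[0x93d0e533, 0x578ef52f]")
LINE_USER = ("%ASA-6-106100: access-list blabla_incoming_list permitted udp "
             "dmz2/1.2.3.4(56575)(LOCAL\\username) -> inside/2.3.4.5(53) "
             "hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]")

# Regex counterpart of the pipeline's dissect pattern, plus an optional
# "(identity-firewall user)" group after each port, which dissect cannot express.
ASA_106100 = re.compile(
    r"^%ASA-\d-106100: access-list (?P<list_id>\S+) (?P<outcome>\S+) "
    r"(?P<transport>\S+) (?P<src_if>[^/]+)/(?P<src_addr>[^(]+)\((?P<src_port>\d+)\)"
    r"(?:\((?P<src_user>[^)]+)\))? -> "
    r"(?P<dst_if>[^/]+)/(?P<dst_addr>[^(]+)\((?P<dst_port>\d+)\)"
    r"(?:\((?P<dst_user>[^)]+)\))? (?P<rest>.*)$"
)


def parse_106100(line):
    """Return ECS-style fields for a 106100 line, or None if it does not match."""
    m = ASA_106100.match(line)
    if m is None:
        return None
    fields = {
        "cisco.list_id": m["list_id"],
        "event.outcome": m["outcome"],
        "network.transport": m["transport"],
        "cisco.source_interface": m["src_if"],
        "source.address": m["src_addr"],
        "source.port": int(m["src_port"]),  # int() would fail on "56575)(LOCAL\\user"
        "cisco.destination_interface": m["dst_if"],
        "destination.address": m["dst_addr"],
        "destination.port": int(m["dst_port"]),
    }
    # Username tokens are only present on identity-firewall enabled devices.
    if m["src_user"]:
        fields["source.user.name"] = m["src_user"]
    if m["dst_user"]:
        fields["destination.user.name"] = m["dst_user"]
    return fields


if __name__ == "__main__":
    for line in (LINE_PLAIN, LINE_USER):
        print(parse_106100(line))
```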