For confirmed bugs, please report:
- Version: 7.10
- Operating System: -
- Discuss Forum URL: -
- Steps to Reproduce:
There are a few issues with Cisco ASA (and possibly FTD) parsing:
-
Pipeline expects session duration formatted as nn:nn:nn (hh:mm:ss). However, some messages (at least 113019) are observed to include time units: 3h:55m:49s. This leads to a bad event.duration (and event.start) calculation.
-
Some messages include group information which is currently discarded (113019, 722051, 713049, 716002, 722037). Possibly others. This should be mapped into one of the allowed ECS group objects.
-
Messages (113019, ...) include a reason which is extracted as field message, which is wrong and later dropped by the pipeline. The correct field to use in this case is event.reason.
-
This same message also includes a "session type" field. It needs investigation to see if this field can be mapped to ECS or alternatively to a custom field under cisco.asa.
For confirmed bugs, please report:
There are a few issues with Cisco ASA (and possibly FTD) parsing:
Pipeline expects session duration formatted as
nn:nn:nn(hh:mm:ss). However, some messages (at least 113019) are observed to include time units:3h:55m:49s. This leads to a bad event.duration (and event.start) calculation.Some messages include group information which is currently discarded (113019, 722051, 713049, 716002, 722037). Possibly others. This should be mapped into one of the allowed ECS group objects.
Messages (113019, ...) include a reason which is extracted as field
message, which is wrong and later dropped by the pipeline. The correct field to use in this case isevent.reason.This same message also includes a "session type" field. It needs investigation to see if this field can be mapped to ECS or alternatively to a custom field under
cisco.asa.