[Filebeat] Add Cisco ASA message '302023' parsing

[chifu1234]

cisco/add adding message id 302023

What does this PR do?

This PR will add parsing for cisco asa message id 302023.

Why is it important?

This will add a common message for cisco asa clusters

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

 

%ASA-6-302022: Built backup stub TCP connection for INTERNET:1.1.1.1/57475 (1.1.1.1/57475) to INTERN:1.2.3.4/443 (1.2.3.4/443)
  |  

[cla-checker-service]

💚 CLA has been signed

[elasticmachine]

❕ Build Aborted

The PR is not allowed to run in the CI yet

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #23092 updated

• Reason: The PR is not allowed to run in the CI yet

• Start Time: 2020-12-11T16:12:02.465+0000

• Duration: 3 min 16 sec

• Commit: 94b56942f91a9b1a550f0e8a2c218b071f9dd142

Steps errors

Expand to view the steps failures

Error signal

• Took 0 min 0 sec . View more details on here
• Description: githubPrCheckApproved: The PR is not allowed to run in the CI yet. (Only users with write permission

Log output

Expand to view the last 100 lines of log output

[2020-12-11T16:13:34.091Z] using GIT_SSH to set credentials GitHub user @elasticmachine SSH key
[2020-12-11T16:13:34.096Z]  > git fetch --no-tags --progress --prune -- git@github.com:elastic/beats.git +refs/pull/23092/head:refs/remotes/origin/PR-23092 +refs/heads/master:refs/remotes/origin/master # timeout=15
[2020-12-11T16:13:35.254Z] Merging remotes/origin/master commit 6f1ae45ef4f4a792156c574ee6f59429ce820cae into PR head commit 94b56942f91a9b1a550f0e8a2c218b071f9dd142
[2020-12-11T16:13:36.744Z] Merge succeeded, producing 94b56942f91a9b1a550f0e8a2c218b071f9dd142
[2020-12-11T16:13:36.744Z] Checking out Revision 94b56942f91a9b1a550f0e8a2c218b071f9dd142 (PR-23092)
[2020-12-11T16:13:35.219Z]  > git config core.sparsecheckout # timeout=10
[2020-12-11T16:13:35.224Z]  > git checkout -f 94b56942f91a9b1a550f0e8a2c218b071f9dd142 # timeout=15
[2020-12-11T16:13:36.668Z]  > git remote # timeout=10
[2020-12-11T16:13:36.672Z]  > git config --get remote.origin.url # timeout=10
[2020-12-11T16:13:36.680Z] using GIT_SSH to set credentials GitHub user @elasticmachine SSH key
[2020-12-11T16:13:36.684Z]  > git merge 6f1ae45ef4f4a792156c574ee6f59429ce820cae # timeout=10
[2020-12-11T16:13:36.695Z]  > git rev-parse HEAD^{commit} # timeout=10
[2020-12-11T16:13:36.702Z]  > git config core.sparsecheckout # timeout=10
[2020-12-11T16:13:36.706Z]  > git checkout -f 94b56942f91a9b1a550f0e8a2c218b071f9dd142 # timeout=15
[2020-12-11T16:13:41.255Z] Commit message: "Update asa-ftd-pipeline.yml"
[2020-12-11T16:13:41.255Z] First time build. Skipping changelog.
[2020-12-11T16:13:41.255Z] Cleaning workspace
[2020-12-11T16:13:41.213Z]  > git rev-parse --verify HEAD # timeout=10
[2020-12-11T16:13:41.219Z] Resetting working tree
[2020-12-11T16:13:41.220Z]  > git reset --hard # timeout=10
[2020-12-11T16:13:41.295Z]  > git clean -fdx # timeout=10
[2020-12-11T16:13:42.358Z] Timeout set to expire in 3 hr 0 min
[2020-12-11T16:13:42.368Z] The timestamps step is unnecessary when timestamps are enabled for all Pipeline builds.
[2020-12-11T16:13:42.544Z] [INFO] Number of builds to be searched 10
[2020-12-11T16:13:43.129Z] [INFO] 'shallow' is forced to be disabled when running on PullRequests
[2020-12-11T16:13:43.138Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-23092/src/github.com/elastic/beats
[2020-12-11T16:13:43.149Z] [INFO] gitCheckout: Checkout SCM PR-23092 with default customisation from the Item.
[2020-12-11T16:13:43.164Z] [INFO] Override default checkout
[2020-12-11T16:13:43.188Z] Sleeping for 10 sec
[2020-12-11T16:13:53.258Z] using credential f6c7695a-671e-4f4f-a331-acdce44ff9ba
[2020-12-11T16:13:53.323Z] Wiping out workspace first.
[2020-12-11T16:13:53.331Z] Cloning the remote Git repository
[2020-12-11T16:13:53.331Z] Using shallow clone with depth 10
[2020-12-11T16:13:53.331Z] Avoid fetching tags
[2020-12-11T16:13:53.300Z] Cloning repository git@github.com:elastic/beats.git
[2020-12-11T16:13:53.322Z]  > git init /var/lib/jenkins/workspace/Beats_beats_PR-23092/src/github.com/elastic/beats # timeout=10
[2020-12-11T16:13:53.328Z] Fetching upstream changes from git@github.com:elastic/beats.git
[2020-12-11T16:13:53.328Z]  > git --version # timeout=10
[2020-12-11T16:13:53.331Z]  > git --version # 'git version 2.17.1'
[2020-12-11T16:13:53.331Z] using GIT_SSH to set credentials GitHub user @elasticmachine SSH key
[2020-12-11T16:13:53.335Z]  > git fetch --no-tags --progress -- git@github.com:elastic/beats.git +refs/heads/*:refs/remotes/origin/* # timeout=15
[2020-12-11T16:14:10.862Z] Cleaning workspace
[2020-12-11T16:14:10.876Z] Using shallow fetch with depth 10
[2020-12-11T16:14:10.876Z] Pruning obsolete local branches
[2020-12-11T16:14:10.803Z]  > git config remote.origin.url git@github.com:elastic/beats.git # timeout=10
[2020-12-11T16:14:10.806Z]  > git config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # timeout=10
[2020-12-11T16:14:10.814Z]  > git config remote.origin.url git@github.com:elastic/beats.git # timeout=10
[2020-12-11T16:14:10.821Z]  > git rev-parse --verify HEAD # timeout=10
[2020-12-11T16:14:10.824Z] No valid HEAD. Skipping the resetting
[2020-12-11T16:14:10.824Z]  > git clean -fdx # timeout=10
[2020-12-11T16:14:10.835Z] Fetching upstream changes from git@github.com:elastic/beats.git
[2020-12-11T16:14:10.836Z] using GIT_SSH to set credentials GitHub user @elasticmachine SSH key
[2020-12-11T16:14:10.839Z]  > git fetch --no-tags --progress --prune -- git@github.com:elastic/beats.git +refs/pull/23092/head:refs/remotes/origin/PR-23092 +refs/heads/master:refs/remotes/origin/master # timeout=15
[2020-12-11T16:14:11.952Z] Merging remotes/origin/master commit 6f1ae45ef4f4a792156c574ee6f59429ce820cae into PR head commit 94b56942f91a9b1a550f0e8a2c218b071f9dd142
[2020-12-11T16:14:11.911Z]  > git config core.sparsecheckout # timeout=10
[2020-12-11T16:14:11.914Z]  > git checkout -f 94b56942f91a9b1a550f0e8a2c218b071f9dd142 # timeout=15
[2020-12-11T16:14:13.371Z] Merge succeeded, producing 94b56942f91a9b1a550f0e8a2c218b071f9dd142
[2020-12-11T16:14:13.371Z] Checking out Revision 94b56942f91a9b1a550f0e8a2c218b071f9dd142 (PR-23092)
[2020-12-11T16:14:13.887Z] Commit message: "Update asa-ftd-pipeline.yml"
[2020-12-11T16:14:13.887Z] Cleaning workspace
[2020-12-11T16:14:13.301Z]  > git remote # timeout=10
[2020-12-11T16:14:13.304Z]  > git config --get remote.origin.url # timeout=10
[2020-12-11T16:14:13.308Z] using GIT_SSH to set credentials GitHub user @elasticmachine SSH key
[2020-12-11T16:14:13.312Z]  > git merge 6f1ae45ef4f4a792156c574ee6f59429ce820cae # timeout=10
[2020-12-11T16:14:13.322Z]  > git rev-parse HEAD^{commit} # timeout=10
[2020-12-11T16:14:13.330Z]  > git config core.sparsecheckout # timeout=10
[2020-12-11T16:14:13.333Z]  > git checkout -f 94b56942f91a9b1a550f0e8a2c218b071f9dd142 # timeout=15
[2020-12-11T16:14:13.846Z]  > git rev-parse --verify HEAD # timeout=10
[2020-12-11T16:14:13.851Z] Resetting working tree
[2020-12-11T16:14:13.852Z]  > git reset --hard # timeout=10
[2020-12-11T16:14:14.351Z]  > git clean -fdx # timeout=10
[2020-12-11T16:14:15.623Z] Masking supported pattern matches of $GIT_USERNAME or $GIT_PASSWORD
[2020-12-11T16:14:16.204Z] + git fetch https://****:****@github.com/elastic/beats.git +refs/pull/*/head:refs/remotes/origin/pr/*
[2020-12-11T16:15:12.503Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-23092/src/github.com/elastic/beats/.git
[2020-12-11T16:15:12.518Z] Archiving artifacts
[2020-12-11T16:15:13.166Z] + git rev-parse HEAD
[2020-12-11T16:15:13.503Z] + git rev-parse HEAD
[2020-12-11T16:15:13.796Z] + git rev-parse origin/pr/23092
[2020-12-11T16:15:13.828Z] [INFO] githubEnv: Found Git Build Cause: pr
[2020-12-11T16:15:14.140Z] Masking supported pattern matches of $GITHUB_TOKEN
[2020-12-11T16:15:15.066Z] [WARN] githubApiCall: The REST API call https://api.github.com/repos/elastic/beats/pulls/23092/reviews return 0 elements
[2020-12-11T16:15:15.087Z] [INFO] githubPrCheckApproved: Title: Update asa-ftd-pipeline.yml - User: chifu1234 - Author Association: FIRST_TIME_CONTRIBUTOR
[2020-12-11T16:15:15.326Z] ERROR: githubPrCheckApproved: The PR is not allowed to run in the CI yet
[2020-12-11T16:15:15.326Z] ERROR: githubPrCheckApproved: The PR is not allowed to run in the CI yet. (Only users with write permissions can do so.)
[2020-12-11T16:15:15.348Z] [INFO] Let's stop build #2. The PR is not allowed to run in the CI yet
[2020-12-11T16:15:15.358Z] Sleeping for 5 sec
[2020-12-11T16:15:16.664Z] Stage "Lint" skipped due to earlier failure(s)
[2020-12-11T16:15:16.691Z] Stage "Build&Test" skipped due to earlier failure(s)
[2020-12-11T16:15:16.718Z] Stage "Packaging" skipped due to earlier failure(s)
[2020-12-11T16:15:16.888Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-23092/src/github.com/elastic/beats
[2020-12-11T16:15:17.345Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-23092
[2020-12-11T16:15:17.541Z] [INFO] getVaultSecret: Getting secrets
[2020-12-11T16:15:17.606Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-12-11T16:15:18.291Z] + chmod 755 generate-build-data.sh
[2020-12-11T16:15:18.291Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-23092/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-23092/runs/2 ABORTED 195567
[2020-12-11T16:15:18.291Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-23092/runs/2/steps/?limit=10000 -o steps-info.json
[2020-12-11T16:15:18.842Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-23092/runs/2/tests/?status=FAILED -o tests-errors.json
[2020-12-11T16:15:18.842Z] Retry 1/3 exited 22, retrying in 1 seconds...
[2020-12-11T16:15:20.185Z] Retry 2/3 exited 22, retrying in 2 seconds...
[2020-12-11T16:15:22.047Z] Retry 3/3 exited 22, no more retries left.

[chifu1234]

/check

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: andrewkroh commented: jenkins, run tests

• • Start Time: 2021-01-25T14:19:46.811+0000

• Duration: 48 min 20 sec

• Commit: 758d183

Test stats 🧪

Test	Results
Failed	0
Passed	2460
Skipped	263
Total	2723

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	2460
Skipped	263
Total	2723

[andrewkroh]

There's an extra colon in %{:network.bytes}.

[andrewkroh]

This does not match any of the samples we have

module/cisco//asa/test/additional_messages.log:May  5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner
module/cisco//asa/test/additional_messages.log:May  5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow

There's reason string at the end. https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs3.html#con_8182943

Suggested change

	pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{:network.bytes}"
	pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}"

[andrewkroh]

I pushed an update to the dissect pattern. And I updated the golden test files since they are affected by this change.

run tests

[andrewkroh]

@chifu1234 Can you please sign the CLA. https://www.elastic.co/contributor-agreement

[chifu1234]

@andrewkroh thxs will sign today

[andrewkroh]

@chifu1234 Hi, checking in to see if you could please sign the CLA. Then I'll get this merged. Thanks.

[chifu1234]

@andrewkroh sorry i did sign the CLA now.

[andrewkroh]

jenkins, run tests