Cherry-pick #21196 to 7.x: Fix: Dissect Cisco ASA 302013 message usernames #23664
Merged
andrewkroh merged 1 commit into elastic:7.x (Feb 1, 2021)
Conversation
- Add test log containing the AAA user field
- Set destination.user.name
- Copy destination.user.name to user.name.
- Set related.user to user.name + destination.user.name.
This allows logs like this to parse
%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
(cherry picked from commit d6a5f17)
Contributor
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Member, Author
run tests
Contributor
💚 Build Succeeded
marc-gr approved these changes (Feb 1, 2021)
P1llus approved these changes (Feb 1, 2021)
| Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] | ||
| Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] | ||
| Dec 11 2018 08:01:24 <IP>: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80) | ||
| Dec 11 2018 08:01:24 <IP>: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80) |
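Review bot: the removed entry is a duplicate of the 302015 line directly above it except for the malformed `80port>` port token, so dropping it is right; since this hunk shows no added sample, confirm that the 302013 message with the `(LOCAL\username)` and `(username)` fields described in the PR is present in the test log and in its expected-output file, so the new dissect pattern is actually exercised by the test.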
Member
Was this one meant to be removed?
Member
Author
Yes, it's the same as the line above, but with a "corrupt" port value which I think was an accidental addition.
Cherry-pick of PR #21196 to 7.x branch. Original message:
Fixes ingest pipeline filebeat-7.9.1-cisco-asa-asa-ftd-pipeline to dissect messages of the following format (optional usernames):
Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)\n
Currently one can only dissect this format:
Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926) to vlan-42:1.2.3.4/80 (1.2.3.4/80)\n
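A worked parser for the two message shapes above, added here as an illustration and not code from the PR or from the Beats ingest pipeline: it accepts the 302013 message with or without the optional user fields and produces the ECS fields the fix sets (destination.user.name, user.name, related.user). The sample messages are constructed, and keeping the source-side user as source.user.name is my assumption, not something the PR does.

```python
import re
from typing import Optional

# Constructed sample messages (not taken from the PR's test log). The first carries
# the optional "(user)" fields after each NAT address; the second is the older form.
SAMPLES = [
    "%ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 "
    "(1.2.3.4/49926)(LOCAL\\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)",
    "%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 "
    "(192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)",
]

# Each "(user)" group is optional and may or may not be preceded by a space.
_PATTERN = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<transport>\w+) connection (?P<conn_id>\d+) "
    r"for (?P<src_zone>[^:]+):(?P<src_host>[^/ ]+)/(?P<src_port>\d+) "
    r"\((?P<src_nat_ip>[^/]+)/(?P<src_nat_port>\d+)\)(?: ?\((?P<src_user>[^)]+)\))? "
    r"to (?P<dst_zone>[^:]+):(?P<dst_host>[^/ ]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_nat_ip>[^/]+)/(?P<dst_nat_port>\d+)\)(?: ?\((?P<dst_user>[^)]+)\))?$"
)


def dissect_asa_302013(message: str) -> Optional[dict]:
    # Returns ECS-style dotted fields, or None when the message is not a 302013 line.
    m = _PATTERN.search(message.rstrip())
    if m is None:
        return None
    g = m.groupdict()
    event = {
        "network.direction": g["direction"],
        "network.transport": g["transport"].lower(),
        "source.interface.name": g["src_zone"],
        "source.address": g["src_host"],
        "source.port": int(g["src_port"]),
        "destination.interface.name": g["dst_zone"],
        "destination.address": g["dst_host"],
        "destination.port": int(g["dst_port"]),
    }
    if g["dst_user"]:
        # As in the PR: set destination.user.name and copy it to user.name.
        event["destination.user.name"] = g["dst_user"]
        event["user.name"] = g["dst_user"]
    if g["src_user"]:
        # Assumption beyond the PR: keep the source-side AAA user as source.user.name.
        event["source.user.name"] = g["src_user"]
    # related.user collects every user name seen, in order, without duplicates.
    related = [event.get(k) for k in ("user.name", "destination.user.name", "source.user.name")]
    related = list(dict.fromkeys(u for u in related if u))
    if related:
        event["related.user"] = related
    return event
```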