Skip to content

Commit

Permalink
[Filebeat] Fix dissect pattern for Cisco WebVPN message 716002 (#22966)…
Browse files Browse the repository at this point in the history 
… (#23131)

The message can contain one of several session termination reasons so don't hardcode "User requested" into the pattern.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs8.html#con_4776918
(cherry picked from commit 6955f81)
  • Loading branch information
@andrewkroh
andrewkroh committed Dec 15, 2020
1 parent 7f326f7 commit 5d1464c
Show file tree
Hide file tree
Showing 4 changed files with 46 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -240,6 +240,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix network.direction logic in zeek connection fileset. {pull}22967[22967]
- Fix aws s3 overview dashboard. {pull}23045[23045]
- Fix bad `network.direction` values in Fortinet/firewall fileset. {pull}23072[23072]
- Fix Cisco ASA/FTD module's parsing of WebVPN log message 716002. {pull}22966[22966]

*Heartbeat*

Expand Down
1 change: 1 addition & 0 deletions x-pack/filebeat/module/cisco/asa/test/additional_messages.log
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,4 +66,5 @@ Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178,
Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
Apr 27 02:03:03 dev01: %ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session
Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.
Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
44 changes: 43 additions & 1 deletion x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3056,6 +3056,7 @@
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.",
"event.reason": "User Requested.",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
Expand Down Expand Up @@ -3092,6 +3093,47 @@
"forwarded"
]
},
{
"cisco.asa.message_id": "716002",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 716002,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.",
"event.reason": "Idle timeout.",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 9810,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"related.ip": [
"192.168.50.1"
],
"service.type": "cisco",
"source.address": "192.168.50.1",
"source.ip": "192.168.50.1",
"source.user.name": "alice",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.destination_interface": "outside",
"cisco.asa.message_id": "710003",
Expand Down Expand Up @@ -3126,7 +3168,7 @@
"host.hostname": "dev01",
"input.type": "log",
"log.level": "error",
"log.offset": 9810,
"log.offset": 9937,
"network.iana_number": 6,
"network.transport": "tcp",
"observer.hostname": "dev01",
Expand Down
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -546,7 +546,7 @@ processors:
- dissect:
if: "ctx._temp_.cisco.message_id == '716002'"
field: "message"
pattern: "Group %{} User %{source.user.name} IP %{source.address} WebVPN session terminated: User Requested."
pattern: "Group %{} User %{source.user.name} IP %{source.address} WebVPN session terminated: %{event.reason}"
- dissect:
if: "ctx._temp_.cisco.message_id == '722051'"
field: "message"
Expand Down

0 comments on commit 5d1464c

Please sign in to comment.