fixes

elastic · Mar 18, 2020 · 5e01828 · 5e01828
1 parent b65f0a4
commit 5e01828
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 2 deletions.
diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json
@@ -0,0 +1,35 @@
+[
+    {
+        "cisco.asa.connection_type": "AnyConnect",
+        "cisco.asa.dap_records": [
+            "dap_1",
+            "dap_2"
+        ],
+        "cisco.asa.message_id": "734001",
+        "event.action": "firewall-rule",
+        "event.code": 734001,
+        "event.dataset": "cisco.asa",
+        "event.module": "cisco",
+        "event.original": "%ASA-6-734001: DAP: User firsname.lastname@domain.net, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_1, dap_2",
+        "event.severity": 6,
+        "event.timezone": "-02:00",
+        "fileset.name": "asa",
+        "input.type": "log",
+        "log.level": "informational",
+        "log.offset": 0,
+        "service.type": "cisco",
+        "source.address": "1.2.3.4",
+        "source.geo.city_name": "Moscow",
+        "source.geo.continent_name": "Europe",
+        "source.geo.country_iso_code": "RU",
+        "source.geo.location.lat": 55.7527,
+        "source.geo.location.lon": 37.6172,
+        "source.geo.region_iso_code": "RU-MOW",
+        "source.geo.region_name": "Moscow",
+        "source.ip": "1.2.3.4",
+        "tags": [
+            "cisco-asa"
+        ],
+        "user.email": "firsname.lastname@domain.net"
+    }
+]
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -423,10 +423,11 @@ processors:
   - dissect:
       if: "ctx._temp_.cisco.message_id == '734001'"
       field: "message"
-      pattern: "DAP: User %{user.email}, Addr %{source.ip}, Connection %{cisco.connection_type}: The following DAP records were selected for this connection: %{cisco.dap_records->}"
+      pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}"
   - split:
-      field: "cisco.dap_records"
+      field: "_temp_.cisco.dap_records"
       separator: ",\\s+"
+      ignore_missing: true
 
   #
   # Handle 302xxx messages (Flow expiration a.k.a "Teardown")