[Filebeat][Cisco ASA] log enhancement and performance #24744

Merged
merged 23 commits into from
Apr 19, 2021
769af9d
ecs fix - more message pattern
pcosic Aug 27, 2020
8e0491e
Update asa-ftd-pipeline.yml
pcosic Aug 31, 2020
b13af6e
Update asa-ftd-pipeline.yml
pcosic Sep 2, 2020
eafaae2
Update asa-ftd-pipeline.yml
pcosic Sep 2, 2020
40814cc
testing for PR and some minor fixes
pcosic Sep 8, 2020
b992fcd
commit for requested changes
pcosic Sep 18, 2020
5386064
newline
pcosic Sep 18, 2020
1775792
test
pcosic Oct 20, 2020
14aebc0
Merge branch 'master' into ingestCiscoMessagePattern
pcosic Oct 20, 2020
029083f
make test commit
pcosic Oct 20, 2020
e398834
Fix parsing on 106014 with an additional ${SPACE} in grok pattern, so…
pcosic Oct 21, 2020
1e9da38
fixed 106014 finally
pcosic Oct 30, 2020
e664cd6
Merge remote-tracking branch 'upstream/master' into ingestCiscoMessag…
pcosic Oct 30, 2020
babe7b5
after test commit
pcosic Oct 30, 2020
faf2659
Merge remote-tracking branch 'upstream/master' into ingestCiscoMessag…
pcosic Dec 17, 2020
763132e
Test after merge
pcosic Dec 17, 2020
195e645
Merge branch 'ingestCiscoMessagePattern' of https://github.com/evoila…
andrewkroh Mar 24, 2021
24aef0f
Update generated
andrewkroh Mar 24, 2021
0abf355
Add changelog
andrewkroh Mar 24, 2021
9b154e4
Undo meraki generated file changes
andrewkroh Mar 25, 2021
1bf67a2
Merge remote-tracking branch 'elastic/master' into evoila-ingestCisco…
andrewkroh Apr 19, 2021
a5d8c88
Merge remote-tracking branch 'elastic/master' into evoila-ingestCisco…
andrewkroh Apr 19, 2021
0b32165
Update generated
andrewkroh Apr 19, 2021
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
@@ -392,6 +392,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix date parsing in GSuite/login and Google Workspace/login filesets. {issue}24694[24694]
- Fix date parsing in GSuite/login fileset. {issue}24694[24694]
- Improve Cisco ASA/FTD parsing of messages - better support for identity FW messages. Change network.bytes, source.bytes, and destination.bytes to long from integer since value can exceed integer capacity. Add descriptions for various processors for easier pipeline editing in Kibana UI. {pull}23766[23766]
- Fix usage of unallowed ECS event.outcome values in Cisco ASA/FTD pipeline. {pull}24744[24744].
- Updating Oauth2 flow for m365_defender fileset. {pull}24829[24829]
- Improve PanOS parsing and ingest pipeline. {issue}22413[22413] {issue}22748[22748] {pull}24799[24799]
- Fix S3 input validation for non amazonaws.com domains. {issue}24420[24420] {pull}24861[24861]
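Review bot: the new entry "Fix usage of unallowed ECS event.outcome values in Cisco ASA/FTD pipeline. {pull}24744[24744]." ends with a stray period after the pull reference, unlike every neighbouring entry; drop it so the generated changelog stays consistent, and consider "disallowed" or "invalid" instead of "unallowed". Since ECS restricts event.outcome to success, failure and unknown, naming the values that were replaced would help anyone whose detection rules or dashboards key on the old values to adjust them after upgrading.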
@@ -830,6 +831,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Support X-Forwarder-For in IIS logs. {pull}19142[192142]
- Add support for logs generated by servers configured with `log_statement` and `log_duration` in PostgreSQL module. {pull}24607[24607]
- Updating field mappings for Cisco AMP module, fixing certain fields. {pull}24661[24661]
- Added fifteen new message IDs to Cisco ASA/FTD pipeline. {pull}24744[24744]
- Added NTP fileset to Zeek module {pull}24224[24224]
- Add `proxy_url` config for httpjson v2 input. {issue}24615[24615] {pull}24662[24662]
- Add support for upper case field names in Sophos XG module {pull}24693[24693]
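Review bot: "Added fifteen new message IDs to Cisco ASA/FTD pipeline." uses past tense where the surrounding entries use the imperative ("Add ..."); align it with the section's convention. Listing the message IDs, or at least the families (the IKE/IPsec 602xxx, 713xxx and 750xxx messages and the SFR/Firepower 434xxx messages exercised by the new test samples), would let users search the changelog for a specific ID and confirm their device's messages are now parsed.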
15 changes: 15 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/additional_messages.log
@@ -68,3 +68,18 @@ Apr 27 02:03:03 dev01: %ASA-4-722051: Group <VPN5Policy> User <john> IP <192.168
Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User alice IP 192.168.50.1 WebVPN session terminated: Idle timeout.
Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from sourceInterfaceName:91.240.17.178/8888 to destinationInterfaceName:192.168.2.2/123123 locally
Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:91.240.17.138/8888 to destinationInterfaceName:192.168.2.2/514514
Apr 27 2020 02:03:03 dev01: %ASA-6-110002: Failed to locate egress interface for TCP from sourceInterfaceName:91.240.17.178/7777 to 192.168.2.2/123412
Apr 27 2020 02:03:03 dev01: %ASA-4-419002: Duplicate TCP SYN from sourceInterfaceName:91.240.17.178/7777 to destinationInterfaceName:192.168.2.2/514514 with different initial sequence number
Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.
Apr 27 2020 02:03:03 dev01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.
Apr 27 2020 02:03:03 dev01: %ASA-5-750002: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Received a IKE_INIT_SA request
Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:91.240.17.178:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database
Apr 27 2020 02:03:03 dev01: %ASA-5-713120: Group = 100.60.140.10, IP = 192.128.1.1, PHASE 2 COMPLETED (msgid=bbe383e88)
Apr 27 2020 02:03:03 dev01: %ASA-5-713202: IP = 192.64.157.61, Duplicate first packet detected. Ignoring packet.
Apr 27 2020 02:03:03 dev01: %ASA-6-713905: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable!
Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable!
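Review bot: several of the new samples carry port numbers that cannot occur in real traffic: 192.168.2.2/123123 in the 434004 line, 192.168.2.2/514514 in the 434002 and 419002 lines, and 192.168.2.2/123412 in the 110002 line. Ports above 65535 pass a grok NUMBER or INT pattern but would be rejected by any range validation on source.port/destination.port, so the samples should use valid ports (as the existing lines above do with /6370 and /23) to reflect what the pipeline will see in production. The new lines also use the four-digit-year timestamp form ("Apr 27 2020 02:03:03") while the existing lines in this file omit the year; if that is intentional to exercise both date formats accepted by the pipeline, a comment in the PR description would make it clear, and the regenerated expected-output file for these samples should be included so reviewers can check the parsed ports and timestamps.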