Fix: Dissect Cisco ASA 302013 message usernames (#21196) (#23664)

- Add test log containing the AAA user field
- Set destination.user.name
- Copy destination.user.name to user.name.
- Set related.user to user.name + destination.user.name.

This allows logs like this to parse

    %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)

Co-authored-by: Andrew Kroh <[email protected]>
(cherry picked from commit d6a5f17)

Co-authored-by: Michael Koch <[email protected]>

CHANGELOG.next.asciidoc

@@ -565,6 +565,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add parsing of tcp flags to AWS vpcflow fileset {issue}228020[22820] {pull}23157[23157]
 - Added support for first_event context in filebeat httpjson input {pull}23437[23437]
 - Added `alternative_host` option to google pubsub input {pull}23215[23215]
+- Added username parsing from Cisco ASA message 302013. {pull}21196[21196]
 - Added `encode_as` and `decode_as` options to httpjson along with pluggable encoders/decoders {pull}23478[23478]
 
 *Heartbeat*

x-pack/filebeat/module/cisco/asa/test/sample.log

@@ -38,7 +38,6 @@ Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/1
 Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Dec 11 2018 08:01:24 <IP>: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
-Dec 11 2018 08:01:24 <IP>: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
 Dec 11 2018 08:01:24 <IP>: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
 Dec 11 2018 08:01:24 <IP>: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
 Dec 11 2018 08:01:31 <IP>: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
@@ -70,3 +69,4 @@ Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traf
 Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
 Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
 Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
+Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)

x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json

@@ -2049,7 +2049,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 6318,
+        "log.offset": 6138,
         "network.iana_number": 17,
         "network.transport": "udp",
         "observer.egress.interface.name": "dmz",
@@ -2100,7 +2100,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 6468,
+        "log.offset": 6288,
         "network.iana_number": 17,
         "network.transport": "udp",
         "observer.egress.interface.name": "dmz",
@@ -2153,7 +2153,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 6618,
+        "log.offset": 6438,
         "network.direction": "outbound",
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2209,7 +2209,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 6788,
+        "log.offset": 6608,
         "network.direction": "outbound",
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2265,7 +2265,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 6958,
+        "log.offset": 6778,
         "network.bytes": 14804,
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2319,7 +2319,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 7123,
+        "log.offset": 6943,
         "network.bytes": 134781,
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2373,7 +2373,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 7289,
+        "log.offset": 7109,
         "network.bytes": 134781,
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2422,7 +2422,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 7455,
+        "log.offset": 7275,
         "network.transport": "(no",
         "observer.egress.interface.name": "outside",
         "observer.product": "asa",
@@ -2468,7 +2468,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 7597,
+        "log.offset": 7417,
         "network.transport": "(no",
         "observer.egress.interface.name": "outside",
         "observer.product": "asa",
@@ -2517,7 +2517,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 7739,
+        "log.offset": 7559,
         "network.iana_number": 17,
         "network.transport": "udp",
         "observer.egress.interface.name": "dmz",
@@ -2570,7 +2570,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 7890,
+        "log.offset": 7710,
         "network.direction": "outbound",
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2624,7 +2624,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 8064,
+        "log.offset": 7884,
         "network.direction": "outbound",
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2678,7 +2678,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 8238,
+        "log.offset": 8058,
         "network.bytes": 11420,
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2732,7 +2732,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 8403,
+        "log.offset": 8223,
         "network.bytes": 1416,
         "network.iana_number": 17,
         "network.transport": "udp",
@@ -2781,7 +2781,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 8545,
+        "log.offset": 8365,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -2829,7 +2829,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 8666,
+        "log.offset": 8486,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -2877,7 +2877,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 8787,
+        "log.offset": 8607,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -2925,7 +2925,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 8908,
+        "log.offset": 8728,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -2973,7 +2973,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 9029,
+        "log.offset": 8849,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -3021,7 +3021,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 9150,
+        "log.offset": 8970,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -3069,7 +3069,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 9271,
+        "log.offset": 9091,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -3117,7 +3117,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 9393,
+        "log.offset": 9213,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -3168,7 +3168,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 9515,
+        "log.offset": 9335,
         "network.iana_number": 6,
         "network.transport": "tcp",
         "observer.egress.interface.name": "outside",
@@ -3220,7 +3220,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "error",
-        "log.offset": 9669,
+        "log.offset": 9489,
         "network.iana_number": 1,
         "network.transport": "icmp",
         "observer.egress.interface.name": "Outside",
@@ -3269,7 +3269,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 9779,
+        "log.offset": 9599,
         "network.iana_number": 1,
         "network.transport": "icmp",
         "observer.egress.interface.name": "inside",
@@ -3322,7 +3322,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 9915,
+        "log.offset": 9735,
         "network.iana_number": 6,
         "network.transport": "tcp",
         "observer.egress.interface.name": "inside",
@@ -3383,7 +3383,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 10166,
+        "log.offset": 9986,
         "network.iana_number": 6,
         "network.transport": "tcp",
         "observer.egress.interface.name": "inside",
@@ -3440,7 +3440,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 10465,
+        "log.offset": 10285,
         "network.iana_number": 6,
         "network.transport": "tcp",
         "observer.egress.interface.name": "inside",
@@ -3487,7 +3487,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "notification",
-        "log.offset": 10762,
+        "log.offset": 10582,
         "observer.product": "asa",
         "observer.type": "firewall",
         "observer.vendor": "Cisco",
@@ -3529,7 +3529,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "notification",
-        "log.offset": 10839,
+        "log.offset": 10659,
         "observer.product": "asa",
         "observer.type": "firewall",
         "observer.vendor": "Cisco",
@@ -3572,7 +3572,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "notification",
-        "log.offset": 10931,
+        "log.offset": 10751,
         "observer.egress.interface.name": "inside",
         "observer.product": "asa",
         "observer.type": "firewall",
@@ -3589,5 +3589,73 @@
             "forwarded"
         ],
         "url.original": "http://www.example.net/images/favicon.ico"
+    },
+    {
+        "@timestamp": "2021-01-13T19:12:37.000-02:00",
+        "cisco.asa.connection_id": "27215708",
+        "cisco.asa.destination_interface": "vlan-42",
+        "cisco.asa.mapped_destination_ip": "1.2.3.4",
+        "cisco.asa.mapped_destination_port": 80,
+        "cisco.asa.mapped_source_ip": "1.2.3.4",
+        "cisco.asa.mapped_source_port": 49926,
+        "cisco.asa.message_id": "302013",
+        "cisco.asa.source_interface": "internet",
+        "cisco.asa.source_username": "LOCAL\\username",
+        "destination.address": "1.2.3.4",
+        "destination.geo.city_name": "Moscow",
+        "destination.geo.continent_name": "Europe",
+        "destination.geo.country_iso_code": "RU",
+        "destination.geo.country_name": "Russia",
+        "destination.geo.location.lat": 55.7527,
+        "destination.geo.location.lon": 37.6172,
+        "destination.geo.region_iso_code": "RU-MOW",
+        "destination.geo.region_name": "Moscow",
+        "destination.ip": "1.2.3.4",
+        "destination.port": 80,
+        "destination.user.name": "username",
+        "event.action": "firewall-rule",
+        "event.category": [
+            "network"
+        ],
+        "event.code": 302013,
+        "event.dataset": "cisco.asa",
+        "event.kind": "event",
+        "event.module": "cisco",
+        "event.original": "%ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)",
+        "event.severity": 6,
+        "event.timezone": "-02:00",
+        "event.type": [
+            "info"
+        ],
+        "fileset.name": "asa",
+        "input.type": "log",
+        "log.file.path": "sample.log",
+        "log.level": "informational",
+        "log.offset": 10899,
+        "network.direction": "inbound",
+        "network.iana_number": 6,
+        "network.transport": "tcp",
+        "observer.egress.interface.name": "internet",
+        "observer.ingress.interface.name": "vlan-42",
+        "observer.product": "asa",
+        "observer.type": "firewall",
+        "observer.vendor": "Cisco",
+        "related.ip": [
+            "10.2.3.4",
+            "1.2.3.4"
+        ],
+        "related.user": [
+            "username"
+        ],
+        "service.type": "cisco",
+        "source.address": "10.2.3.4",
+        "source.ip": "10.2.3.4",
+        "source.nat.ip": "1.2.3.4",
+        "source.port": 49926,
+        "tags": [
+            "cisco-asa",
+            "forwarded"
+        ],
+        "user.name": "username"
     }
 ]

x-pack/filebeat/module/cisco/ftd/test/sample.log

@@ -38,7 +38,6 @@ Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/1
 Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
-Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
 Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
 Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
 Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)