diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 33b7a43f0eb..858a4808d86 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -565,6 +565,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add parsing of tcp flags to AWS vpcflow fileset {issue}228020[22820] {pull}23157[23157]
 - Added support for first_event context in filebeat httpjson input {pull}23437[23437]
 - Added `alternative_host` option to google pubsub input {pull}23215[23215]
+- Added username parsing from Cisco ASA message 302013. {pull}21196[21196]
 - Added `encode_as` and `decode_as` options to httpjson along with pluggable encoders/decoders {pull}23478[23478]
 
 *Heartbeat*
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log b/x-pack/filebeat/module/cisco/asa/test/sample.log
index 699d191e377..73ea89341b0 100644
--- a/x-pack/filebeat/module/cisco/asa/test/sample.log
+++ b/x-pack/filebeat/module/cisco/asa/test/sample.log
@@ -38,7 +38,6 @@ Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/1
 Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Dec 11 2018 08:01:24 : %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
-Dec 11 2018 08:01:24 : %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
 Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
 Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
 Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
@@ -70,3 +69,4 @@ Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traf
 Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app
 Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com
 Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside
+Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)
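Review bot: The new 302013 sample line uses `1.2.3.4` as the mapped source and destination address, whereas the rest of sample.log stays in documentation ranges (`192.0.2.222`, `192.0.0.89`, `192.0.0.19`); because that address is publicly routable, the regenerated expected event carries `destination.geo.*` values (Moscow, RU, coordinates) that depend on the GeoIP database rather than on the parser this change exercises. Substituting an RFC 5737 address such as `192.0.2.4` in both mapped fields keeps the fixture self-contained. The parsing change lives in the shared asa-ftd-pipeline.yml, but ftd/test/sample.log only receives the deletion, so the FTD side of the shared pipeline has no 302013 sample with identity users; adding the equivalent `%FTD-6-302013` line there would cover it.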
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index c990e91c7c3..b2c1d4cb876 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -2049,7 +2049,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 6318, + "log.offset": 6138, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2100,7 +2100,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 6468, + "log.offset": 6288, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2153,7 +2153,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 6618, + "log.offset": 6438, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2209,7 +2209,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 6788, + "log.offset": 6608, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2265,7 +2265,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 6958, + "log.offset": 6778, "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", @@ -2319,7 +2319,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 7123, + "log.offset": 6943, "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", @@ -2373,7 +2373,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 7289, + "log.offset": 7109, "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", 
@@ -2422,7 +2422,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 7455, + "log.offset": 7275, "network.transport": "(no", "observer.egress.interface.name": "outside", "observer.product": "asa", @@ -2468,7 +2468,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 7597, + "log.offset": 7417, "network.transport": "(no", "observer.egress.interface.name": "outside", "observer.product": "asa", @@ -2517,7 +2517,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 7739, + "log.offset": 7559, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2570,7 +2570,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 7890, + "log.offset": 7710, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2624,7 +2624,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 8064, + "log.offset": 7884, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2678,7 +2678,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 8238, + "log.offset": 8058, "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", @@ -2732,7 +2732,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 8403, + "log.offset": 8223, "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", @@ -2781,7 +2781,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 8545, + "log.offset": 8365, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", 
@@ -2829,7 +2829,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 8666, + "log.offset": 8486, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -2877,7 +2877,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 8787, + "log.offset": 8607, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -2925,7 +2925,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 8908, + "log.offset": 8728, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -2973,7 +2973,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 9029, + "log.offset": 8849, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -3021,7 +3021,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 9150, + "log.offset": 8970, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -3069,7 +3069,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 9271, + "log.offset": 9091, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -3117,7 +3117,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 9393, + "log.offset": 9213, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", 
@@ -3168,7 +3168,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 9515, + "log.offset": 9335, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3220,7 +3220,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "error", - "log.offset": 9669, + "log.offset": 9489, "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "Outside", @@ -3269,7 +3269,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 9779, + "log.offset": 9599, "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "inside", @@ -3322,7 +3322,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 9915, + "log.offset": 9735, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3383,7 +3383,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 10166, + "log.offset": 9986, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3440,7 +3440,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 10465, + "log.offset": 10285, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3487,7 +3487,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "notification", - "log.offset": 10762, + "log.offset": 10582, "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -3529,7 +3529,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "notification", - "log.offset": 10839, + "log.offset": 10659, "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", 
@@ -3572,7 +3572,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "notification", - "log.offset": 10931, + "log.offset": 10751, "observer.egress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", 
@@ -3589,5 +3589,73 @@ "forwarded" ], "url.original": "http://www.example.net/images/favicon.ico" + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.connection_id": "27215708", + "cisco.asa.destination_interface": "vlan-42", + "cisco.asa.mapped_destination_ip": "1.2.3.4", + "cisco.asa.mapped_destination_port": 80, + "cisco.asa.mapped_source_ip": "1.2.3.4", + "cisco.asa.mapped_source_port": 49926, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "internet", + "cisco.asa.source_username": "LOCAL\\username", + "destination.address": "1.2.3.4", + "destination.geo.city_name": "Moscow", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", + "destination.geo.location.lat": 55.7527, + "destination.geo.location.lon": 37.6172, + "destination.geo.region_iso_code": "RU-MOW", + "destination.geo.region_name": "Moscow", + "destination.ip": "1.2.3.4", + "destination.port": 80, + "destination.user.name": "username", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 10899, + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "internet", + "observer.ingress.interface.name": "vlan-42", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.2.3.4", + "1.2.3.4" + ], + "related.user": [ + "username" + ], + 
"service.type": "cisco", + "source.address": "10.2.3.4", + "source.ip": "10.2.3.4", + "source.nat.ip": "1.2.3.4", + "source.port": 49926, + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "username" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log b/x-pack/filebeat/module/cisco/ftd/test/sample.log index df85fe9a096..09da866b488 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log @@ -38,7 +38,6 @@ Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/1 Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80) -Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80) Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 2da68247742..d416dcb068c 100644 
--- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -2013,7 +2013,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "warning", - "log.offset": 6328, + "log.offset": 6143, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2067,7 +2067,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "warning", - "log.offset": 6483, + "log.offset": 6298, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2123,7 +2123,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 6638, + "log.offset": 6453, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2180,7 +2180,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 6813, + "log.offset": 6628, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2237,7 +2237,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 6988, + "log.offset": 6803, "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", @@ -2294,7 +2294,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 7158, + "log.offset": 6973, "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", @@ -2351,7 +2351,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 7329, + "log.offset": 7144, "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", 
@@ -2403,7 +2403,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 7500, + "log.offset": 7315, "network.transport": "(no", "observer.egress.interface.name": "outside", "observer.hostname": "127.0.0.1", @@ -2452,7 +2452,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 7647, + "log.offset": 7462, "network.transport": "(no", "observer.egress.interface.name": "outside", "observer.hostname": "127.0.0.1", @@ -2504,7 +2504,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "warning", - "log.offset": 7794, + "log.offset": 7609, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2560,7 +2560,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 7950, + "log.offset": 7765, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2617,7 +2617,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 8129, + "log.offset": 7944, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2674,7 +2674,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 8308, + "log.offset": 8123, "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", @@ -2730,7 +2730,7 @@ "fileset.name": "ftd", "input.type": "log", "log.level": "informational", - "log.offset": 8478, + "log.offset": 8293, "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", @@ -2778,7 +2778,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8620, + "log.offset": 8435, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", 
@@ -2825,7 +2825,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8741, + "log.offset": 8556, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -2872,7 +2872,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8862, + "log.offset": 8677, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -2919,7 +2919,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8983, + "log.offset": 8798, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -2966,7 +2966,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9104, + "log.offset": 8919, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -3013,7 +3013,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9225, + "log.offset": 9040, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -3060,7 +3060,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9346, + "log.offset": 9161, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -3107,7 +3107,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9468, + "log.offset": 9283, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", 
@@ -3157,7 +3157,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "warning", - "log.offset": 9590, + "log.offset": 9405, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3208,7 +3208,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "error", - "log.offset": 9744, + "log.offset": 9559, "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "Outside", @@ -3256,7 +3256,7 @@ "fileset.name": "ftd", "input.type": "log", "log.level": "warning", - "log.offset": 9854, + "log.offset": 9669, "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "inside", @@ -3308,7 +3308,7 @@ "fileset.name": "ftd", "input.type": "log", "log.level": "warning", - "log.offset": 9990, + "log.offset": 9805, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3369,7 +3369,7 @@ "fileset.name": "ftd", "input.type": "log", "log.level": "warning", - "log.offset": 10241, + "log.offset": 10056, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3426,7 +3426,7 @@ "fileset.name": "ftd", "input.type": "log", "log.level": "warning", - "log.offset": 10540, + "log.offset": 10355, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3472,7 +3472,7 @@ "fileset.name": "ftd", "input.type": "log", "log.level": "notification", - "log.offset": 10839, + "log.offset": 10654, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -3513,7 +3513,7 @@ "fileset.name": "ftd", "input.type": "log", "log.level": "notification", - "log.offset": 10916, + "log.offset": 10731, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", 
@@ -3555,7 +3555,7 @@ "fileset.name": "ftd", "input.type": "log", "log.level": "notification", - "log.offset": 11008, + "log.offset": 10823, "observer.egress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall",
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index c46227b79a1..44bbb22f088 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -297,10 +297,11 @@ processors:
       if: "ctx._temp_.cisco.message_id == '113019'"
       field: "message"
       pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}"
-  - dissect:
+  - grok:
       if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)'
       field: "message"
-      pattern: "Built %{network.direction} %{network.transport} connection %{_temp_.cisco.connection_id} for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+      patterns:
+        - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}"
   - dissect:
       if: "ctx._temp_.cisco.message_id == '303002'"
       field: "message"
@@ -1576,6 +1577,13 @@ processors:
           }
         }
 
+  - set:
+      description: copy destination.user.name to user.name if it is not set
+      field: user.name
+      value: "{{destination.user.name}}"
+      ignore_empty_value: true
+      if: ctx?.user?.name == null
+
   # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname.
   - set:
       field: observer.hostname
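Review bot: In the new grok pattern `%{IP:source.address}` and `%{IP:_temp_.natsrcip}` are stricter than the destination side, which uses `%{NOTSPACE:destination.address}` and `%{NOTSPACE:_temp_.natdstip}` to accept named objects such as `dmz:OCSP_Server/5678 (OCSP_Server/5678)` in sample.log; a 302013/302015 message whose source side carries a name instead of an address would now fail the grok where the old dissect accepted it. `%{NOTSPACE:source.address}` and `%{NOTSPACE:_temp_.natsrcip}` would keep both sides symmetric. The same tightening (`%{NUMBER:destination.port}` followed by a literal ` \(`) appears to be why the malformed `.../80port> (...)` 302015 line was removed from both sample.log files; keeping it, or a variant, as a negative case would let the expected JSON pin what the pipeline emits when this grok does not match, since no `ignore_failure` is set on the processor and the on_failure handling is outside the hunk. The two username captures are `NOTSPACE`, so a user name containing a space would make the whole grok fail rather than just skip the optional group — worth confirming against what identity-firewall messages can contain.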
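Review bot: Only the destination-side identity user reaches ECS: the first optional group is captured as `_temp_.cisco.source_username` (surfacing as `cisco.asa.source_username` in the new expected event), while the second goes to `destination.user.name`, is copied to `user.name` by this `set`, and is appended to `related.user` in the later `append` hunk of this file, so the new fixture's `related.user` holds only `username` and not `LOCAL\username`, and a message carrying just the source user yields no `user.name` at all. Capturing it as `%{NOTSPACE:source.user.name}` in the grok above and adding a parallel `append` of `{{source.user.name}}` to `related.user` would make both identities searchable. As a point of style, `if: ctx?.user?.name == null` is the only unquoted condition among the neighbouring processors; `if: "ctx?.user?.name == null"` would match them.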
@@ -1613,6 +1621,11 @@ processors:
       field: related.user
       value: "{{user.name}}"
       if: "ctx?.user?.name != null"
+  - append:
+      field: related.user
+      value: "{{destination.user.name}}"
+      allow_duplicates: false
+      if: "ctx?.destination?.user?.name != null"
   - append:
       field: related.hash
       value: "{{file.hash.sha256}}"