[Filebeat - Module Cisco-ASA] Parsing of Cisco Event Message 734001 #16212
Comments
|
Pinging @elastic/siem (Team:SIEM) |
|
Maybe @adriansr can help here most? |
Hi @MarcusCaepio, the Cisco ASA module uses an Elasticsearch Ingest Node pipeline to do the parsing. This module is bundled into the Filebeat install. You can try making modification to your pipeline and testing the results. Any time you change the pipeline config on disk you need to reinstall it to Elasticsearch before indexing any log data. Your filebeat install will have a module/cisco/shared/ingest/asa-ftd-pipeline.yml file. You probably want to insert a beats/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml Lines 159 to 162 in 4b69bf2 After you make changes to that file you need to re-install the pipeline to ES with
so your changes take effect. Then you can send some test log lines through and check the result. If the changes work let us know and we can update the module with your changes. |
|
Hey @andrewkroh , Thanks in advance. |
|
@MarcusCaepio , go ahead with the PR. You'll have to make sure that the new fields under Instead of |
|
Hi @adriansr , |
Fixes elastic#16212 The split part is needed, because one has to be able to search for an explicit dap_record. As the records order and number can vary a lot, just saving the whole string makes no sense. I chose "user.email", "source.ip" as ECS fields and "cisco.connection_type", "cisco.dap_records", as looking to the syslog messages docs,they also call it like that. I made "make update" in /beats/x.pack/filebeat and /beats/filebeat. Hopefully the pipeline succeeds now.
The split part is needed, because one has to be able to search for an explicit dap_record. As the records order and number can vary a lot, just saving the whole string makes no sense. I chose "user.email", "source.ip" as ECS fields and "cisco.connection_type", "cisco.dap_records", as looking to the syslog messages docs,they also call it like that. I made "make update" in /beats/x.pack/filebeat and /beats/filebeat. Hopefully the pipeline succeeds now. Fixes #16212 Co-authored-by: MarcusCaepio <7324088+MarcusCaepio@users.noreply.github.com>
The split part is needed, because one has to be able to search for an explicit dap_record. As the records order and number can vary a lot, just saving the whole string makes no sense. I chose "user.email", "source.ip" as ECS fields and "cisco.connection_type", "cisco.dap_records", as looking to the syslog messages docs,they also call it like that. I made "make update" in /beats/x.pack/filebeat and /beats/filebeat. Hopefully the pipeline succeeds now. Fixes elastic#16212 Co-authored-by: MarcusCaepio <7324088+MarcusCaepio@users.noreply.github.com> (cherry picked from commit ac2b333)
…essage 734001. (#17128) The split part is needed, because one has to be able to search for an explicit dap_record. As the records order and number can vary a lot, just saving the whole string makes no sense. I chose "user.email", "source.ip" as ECS fields and "cisco.connection_type", "cisco.dap_records", as looking to the syslog messages docs,they also call it like that. I made "make update" in /beats/x.pack/filebeat and /beats/filebeat. Hopefully the pipeline succeeds now. Fixes #16212 (cherry picked from commit ac2b333) Co-authored-by: MarcusCaepio <7324088+MarcusCaepio@users.noreply.github.com>
Hi all,
Describe the enhancement:
we recently switched from Logstash to Ingest with filebeat-cisco-asa and unfortunately noticed, that one important cisco message is not yet ingested (correctly), the cisco.asa.message_id:734001 . These messages give information about the DAP records, which a user gets, when he connects via VPN and are very while troubleshooting VPN problems.
Describe a specific use case for the enhancement or feature:
The ID Pattern given by cisco looks like this:
%ASA-6-734001: DAP: User user, Addr ipaddr , Connection connection : The following DAP records were selected for this connection: DAP record names
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html#con_5678113
Here is a sample event:
%ASA-6-734001: DAP: User firstname.lastname@domain.com, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_name1, dap_name2The Pattern and Logstash filter, I used in the past, looks like this:
It would be very nice, if this could be Ingested by Filebeat, too. At the moment, we are not able use elastic for this use case, because we can though search the message id, but as soon as we additionally search for a username in the event.original field, the search really takes very, very long.
As I am currently totally inexperienced in creating modules. So I don't know, if I can give constructive help here. But if sb. can lend me a hand, where I have to begin (beside the docs), I will try to help.
Also relates to #14151
Thanks in advanced!
Cheers,
Marcus
The text was updated successfully, but these errors were encountered: