Fix: Dissect Cisco ASA 302013 message usernames #21196
Conversation
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
botelastic
bot
added
the
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
|
Pinging @elastic/siem (Team:SIEM) |
botelastic
bot
removed
the
needs_team
|
Hi! We're labeling this issue as |
|
We are using this change for our ASA logs, would be nice if it gets pulled into the official releases. Let me know if you need anything else. |
|
Hi! We're labeling this issue as |
|
+1 |
|
jenkins run tests |
|
@C0FFEEC0FFEE thanks for contributing, could you please update your branch with master? it seems to be outdated |
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
I updated my branch with master. |
|
jenkins run tests |
|
This is failing the test suite because it cannot parse the log sample at
The error is
|
botelastic
bot
added
the
Team:Automation
This allows logs like this to parse
%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
andrewkroh
force-pushed
the
C0FFEEC0FFEE-patch-1
branch
from
17f17ec
to
f70b89a
Compare
There was a problem hiding this comment.
I pushed two updates to this PR:
- Add a test case with a 302013 log that has the AAA user name.
- Change the grok
IPfields toNOTSPACEbecause there was a test case that hadOCSP_serveras the address value. I'm not sure of the origin of this log sample to know if it is valid. - Removed a test log that had the port value as
80port>. That looked like some kind of developer error when creating sample logs.
My only question is where client.user.name is the correct place for the user name to go.
| "cisco.asa.message_id": "302013", | ||
| "cisco.asa.source_interface": "internet", | ||
| "cisco.asa.source_username": "LOCAL\\username", | ||
| "client.user.name": "username", |
There was a problem hiding this comment.
Perhaps this should go to user.name instead?
There was a problem hiding this comment.
I'm not sure. Maybe this should go to both client.user.name and user.name, as well as related.user?
In my interpretation of the ECS it fits best to client.user.name since the user initiates a TCP connection:
For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). ECS docs
There was a problem hiding this comment.
According to https://www.elastic.co/guide/en/ecs/1.x/ecs-user-usage.html:
In order to align with ECS' design of having user at the root of the event as the user performing the action, all source.user fields should be copied to user at the root.
I guess it should be copied to user.name and also kept in client.user.name if we understand client is equivalent to source in here.
PS: what @C0FFEEC0FFEE said, was writing it while you posted it also 😄
There was a problem hiding this comment.
Ok, I pushed an update. I think the new user name that is being parsed from this message is actually associated with the destination so I set destination.user.name. Then I set the user.name with that value if it wasn't already set. Then I setup related.user with user.name + destination.user.name (no duplicates).
andrewkroh
added
enhancement
Filebeat
Copy destination.user.name to user.name. Set related.user to user.name + destination.user.name.
|
run tests |
- Add test log containing the AAA user field
- Set destination.user.name
- Copy destination.user.name to user.name.
- Set related.user to user.name + destination.user.name.
This allows logs like this to parse
%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
(cherry picked from commit d6a5f17)
…pack-when-oss-changes * upstream/master: [DOCS] Add setup content to Kubernetes and Cloud Foundry docs (elastic#23580) [CI] Mandatory windows support for all the versions (elastic#23615) Add check when retrieving the worker process id using performance counters (elastic#23647) Remove 4912 evtx from testing (elastic#23669) Add missing SSL settings (elastic#23632) Update X-Pack Packetbeat config (elastic#23666) Use hostname check from verify.go to handle patterns in TLS certs (elastic#23661) Fix: Dissect Cisco ASA 302013 message usernames (elastic#21196) Add FAQ entry for MADV settings in older versions (elastic#23429) Sync fixes from Integration Package Testing (elastic#23424) [Filebeat] Add Cisco ASA message '302023' parsing (elastic#23092) [Elastic Log Driver] Change hosts config flag (elastic#23628) Audit and Authentication Policy Change Events (elastic#20684)
- Add test log containing the AAA user field
- Set destination.user.name
- Copy destination.user.name to user.name.
- Set related.user to user.name + destination.user.name.
This allows logs like this to parse
%ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
(cherry picked from commit d6a5f17)
Co-authored-by: Michael Koch <mail@kochmichael.com>
Fixes ingest pipeline filebeat-7.9.1-cisco-asa-asa-ftd-pipeline to dissect messages of the following format (optional usernames):
Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)\n
Currently one can only dissect this format:
Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926) to vlan-42:1.2.3.4/80 (1.2.3.4/80)\n