Add sample package that reproduces the issue

test/packages/false_positives/cisco_asa.expected_errors

@@ -0,0 +1,3 @@
+<failure>test case failed: one or more problems with fields found in documents: \[0\] parsing field value failed: field &#34;event.type&#34; value &#34;change&#34; is not one of the expected values \(access, allowed, connection, denied, end, info, protocol, start\) for any of the values of &#34;event.category&#34; \(network\)&#xA;\[1\] parsing field value failed: field &#34;event.type&#34; value &#34;deletion&#34; is not one of the expected values \(access, allowed, connection, denied, end, info, protocol, start\) for any of the values of &#34;event.category&#34; \(network\)&#xA;\[2\] parsing field value failed: field &#34;event.type&#34; value &#34;error&#34; is not one of the expected values \(access, allowed, connection, denied, end, info, protocol, start\) for any of the values of &#34;event.category&#34; \(network\)</failure>
+<failure>test case failed: one or more problems with fields found in documents: \[0\] parsing field value failed: field &#34;event.type&#34; value &#34;error&#34; is not one of the expected values \(access, allowed, connection, denied, end, info, protocol, start\) for any of the values of &#34;event.category&#34; \(network\)</failure>
+<failure>test case failed: one or more problems with fields found in documents: \[0\] parsing field value failed: field &#34;event.type&#34; value &#34;deletion&#34; is not one of the expected values \(access, allowed, connection, denied, end, info, protocol, start\) for any of the values of &#34;event.category&#34; \(network\)</failure>

test/packages/false_positives/cisco_asa/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@v8.9.0

test/packages/false_positives/cisco_asa/_dev/build/docs/README.md

@@ -0,0 +1,16 @@
+# Cisco ASA Integration
+
+This integration is for Cisco ASA network device's logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+
+- `log` dataset: supports Cisco ASA firewall logs.
+
+## Logs
+
+### ASA
+
+The `log` dataset collects the Cisco ASA firewall logs.
+
+{{event "log"}}
+
+{{fields "log"}}

test/packages/false_positives/cisco_asa/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,23 @@
+version: "2.3"
+services:
+  cisco-logfile:
+    image: alpine
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+      - ${SERVICE_LOGS_DIR}:/var/log
+    command: /bin/sh -c "cp /sample_logs/* /var/log/"
+  cisco-asa-tls:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9515 -p=tls --insecure /sample_logs/cisco-asa.log
+  cisco-asa-tcp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=tcp /sample_logs/cisco-asa.log
+  cisco-asa-udp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/cisco-asa.log

test/packages/false_positives/cisco_asa/_dev/deploy/docker/sample_logs/cisco-asa.log

@@ -0,0 +1,6 @@
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-302016: Teardown UDP connection 11758 for outside:192.168.80.32/53 to inside:172.31.98.44/56132 duration 0:00:00 bytes 148
+Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-113039: Group VPN_USERS User example.user IP 67.43.156.14 AnyConnect parent session started.
+Jan  2 2020 11:33:20 localhost : %ASA-4-338204: Dynamic filter dropped greylisted TCP traffic from eth0:10.10.10.1/1234 (source.example.net/11234) to wan:172.24.177.3/80 (www.example.org/80), destination malicious address resolved from dynamic list: example.org, threat-level: high, category: malware
+Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.19.254/80 dst inside:172.31.98.44/8277 by access-group "inbound" [0x0, 0x0]

test/packages/false_positives/cisco_asa/changelog.yml

@@ -0,0 +1,299 @@
+# newer versions go on top
+- version: "2.21.0"
+  changes:
+    - description: Update package-spec to 2.10.0.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/7595
+- version: "2.20.4"
+  changes:
+    - description: Add support for unspecified reason AAA user authenticaton rejection.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/7604
+- version: "2.20.3"
+  changes:
+    - description: Add missing geo field mappings
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/7264
+- version: "2.20.2"
+  changes:
+    - description: Fix the processing of event 313005 when ports are missing.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/7254
+    - description: Collect network.transport for events 722033 and 722034.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/7254
+- version: "2.20.1"
+  changes:
+    - description: Fix the handling of spaces in 113005 messages.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/7216
+- version: "2.20.0"
+  changes:
+    - description: Update package to ECS 8.9.0.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/7107
+- version: "2.19.0"
+  changes:
+    - description: Convert dashboard to lens.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/6797
+- version: "2.18.0"
+  changes:
+    - description: Ensure event.kind is correctly set for pipeline errors.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/6600
+- version: "2.17.1"
+  changes:
+    - description: Fix VPN event.action
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/6423
+- version: "2.17.0"
+  changes:
+    - description: Update package to ECS 8.8.0.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/6325
+- version: "2.16.0"
+  changes:
+    - description: Support 722011, 722033 and 722034 messages.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/5967
+    - description: Fix handling of 722037 and 722051 messages.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/5967
+- version: "2.15.0"
+  changes:
+    - description: Update package to ECS 8.7.0.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/5765
+- version: "2.14.1"
+  changes:
+    - description: Added categories and/or subcategories.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/5123
+- version: "2.14.0"
+  changes:
+    - description: Allow retention of a searchable log message.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/5393
+- version: "2.13.2"
+  changes:
+    - description: Support additional patterns in 113012, 113004, and 716039 messages
+      type: bugfix
+      link: https://github.com/elastic/integrations/issues/5443
+- version: "2.13.1"
+  changes:
+    - description: Remove `ignore_failure` causing performance bottleneck
+      type: bugfix
+      link: https://github.com/elastic/integrations/issues/5349
+- version: "2.13.0"
+  changes:
+    - description: Allow configuration of time zones.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/5139
+- version: "2.12.1"
+  changes:
+    - description: Interchange source, destination for messages 302013 & 302015 as per Cisco doc
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/5004
+- version: "2.12.0"
+  changes:
+    - description: Update package to ECS 8.6.0.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/4576
+- version: "2.11.0"
+  changes:
+    - description: Add `udp_options` to the UDP input.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/4863
+- version: "2.10.1"
+  changes:
+    - description: Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/4516
+- version: "2.10.0"
+  changes:
+    - description: Allow configuration of internal/external zones
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/4579
+- version: "2.9.0"
+  changes:
+    - description: Update package to ECS 8.5.0.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/4285
+- version: "2.8.0"
+  changes:
+    - description: Harmonise with pipeline with Cisco FTD.
+      type: enhancement
+      link: https://github.com/elastic/integrations/issues/4380
+- version: "2.7.7"
+  changes:
+    - description: Remove duplicate fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4400
+- version: "2.7.6"
+  changes:
+    - description: Remove duplicate field.
+      type: bugfix
+      link: https://github.com/elastic/integrations/issues/4327
+- version: "2.7.5"
+  changes:
+    - description: Fix handling of 302020 event messages.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4209
+- version: "2.7.4"
+  changes:
+    - description: Use ECS geo.location definition.
+      type: enhancement
+      link: https://github.com/elastic/integrations/issues/4227
+- version: "2.7.3"
+  changes:
+    - description: Fix handling of non-canonical 113005 messages.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4189
+- version: "2.7.2"
+  changes:
+    - description: Clean up grok pattern naming.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4163
+- version: "2.7.1"
+  changes:
+    - description: Fix handling of some non-canonical log formats.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3943
+- version: "2.7.0"
+  changes:
+    - description: Add handling of AAA operations.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3740
+- version: "2.6.0"
+  changes:
+    - description: Update package to ECS 8.4.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3842
+- version: "2.5.2"
+  changes:
+    - description: Improve TCP, SSL config description and example.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3763
+- version: "2.5.1"
+  changes:
+    - description: Fix handling of user parsing when SGT fields are present.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3650
+    - description: Fix handling of user parsing for 302013 and 302015 events.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3650
+- version: "2.5.0"
+  changes:
+    - description: Update package to ECS 8.3.0.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3353
+- version: "2.4.2"
+  changes:
+    - description: Map syslog priority details according to ECS
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3549
+    - description: Extract syslog facility and severity codes from syslog priority
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3549
+- version: "2.4.1"
+  changes:
+    - description: Ensure invalid event.outcome does not get recorded in event
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3354
+- version: "2.4.0"
+  changes:
+    - description: Add TCP input with TLS support
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3312
+- version: "2.3.0"
+  changes:
+    - description: Update to ECS 8.2
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2778
+- version: "2.2.2"
+  changes:
+    - description: Change visualizations to use event.code instead of cisco.asa.message_id.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3146
+- version: "2.2.1"
+  changes:
+    - description: Add documentation for multi-fields
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2916
+- version: "2.2.0"
+  changes:
+    - description: Add community_id processor, update 805001, 304001, 106023 and 602304 message parsing. elastic/beats#26879
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2820
+    - description: Add user.name field to ASA Security negotiation log line. elastic/beats#26975
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2820
+    - description: Change event.outcome and event.type handling to be more ECS compliant. elastic/beats#29698
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2820
+- version: "2.1.0"
+  changes:
+    - description: Add parsing for event code 113029-113040
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2535
+- version: "2.0.1"
+  changes:
+    - description: Clarify configuration option documentation
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2649
+- version: "2.0.0"
+  changes:
+    - description: Update to ECS 8.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2389
+- version: "1.3.2"
+  changes:
+    - description: Regenerate test files using the new GeoIP database
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2339
+- version: "1.3.1"
+  changes:
+    - description: Change test public IPs to the supported subset
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2327
+- version: "1.3.0"
+  changes:
+    - description: Add 8.0.0 version constraint
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2236
+- version: "1.2.2"
+  changes:
+    - description: Update Title and Description.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1952
+- version: "1.2.1"
+  changes:
+    - description: Relax time parsing and capture group and session type in Cisco ASA module
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1891
+- version: "1.2.0"
+  changes:
+    - description: Add support for Cisco ASA SIP events
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1865
+- version: "1.1.1"
+  changes:
+    - description: Fix logic that checks for the 'forwarded' tag
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1805
+- version: "1.1.0"
+  changes:
+    - description: Update to ECS 1.12.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1782
+- version: "1.0.1"
+  changes:
+    - description: Adding missing ECS fields
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1732
+- version: "1.0.0"
+  changes:
+    - description: Split Cisco ASA into its own package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1583