From f0886178fbe8e99a2a81e09be0f5abed37719fba Mon Sep 17 00:00:00 2001
From: xtruthx
Date: Wed, 9 Oct 2024 21:34:48 +0200
Subject: [PATCH] [cisco_asa] Add source/destination.address to events with message ID 7250xx (#11292)

- Add source/destination.address to message IDs 725001, 725002, 725007, and 725016.

---------

Co-authored-by: Andrew Kroh
Co-authored-by: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com>
---
 packages/cisco_asa/changelog.yml | 5 +++++
 .../test-additional-messages.log-expected.json | 13 +++++++++++++
 .../log/elasticsearch/ingest_pipeline/default.yml | 10 +++++-----
 packages/cisco_asa/manifest.yml | 2 +-
 4 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml
index 6e3aed04ab3..5d9f08d1e66 100644
--- a/packages/cisco_asa/changelog.yml
+++ b/packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.38.0"
+ changes:
+ - description: Introduce destination.address to message IDs 725001, 725002, 725007, and 725016.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11292
 - version: "2.37.0"
 changes:
 - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
index 7eb42767e19..ef644893569 100644
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
@@ -9442,6 +9442,7 @@
 }
 },
 "destination": {
+ "address": "10.20.0.1",
 "ip": "10.20.0.1",
 "port": 443
 },
@@ -9499,6 +9500,7 @@
 ]
 },
 "source": {
+ "address": "172.16.0.1",
 "ip": "172.16.0.1",
 "port": 1133
 },
@@ -9571,6 +9573,7 @@
 ]
 },
 "source": {
+ "address": "172.16.0.1",
 "ip": "172.16.0.1",
 "port": 1133
 },
@@ -9591,6 +9594,7 @@
 }
 },
 "destination": {
+ "address": "172.16.0.1",
 "ip": "172.16.0.1",
 "port": 443
 },
@@ -9641,6 +9645,7 @@
 ]
 },
 "source": {
+ "address": "10.20.0.1",
 "ip": "10.20.0.1",
 "port": 57700
 },
@@ -9660,6 +9665,7 @@
 }
 },
 "destination": {
+ "address": "10.20.0.1",
 "ip": "10.20.0.1",
 "port": 443
 },
@@ -9717,6 +9723,7 @@
 ]
 },
 "source": {
+ "address": "172.16.0.1",
 "ip": "172.16.0.1",
 "port": 1133
 },
@@ -9737,6 +9744,7 @@
 }
 },
 "destination": {
+ "address": "10.20.0.1",
 "ip": "10.20.0.1",
 "port": 443
 },
@@ -9794,6 +9802,7 @@
 ]
 },
 "source": {
+ "address": "172.16.0.1",
 "ip": "172.16.0.1",
 "port": 1133
 },
@@ -9810,6 +9819,7 @@
 }
 },
 "destination": {
+ "address": "10.20.0.1",
 "ip": "10.20.0.1",
 "port": 443
 },
@@ -9860,6 +9870,7 @@
 ]
 },
 "source": {
+ "address": "172.16.0.1",
 "ip": "172.16.0.1",
 "port": 49243
 },
@@ -9877,6 +9888,7 @@
 }
 },
 "destination": {
+ "address": "10.20.0.1",
 "ip": "10.20.0.1",
 "port": 443
 },
@@ -9934,6 +9946,7 @@
 ]
 },
 "source": {
+ "address": "172.16.0.1",
 "ip": "172.16.0.1",
 "port": 1133
 },
diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 100579a3557..bb459c9cac3 100644
--- a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1001,26 +1001,26 @@ processors:
 if: "ctx._temp_.cisco.message_id == '725001'"
 tag: parse_725001
 patterns:
- - '^Starting SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.ip}/%{NOTSPACE:destination.port} for %{NOTSPACE:_temp_.cisco.tls_version} session'
- - '^Starting SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} for %{NOTSPACE:_temp_.cisco.tls_version} session'
+ - '^Starting SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.address}/%{NOTSPACE:destination.port} for %{NOTSPACE:_temp_.cisco.tls_version} session'
+ - '^Starting SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{NOTSPACE:source.port} for %{NOTSPACE:_temp_.cisco.tls_version} session'
 - grok:
 field: message
 if: "ctx._temp_.cisco.message_id == '725002'"
 tag: parse_725002
 patterns:
- - '^Device completed SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.ip}/%{NOTSPACE:destination.port} for %{NOTSPACE:_temp_.cisco.tls_version}'
+ - '^Device completed SSL handshake with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.address}/%{NOTSPACE:destination.port} for %{NOTSPACE:_temp_.cisco.tls_version}'
 - grok:
 field: message
 if: "ctx._temp_.cisco.message_id == '725007'"
 tag: parse_725007
 patterns:
- - '^SSL session with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.ip}/%{NOTSPACE:destination.port} terminated'
+ - '^SSL session with %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.address}/%{NOTSPACE:destination.port} terminated'
 - grok:
 field: message
 if: "ctx._temp_.cisco.message_id == '725016'"
 tag: parse_725016
 patterns:
- - '^Device selects trust-point %{DATA:_temp_.cisco.trustpoint} for %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.ip}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.ip}/%{NOTSPACE:destination.port}$'
+ - '^Device selects trust-point %{DATA:_temp_.cisco.trustpoint} for %{NOTSPACE:_temp_.cisco.peer_type} %{DATA:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{NOTSPACE:source.port} to %{NOTSPACE:destination.address}/%{NOTSPACE:destination.port}$'
 - grok:
 if: "ctx._temp_.cisco.message_id == '733100'"
 tag: parse_733100
diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml
index 7d585ffc717..6ad0a4f5eb1 100644
--- a/packages/cisco_asa/manifest.yml
+++ b/packages/cisco_asa/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_asa
 title: Cisco ASA
-version: "2.37.0"
+version: "2.38.0"
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration
 categories:
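Review bot: After this hunk none of the four grok processors (parse_725001 through parse_725016) writes `source.ip`/`destination.ip` any more — they capture into `source.address`/`destination.address` — yet the updated expected output in this same patch still shows both `address` and `ip` populated, so the change silently depends on a `*.address` → `*.ip` copy/convert step elsewhere in the pipeline that is not visible here. Please confirm that step runs after these processors and uses `ignore_missing: true` together with `ignore_failure: true` (or an `on_failure` that tags the event), because `NOTSPACE` will happily capture a hostname or any other non-IP token into `.address`, and a strict `type: ip` conversion would otherwise fail the whole event instead of just leaving `.ip` unset — presumably the reason for capturing into `.address` first. A short comment above `tag: parse_725001`, e.g. `# peer host/port tokens go to *.address; *.ip is derived by the shared convert step so non-IP peers do not fail ingest`, would make that dependency explicit for the next maintainer. The `processors` list these entries belong to begins and ends outside the hunk. Separately, the changelog entry in this patch mentions only destination.address although source.address is added as well.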