cisco_asa: add support for unspecified reason AAA user authentication…
… rejection (#7604)
efd6 authored and gizas committed Sep 5, 2023
1 parent e1b3e6e commit 330e310
Showing 5 changed files with 78 additions and 2 deletions.
5 changes: 5 additions & 0 deletions packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.20.4"
changes:
- description: Add support for unspecified reason AAA user authenticaton rejection.
type: bugfix
link: https://github.com/elastic/integrations/pull/7604
- version: "2.20.3"
changes:
- description: Add missing geo field mappings
Expand Up @@ -106,3 +106,4 @@ May 5 19:02:25 dev01: %ASA-6-716039: Group <malcorp> User <malory> IP <172.31.9
<190>Mar 03 2023 09:01:16 sac-firewall : %ASA-6-113004: AAA user accounting Successful : server = 192.168.0.8 : user = sample-user
<190>Mar 03 2023 08:50:32 sac-firewall : %ASA-6-113012: AAA user authentication Successful : local database : user = sample.user
<190>Mar 03 2023 09:13:09 sac-firewall : %ASA-6-716039: Group <DfltGrpPolicy> User <*****> IP <192.168.0.8> Authentication: rejected, Session Type: WebVPN.
<166>Aug 28 2023 15:35:00 fw123-vc456 : %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.1.2.0 : user = user : user IP = 10.1.2.3
Expand Up @@ -7391,6 +7391,76 @@
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-08-28T15:35:00.000Z",
"destination": {
"address": "10.1.2.0",
"ip": "10.1.2.0"
},
"ecs": {
"version": "8.9.0"
},
"event": {
"action": "logon-failed",
"category": [
"authentication",
"network"
],
"code": "113005",
"kind": "event",
"original": "\u003c166\u003eAug 28 2023 15:35:00 fw123-vc456 : %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.1.2.0 : user = user : user IP = 10.1.2.3",
"outcome": "failure",
"severity": 6,
"timezone": "UTC",
"type": [
"denied",
"info"
]
},
"host": {
"hostname": "fw123-vc456"
},
"log": {
"level": "informational",
"syslog": {
"facility": {
"code": 20
},
"priority": 166,
"severity": {
"code": 6
}
}
},
"observer": {
"hostname": "fw123-vc456",
"product": "asa",
"type": "firewall",
"vendor": "Cisco"
},
"related": {
"hosts": [
"fw123-vc456"
],
"ip": [
"10.1.2.3",
"10.1.2.0"
],
"user": [
"user"
]
},
"source": {
"address": "10.1.2.3",
"ip": "10.1.2.3",
"user": {
"name": "user"
}
},
"tags": [
"preserve_original_event"
]
}
]
}
Expand Up @@ -455,7 +455,7 @@ processors:
patterns:
- "AAA user authentication Rejected(%{SPACE})?: reason = %{REASON}(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: user = ?%{CISCO_USER:source.user.name}(%{SPACE})?: user IP = %{IP:source.address}"
pattern_definitions:
REASON: (AAA failure|Account has been disabled)
REASON: (AAA failure|Account has been disabled|Unspecified)
CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
- grok:
if: "ctx._temp_.cisco.message_id == '113012'"
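Review bot: The `REASON` pattern definition on the added line is still a closed alternation, so a 113005 message carrying any reason string other than the three listed will fail this grok and, depending on the on_failure handling outside the hunk, likely lose the `source.user.name`, `source.address` and `destination.address` enrichment that failed-authentication detections key on — the same gap this commit closes for `Unspecified`, one value at a time. Because the reason is not captured into a field, a bounded generic match such as `REASON: [^:]+` (terminated by the following `: server =`, assuming reason text never contains a colon) would cover unseen reasons without changing any extracted field. If the reason text is wanted for analysts, capturing it as `%{REASON:event.reason}` would also need that field in the integration's mappings, which I can't see from here. The grok processor that owns this pattern starts above the hunk. A test log line with a reason outside the current list would pin whichever behaviour is intended.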
2 changes: 1 addition & 1 deletion packages/cisco_asa/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: cisco_asa
title: Cisco ASA
version: "2.20.3"
version: "2.20.4"
license: basic
description: Collect logs from Cisco ASA with Elastic Agent.
type: integration
