
[Cisco Asa] Adds two new grok patterns to the 737026 message parser to handle cases where the pool name is absent (message ends with 'from local pool' without a name).#19116

Merged: haetamoudi merged 8 commits into elastic:main from haetamoudi:sentinel-mirror-cisco_asa-run-1778776994944460032 on May 26, 2026

Conversation

@haetamoudi (Contributor)

Suggested label: Enhancement (pick the matching GitHub label)

Proposed commit message

Squash subject line (from Sentinel / primary PR):

[Cisco Asa] Adds two new grok patterns to the 737026 message parser to handle cases where the pool name is absent (message ends with 'from local pool' without a name).

Executive summary

Adds two new grok patterns to the 737026 message parser to handle cases where the pool name is absent (message ends with 'from local pool' without a name). Previously, only patterns requiring a pool name were present, causing parse failures when Cisco ASA emits messages without a pool name. Two corresponding test log lines and expected JSON outputs were added to validate the fix.

Root cause

The parse_737026 grok processor's two patterns both require a non-space pool_name token after 'from local pool', but Cisco ASA can emit 737026 messages that end at 'from local pool' with no pool name, leaving the patterns unable to match and causing a pipeline error.

Approach

Add two additional grok patterns to the parse_737026 processor to handle 737026 messages that terminate after 'from local pool' without providing a pool name. The new patterns mirror the existing ones (with and without Session= prefix) but omit the mandatory pool_name capture group at the end. Add corresponding test cases (one with session_id and no pool_name, one with neither) to the existing test-additional-messages fixture.

Pipeline changes

  • In the parse_737026 grok processor (default.yml ~line 1145), add pattern: '^IPAA: Session=%{NOTSPACE:temp.cisco.session_id}, Client assigned %{NOTSPACE:temp.cisco.pool_address} from local pool$'
  • In the parse_737026 grok processor (default.yml ~line 1145), add pattern: '^IPAA: Client assigned %{NOTSPACE:temp.cisco.pool_address} from local pool$'

Field / mapping changes

Sanitized error message

Processor 'grok' with tag 'parse_737026' in pipeline 'logs-cisco_asa.log-default' failed with message 'Provided Grok expressions do not match field value: [IPAA: Session=0x89abcdef, Client assigned 198.51.100.10 from local pool]'

Sanitized log (event_sanitized excerpt)

<166>%ASA-6-737026: IPAA: Session=0x89abcdef, Client assigned 198.51.100.10 from local pool

Risk and classification

  • Plan risk level: low
  • Tags: pipeline, processors, test-fixture, ingest
  • Impact: medium

Links

  • Issue: (no issue number)
  • Issue title: cisco_asa.log [MISSING_CASE]: Processor 'grok' with tag 'parse_737026' in pipeline 'logs-cisco_asa.log…
  • Pipeline case: 7420caee45832f50 (Integration Sentinel)

This pull request was opened from the Integration Sentinel agent fix flow.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

Author's Checklist

  • [ ]

How to test this PR locally

Add two new log lines to test-additional-messages.log (Session= with no pool_name; no Session= with no pool_name) and their corresponding expected JSON entries. Run 'elastic-package test pipeline -v' for cisco_asa to confirm all 737026 variants pass, including the two pre-existing cases with pool_name.
From a checkout of this branch:

cd packages/cisco_asa
elastic-package test

Screenshots

None attached from Sentinel — add if applicable.
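To show what the added patterns change, here is a small emulation of the parse_737026 grok processor in Python (added example, not code from the integration or from this PR). It assumes the two pre-existing patterns end in a %{NOTSPACE:temp.cisco.pool_name} capture, as the PR description implies, translates the NOTSPACE-only grok subset to regex, and runs the pattern sets before and after the fix over the failing value from the error message above plus constructed variants.

```python
import re

# PATTERNS_BEFORE reconstructs the two pre-existing patterns from the PR description
# (assumption: trailing pool_name capture); PATTERNS_ADDED are the two this PR adds.
PATTERNS_BEFORE = [
    "^IPAA: Session=%{NOTSPACE:temp.cisco.session_id}, Client assigned "
    "%{NOTSPACE:temp.cisco.pool_address} from local pool %{NOTSPACE:temp.cisco.pool_name}$",
    "^IPAA: Client assigned %{NOTSPACE:temp.cisco.pool_address} from local pool "
    "%{NOTSPACE:temp.cisco.pool_name}$",
]
PATTERNS_ADDED = [
    "^IPAA: Session=%{NOTSPACE:temp.cisco.session_id}, Client assigned "
    "%{NOTSPACE:temp.cisco.pool_address} from local pool$",
    "^IPAA: Client assigned %{NOTSPACE:temp.cisco.pool_address} from local pool$",
]
PATTERNS_AFTER = PATTERNS_BEFORE + PATTERNS_ADDED
GROK_BASE = {"NOTSPACE": r"\S+"}  # the only base pattern these expressions use
GROK_REF = re.compile(r"%\{(\w+):([\w.]+)\}")


def grok_to_regex(pattern):
    """Translate the grok subset above into a regex plus a group-name -> field map."""
    fields = {}

    def repl(m):
        base, field = m.group(1), m.group(2)
        group = field.replace(".", "_")  # regex group names cannot contain dots
        fields[group] = field
        return f"(?P<{group}>{GROK_BASE[base]})"

    return re.compile(GROK_REF.sub(repl, pattern)), fields


def parse_737026(message, patterns):
    """First matching pattern wins; None is where the pipeline raises its grok error."""
    for pattern in patterns:
        regex, fields = grok_to_regex(pattern)
        m = regex.match(message)
        if m:
            return {fields[g]: v for g, v in m.groupdict().items()}
    return None


# Constructed samples: the failing value from the PR's error message plus variants.
SAMPLES = [
    "IPAA: Session=0x89abcdef, Client assigned 198.51.100.10 from local pool",
    "IPAA: Client assigned 198.51.100.10 from local pool",
    "IPAA: Session=0x89abcdef, Client assigned 198.51.100.10 from local pool vpn_pool",
    "IPAA: Client assigned 198.51.100.10 from local pool vpn_pool",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", parse_737026(line, PATTERNS_BEFORE), "|", parse_737026(line, PATTERNS_AFTER))
```

The two lines without a pool name return None against PATTERNS_BEFORE and a populated dict against PATTERNS_AFTER, while the lines with a pool name still go to the original patterns.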

@haetamoudi added the labels enhancement (New feature or request), Integration:cisco_asa (Cisco ASA), Team:Integration-Experience (Security Integrations Integration Experience [elastic/integration-experience]) and source:integration_sentinel (The PR was created via the Integration Sentinel pipeline) on May 21, 2026
@haetamoudi haetamoudi marked this pull request as ready for review May 21, 2026 11:14
@haetamoudi haetamoudi requested a review from a team as a code owner May 21, 2026 11:14
@infra-vault-gh-plugin-prod

Pinging @elastic/integration-experience (Team:Integration-Experience)

@elastic-vault-github-plugin-prod (Bot) commented May 21, 2026

🚀 Benchmarks report

Package cisco_asa 👍(0) 💚(0) 💔(1)

Data stream | Previous EPS | New EPS | Diff (%)          | Result
log         | 1170.96      | 836.82  | -334.14 (-28.54%) | 💔

To see the full report comment with /test benchmark fullreport

@github-actions (Contributor)

TL;DR

Buildkite failed before tests ran because the PR branch does not merge cleanly with main (packages/cisco_asa/changelog.yml conflict). Rebase/merge main and resolve the changelog entry conflict, then re-run CI.

Remediation

  • Rebase the PR branch onto the latest main (or merge main) and resolve packages/cisco_asa/changelog.yml by keeping both changes as separate version entries (the current conflict is both sides defining 2.45.2 differently).
  • After resolving, push the updated branch and re-run Buildkite to confirm the pipeline upload step succeeds and downstream jobs start.

Investigation details

Root Cause

This is a configuration/integration-branch state failure (not a test/runtime failure): the Buildkite checkout hook attempts to create a PR merge branch and fails on a content conflict.

Because both edits target the same top changelog block/version, Buildkite cannot auto-merge the PR branch during the pipeline upload phase.

Evidence

  • Build: https://buildkite.com/elastic/integrations/builds/43313
  • Job/step: :pipeline::arrow_up: Upload Pipeline: .buildkite/pipeline.yml
  • Key log excerpt:
    • CONFLICT (content): Merge conflict in packages/cisco_asa/changelog.yml
    • Merge failed: 1
    • Error: running "repository post-checkout" shell hook

Verification

  • Not run: package tests/build steps (pipeline stopped during pre-build merge stage).

Follow-up

  • If you want to keep semantic version ordering strict, bump one of the entries (for example, move your PR entry to the next patch version) while resolving the conflict.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

From workflow: PR Buildkite Detective


@haetamoudi haetamoudi requested a review from bhapas May 25, 2026 09:55
@haetamoudi haetamoudi requested a review from bhapas May 25, 2026 14:00
@bhapas (Contributor) left a comment


LGTM

@elasticmachine

💚 Build Succeeded

History

@haetamoudi haetamoudi merged commit fd631cb into elastic:main May 26, 2026
8 checks passed
@elastic-vault-github-plugin-prod

Package cisco_asa - 2.45.5 containing this change is available at https://epr.elastic.co/package/cisco_asa/2.45.5/

herrBez pushed a commit to herrBez/integrations that referenced this pull request Jun 1, 2026