cisco_ftd: support additional patterns for 113012, 113004, and 716039 message ids #6142

Merged
merged 1 commit into from
May 10, 2023
5 changes: 5 additions & 0 deletions packages/cisco_ftd/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.10.2"
changes:
- description: Support additional patterns in 113012, 113004, and 716039 messages
type: bugfix
link: https://github.com/elastic/integrations/issues/6142
- version: "2.10.1"
changes:
- description: Convert source.bytes and destination.bytes to integer
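Review bot: the `link` on the new 2.10.2 entry points at `https://github.com/elastic/integrations/issues/6142`, but #6142 is this pull request (see the page title), so the `/pull/6142` URL is the one that resolves directly to the change instead of via a redirect. Also, the change adds new fields (`cisco.ftd.aaa_type`, `cisco.ftd.session_type`, `source.user.group.name` in the other hunks), which reads more like `type: enhancement` than `bugfix`; pick whichever matches how the package versions such additions.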
Expand Up @@ -69,4 +69,7 @@ Jan 14 2015 13:16:14: %FTD-4-338008: Dynamic Filter dropped blacklisted TCP traf
Nov 16 2009 14:12:35: %FTD-5-304001: 10.30.30.30 Accessed URL 192.168.2.1:/app
Nov 16 2009 14:12:36: %FTD-5-304001: 10.5.111.32 Accessed URL 192.168.2.32:http://example.com
Nov 16 2009 14:12:37: %FTD-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.168.0.19 on interface inside
Nov 01 16:42:22 UTC: %FTD-session-6-302013: Built inbound TCP connection 1488052803 for intranet:192.168.22.10/59864 (192.168.22.10/59864) to internet:216.160.83.56/1433 (216.160.83.56/1433)
Nov 01 16:42:22 UTC: %FTD-session-6-302013: Built inbound TCP connection 1488052803 for intranet:192.168.22.10/59864 (192.168.22.10/59864) to internet:216.160.83.56/1433 (216.160.83.56/1433)
<190>Mar 03 2023 09:01:16 sac-firewall : %FDT-6-113004: AAA user accounting Successful : server = 192.168.0.8 : user = sample-user
<190>Mar 03 2023 08:50:32 sac-firewall : %FDT-6-113012: AAA user authentication Successful : local database : user = sample.user
<190>Mar 03 2023 09:13:09 sac-firewall : %FDT-6-716039: Group <DfltGrpPolicy> User <*****> IP <192.168.0.8> Authentication: rejected, Session Type: WebVPN.
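Review bot: the three added samples carry the prefix `%FDT-6-…`, while every existing line in this file uses `%FTD-…`. If the transposed prefix is a real variant the pipeline is meant to tolerate, say so and keep a `%FTD-` copy of each line as well; if it is a typo, fix it here, because the expected-output file in this PR locks in whatever these lines contain. None of the three lines exercises the uppercase `User =` or the `LOCAL\` / `domain\user` forms that the new `[Uu]ser` and `CISCO_USER` grok branches were written for, so a sample of each would give those branches test coverage.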
Expand Up @@ -5210,6 +5210,187 @@
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-03-03T09:01:16.000Z",
"cisco": {
"ftd": {
"aaa_type": "accounting"
}
},
"destination": {
"address": "192.168.0.8",
"ip": "192.168.0.8"
},
"ecs": {
"version": "8.7.0"
},
"event": {
"action": "logged-in",
"code": "113004",
"original": "\u003c190\u003eMar 03 2023 09:01:16 sac-firewall : %FDT-6-113004: AAA user accounting Successful : server = 192.168.0.8 : user = sample-user",
"outcome": "success",
"severity": 6,
"timezone": "UTC"
},
"host": {
"hostname": "sac-firewall"
},
"log": {
"level": "informational",
"syslog": {
"facility": {
"code": 23
},
"priority": 190,
"severity": {
"code": 6
}
}
},
"observer": {
"hostname": "sac-firewall",
"product": "ftd",
"type": "idps",
"vendor": "Cisco"
},
"related": {
"hosts": [
"sac-firewall"
],
"ip": [
"192.168.0.8"
],
"user": [
"sample-user"
]
},
"source": {
"user": {
"name": "sample-user"
}
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-03-03T08:50:32.000Z",
"cisco": {
"ftd": {}
},
"ecs": {
"version": "8.7.0"
},
"event": {
"action": "logged-in",
"code": "113012",
"original": "\u003c190\u003eMar 03 2023 08:50:32 sac-firewall : %FDT-6-113012: AAA user authentication Successful : local database : user = sample.user",
"outcome": "success",
"severity": 6,
"timezone": "UTC"
},
"host": {
"hostname": "sac-firewall"
},
"log": {
"level": "informational",
"syslog": {
"facility": {
"code": 23
},
"priority": 190,
"severity": {
"code": 6
}
}
},
"observer": {
"hostname": "sac-firewall",
"product": "ftd",
"type": "idps",
"vendor": "Cisco"
},
"related": {
"hosts": [
"sac-firewall"
],
"user": [
"sample.user"
]
},
"source": {
"user": {
"name": "sample.user"
}
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-03-03T09:13:09.000Z",
"cisco": {
"ftd": {
"session_type": "WebVPN"
}
},
"ecs": {
"version": "8.7.0"
},
"event": {
"action": "logon-failed",
"code": "716039",
"original": "\u003c190\u003eMar 03 2023 09:13:09 sac-firewall : %FDT-6-716039: Group \u003cDfltGrpPolicy\u003e User \u003c*****\u003e IP \u003c192.168.0.8\u003e Authentication: rejected, Session Type: WebVPN.",
"outcome": "failure",
"severity": 6,
"timezone": "UTC"
},
"host": {
"hostname": "sac-firewall"
},
"log": {
"level": "informational",
"syslog": {
"facility": {
"code": 23
},
"priority": 190,
"severity": {
"code": 6
}
}
},
"observer": {
"hostname": "sac-firewall",
"product": "ftd",
"type": "idps",
"vendor": "Cisco"
},
"related": {
"hosts": [
"sac-firewall"
],
"ip": [
"192.168.0.8"
],
"user": [
"*****"
]
},
"source": {
"address": "192.168.0.8",
"ip": "192.168.0.8",
"user": {
"group": {
"name": "DfltGrpPolicy"
},
"name": "*****"
}
},
"tags": [
"preserve_original_event"
]
}
]
}
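Review bot: in the 716039 event (the object with `"code": "716039"`) the masked placeholder `*****` is emitted as `source.user.name` and appended to `related.user`. That value identifies nobody, and `related.user` is the field analysts pivot on, so every masked rejection from every firewall will correlate to the same bogus user. Consider not setting `source.user.name` (and not appending to `related.user`) when the captured value is only asterisks, or at least documenting the behaviour. Minor: the 113012 event emits an empty `"cisco": {"ftd": {}}` object that could be removed.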
Expand Up @@ -343,11 +343,14 @@ processors:
description: "111010"
patterns:
- "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}"
- dissect:
- grok:
if: "ctx._temp_.cisco.message_id == '113004'"
field: "message"
description: "113004"
pattern: "AAA user %{_temp_.cisco.aaa_type} Successful: server = %{destination.address} , User = %{source.user.name}"
patterns:
- "AAA user %{DATA:_temp_.cisco.aaa_type} Successful(%{SPACE})?: server =(%{SPACE}+)?%{IP:destination.address} [:,] [Uu]ser = %{CISCO_USER:source.user.name}"
pattern_definitions:
CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
- grok:
if: "ctx._temp_.cisco.message_id == '113005'"
description: "113005"
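Review bot: replacing the dissect with `%{IP:destination.address}` narrows what `server =` may contain: the old dissect accepted any token, so an AAA server logged by hostname would now fail the grok and the event would lose both `aaa_type` and `destination.address`. `%{IPORHOST:destination.address}` keeps the previous tolerance; if a later processor converts `destination.address` into `destination.ip`, make sure that convert ignores the hostname case. Minor: `%{SPACE}` is already `\s*`, so `(%{SPACE})?` and `(%{SPACE}+)?` can simply be `%{SPACE}`.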
Expand All @@ -357,11 +360,14 @@ processors:
pattern_definitions:
REASON: (AAA failure|Account has been disabled)
CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
- dissect:
- grok:
if: "ctx._temp_.cisco.message_id == '113012'"
field: "message"
description: "113012"
pattern: "AAA user authentication Successful: local database: user = %{source.user.name}"
patterns:
- "AAA user authentication Successful(%{SPACE})?: local database(%{SPACE})?: [Uu]ser = %{CISCO_USER:source.user.name}"
pattern_definitions:
CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
- dissect:
if: "ctx._temp_.cisco.message_id == '113019'"
field: "message"
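Review bot: `CISCO_USER` is now pasted verbatim into three grok processors in this file (113004, 113005, 113012). Ingest pipelines offer no shared `pattern_definitions`, so the copies are unavoidable, but a one-line comment naming the canonical copy would keep them from drifting the next time one is edited. Note also that moving from dissect to grok drops the implicit whole-message match dissect gave you; the 113012 pattern is specific enough that this is fine, but keep the literal `local database` prefix so a different 113012 variant does not match by accident.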
Expand Down Expand Up @@ -819,12 +825,13 @@ processors:
if: "ctx._temp_.cisco.message_id == '713202'"
field: "message"
pattern: "IP = %{source.address}, %{event.reason}. %{} packet."
# Support masked user
- grok:
if: "ctx._temp_.cisco.message_id == '716039'"
field: "message"
patterns:
- "Authentication: rejected, group = %{NOTSPACE:source.user.group.name} user = %{USER:source.user.name} , Session Type: %{NOTSPACE:_temp_.cisco.session_type}"
- "Group <%{NOTSPACE:source.user.group.name}> User <%{USER:source.user.name}> IP <%{IP:source.address}> Authentication: rejected, Session Type: %{NOTSPACE:_temp_.cisco.session_type}\\."
- "Group <%{NOTSPACE:source.user.group.name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> Authentication: rejected, Session Type: %{NOTSPACE:_temp_.cisco.session_type}\\."
- dissect:
if: "ctx._temp_.cisco.message_id == '750003'"
field: "message"
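Review bot: the second 716039 pattern now captures `source.user.name` with `%{NOTSPACE}` so the masked `*****` placeholder matches, but the first pattern (`group = … user = %{USER:source.user.name}`) still uses `%{USER}` and will reject the same placeholder, as well as `domain\user` and `user@realm` names. Use the same capture in both patterns (NOTSPACE, or the `CISCO_USER` definition used elsewhere in this pipeline) so the two 716039 formats behave alike. The `# Support masked user` comment sits above the whole processor; placing it beside the pattern it describes would make the intent clearer.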
2 changes: 2 additions & 0 deletions packages/cisco_ftd/data_stream/log/fields/ecs.yml
Expand Up @@ -206,6 +206,8 @@
name: source.port
- external: ecs
name: source.user.name
- external: ecs
name: source.user.group.name
- external: ecs
name: tags
- external: ecs
9 changes: 9 additions & 0 deletions packages/cisco_ftd/data_stream/log/fields/fields.yml
Expand Up @@ -65,10 +65,19 @@
type: short
description: |
ICMP code.
- name: aaa_type
type: keyword
description: >
The AAA operation type. One of authentication, authorization, or accounting.
- name: connection_type
type: keyword
description: |
The VPN connection type
- name: session_type
type: keyword
default_field: false
description: >
Session type (for example, IPsec or UDP).
- name: dap_records
type: keyword
description: |
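Review bot: `session_type` is declared with `default_field: false` while the new `aaa_type` (and the neighbouring `connection_type`) are not; decide whether these Cisco-specific keywords belong in default-field search and apply the setting consistently. The `session_type` description gives `IPsec or UDP` as examples, but the sample added in this PR produces `WebVPN`; listing it would save readers a trip to the pipeline.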
3 changes: 3 additions & 0 deletions packages/cisco_ftd/docs/README.md
Expand Up @@ -176,6 +176,7 @@ An example event for `log` looks as following:
| Field | Description | Type |
|---|---|---|
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
| cisco.ftd.aaa_type | The AAA operation type. One of authentication, authorization, or accounting. | keyword |
| cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip |
| cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword |
| cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword |
Expand Down Expand Up @@ -203,6 +204,7 @@ An example event for `log` looks as following:
| cisco.ftd.privilege.old | When a users privilege is changed this is the old value | keyword |
| cisco.ftd.rule_name | Name of the Access Control List rule that matched this event. | keyword |
| cisco.ftd.security | Cisco FTD security event fields. | flattened |
| cisco.ftd.session_type | Session type (for example, IPsec or UDP). | keyword |
| cisco.ftd.source_interface | Source interface for the flow or event. | keyword |
| cisco.ftd.source_username | Name of the user that is the source for this event. | keyword |
| cisco.ftd.suffix | Optional suffix after %FTD identifier. | keyword |
Expand Down Expand Up @@ -368,6 +370,7 @@ An example event for `log` looks as following:
| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
| source.packets | Packets sent from the source to the destination. | long |
| source.port | Port of the source. | long |
| source.user.group.name | Name of the group. | keyword |
| source.user.name | Short name or login of the user. | keyword |
| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
| tags | List of keywords used to tag each event. | keyword |
2 changes: 1 addition & 1 deletion packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: cisco_ftd
title: Cisco FTD
version: "2.10.1"
version: "2.10.2"
license: basic
description: Collect logs from Cisco FTD with Elastic Agent.
type: integration