[Cisco ASA] Support patterns with SGT tag:name as username #8205
packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Package cisco_asa - 2.26.1 containing this change is available at https://epr.elastic.co/search?package=cisco_asa
Proposed commit message

When using Cisco ASA with the SXP protocol and SGT tags to write firewall rules, the format of the `idfw_user` is presented in their logs as `SGT-tag:SGT-name`. Multiple `message_id`s are now required to support this change.

Sample log:

<140>Oct 06 2023 09:22:19 myAsaHostname : %ASA-4-106023: Deny tcp src outside:192.168.2.2/51982(9999:my_SgtName) dst inside:192.168.2.3/443 by access-group \"outside_access_in\" [0x2a9e189a, 0x0]

which will fail with existing GROK patterns as `(9999:my_SgtName)` is not handled. Fixed by updating the `CISCO_USER` pattern in each of these messages to support `SGT-tag:SGT-name`.
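The grok failure the commit message describes, as an added example that is not code from the PR or from the cisco_asa package: a constructed Python regex stand-in for the `CISCO_USER` fragment before and after the change, run over the sample 106023 line. `USER_BEFORE`, `USER_AFTER`, `build_106023` and `parse_106023` are hypothetical names, and both regex fragments are simplified illustrations, not the package's actual grok definitions. The two extra sample lines are constructed variants of the one quoted above.

```python
import re

# Constructed sample lines. SAMPLE_SGT is the line quoted in the PR description
# (with the JSON-style \" unescaped); the other two are variants built from it.
SAMPLE_SGT = (
    "<140>Oct 06 2023 09:22:19 myAsaHostname : %ASA-4-106023: Deny tcp src "
    "outside:192.168.2.2/51982(9999:my_SgtName) dst inside:192.168.2.3/443 "
    'by access-group "outside_access_in" [0x2a9e189a, 0x0]'
)
SAMPLE_DOMAIN_USER = SAMPLE_SGT.replace("(9999:my_SgtName)", "(LOCAL\\jdoe)")
SAMPLE_NO_USER = SAMPLE_SGT.replace("(9999:my_SgtName)", "")

# Hypothetical stand-ins for the pipeline's CISCO_USER grok fragment; these are
# simplified illustrations, not the package's own definitions.
# "Before": an optional DOMAIN\ prefix followed by a user name that cannot
# contain ':', so the SGT form "9999:my_SgtName" cannot match.
USER_BEFORE = r"(?:(?P<domain>[^\\)]+)\\)?(?P<user>[^\\:)]+)"
# "After": a first alternative for the SXP/SGT form <numeric tag>:<name>,
# falling back to the original DOMAIN\user form.
USER_AFTER = (
    r"(?:(?P<sgt_tag>\d+):(?P<sgt_name>[^)]+)"
    r"|(?:(?P<domain>[^\\)]+)\\)?(?P<user>[^\\:)]+))"
)


def build_106023(user_pattern):
    """Compile a regex for the %ASA-4-106023 'Deny ... by access-group' message,
    splicing the given user fragment into the optional '(user)' that follows the
    source port, the way a grok pattern references %{CISCO_USER}."""
    return re.compile(
        r"%ASA-4-106023: Deny (?P<proto>\w+) src "
        r"(?P<src_zone>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
        r"(?:\(" + user_pattern + r"\))? dst "
        r"(?P<dst_zone>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
        r' by access-group "(?P<acl>[^"]+)"'
    )


def parse_106023(line, user_pattern=USER_AFTER):
    """Return the captured fields as a dict, or None when the whole message
    fails to match (the grok failure the PR describes). Unset groups are dropped."""
    m = build_106023(user_pattern).search(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


if __name__ == "__main__":
    for label, pattern in (("before", USER_BEFORE), ("after", USER_AFTER)):
        for line in (SAMPLE_SGT, SAMPLE_DOMAIN_USER, SAMPLE_NO_USER):
            print(label, parse_106023(line, pattern))
```

With the "before" fragment the entire 106023 message fails to match rather than just losing the user field, which is the behaviour to watch for in pipeline error fields when a new log format appears; the "after" form captures tag and name as separate groups while still accepting the `DOMAIN\user` form and lines with no user at all.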