Skip to content

Commit

Permalink
x-pack/filebeat/module/cisco/asa: add handling of AAA operations and …
Browse files Browse the repository at this point in the history
…non-canonical log formats (#32789)

This reflects changes in the cisco_asa package added in v2.7.0 and v2.7.1.
  • Loading branch information
efd6 authored Aug 25, 2022
1 parent 1745f89 commit c81abb5
Show file tree
Hide file tree
Showing 6 changed files with 1,329 additions and 8 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]

*Filebeat*

- Add handling of AAA operations for Cisco ASA module. {issue}32257[32257] {pull}32789[32789]

*Heartbeat*

Expand Down
9 changes: 9 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/additional_messages.log
Original file line number Diff line number Diff line change
Expand Up @@ -91,3 +91,12 @@ May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current
May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018
May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466
May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054
May 5 19:02:25 dev01: %ASA-6-113004: AAA user authentication Successful: server = 81.2.69.144 , User = alice
May 5 19:02:25 dev01: %ASA-6-113004: AAA user authorization Successful: server = 81.2.69.144 , User = alice
May 5 19:02:25 dev01: %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 81.2.69.144 : user = *****: user IP = 172.31.98.44
May 5 19:02:25 dev01: %ASA-6-113012: AAA user authentication Successful: local database: user = alice
May 5 19:02:25 dev01: %ASA-3-113021: Attempted console login failed. User eve did NOT have appropriate Admin Rights.
May 5 19:02:25 dev01: %ASA-6-716039: Authentication: rejected, group = malcorp user = eve , Session Type: admin
May 5 19:02:25 dev01: %ASA-6-716039: Authentication: rejected, group = malcorp user = malory , Session Type: WebVPN
May 5 19:02:25 dev01: %ASA-6-716039: Group <malcorp> User <eve> IP <172.31.98.44> Authentication: rejected, Session Type: Admin.
May 5 19:02:25 dev01: %ASA-6-716039: Group <malcorp> User <malory> IP <172.31.98.44> Authentication: rejected, Session Type: WebVPN.
Original file line number Diff line number Diff line change
Expand Up @@ -4593,5 +4593,243 @@
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "113004",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113004,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-113004: AAA user authentication Successful: server = 81.2.69.144 , User = alice",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 13920,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "113004",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113004,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-113004: AAA user authorization Successful: server = 81.2.69.144 , User = alice",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 14030,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "113005",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113005,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 81.2.69.144 : user = *****: user IP = 172.31.98.44",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 14139,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "113012",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113012,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-113012: AAA user authentication Successful: local database: user = alice",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 14293,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "113021",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113021,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-3-113021: Attempted console login failed. User eve did NOT have appropriate Admin Rights.",
"event.severity": 3,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "error",
"log.offset": 14396,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "716039",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 716039,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-716039: Authentication: rejected, group = malcorp user = eve , Session Type: admin",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 14514,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "716039",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 716039,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-716039: Authentication: rejected, group = malcorp user = malory , Session Type: WebVPN",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 14627,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
}
]
19 changes: 19 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/non-canonical.log
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
Jul 15 13:38:14 216.160.83.56 : %ASA-6-302013: Built inbound TCP connection 3263493120 for DMZ:shule/5802 (shule/5802) to SERVERS:10.10.227.121/80 (10.10.227.121/80)
Jul 15 13:38:11 216.160.83.56 : %ASA-6-302013: Built outbound TCP connection 3263492189 for MG:exp_srv/10050 (exp_srv/10050) to SERVERS:10.10.227.170/46145 (10.10.224.1/46145)
Jul 15 13:38:08 81.2.69.142 %ASA-6-302015: Built outbound UDP connection 743108828 for outside:ns10/53 (ns10/53) to MND_sec:192.168.174.100/48347 (89.160.20.128/48347)
Jul 15 13:38:03 81.2.69.142 %ASA-6-302015: Built outbound UDP connection 743108738 for outside:ns10/53 (ns10/53) to MND_sec:192.168.174.100/55653 (81.2.69.192/55653)
Jul 15 13:36:59 216.160.83.56 : %ASA-6-106015: Deny TCP (no connection) from 10.12.227.40/389 to exp-angle/54703 flags RST on interface SH_INFRA_MGT
Jul 15 13:36:39 216.160.83.56 : %ASA-6-106015: Deny TCP (no connection) from 89.160.20.128/56594 to sh-mailgw1/25 flags FIN ACK on interface outside
Jul 15 13:38:47 216.160.83.56 : %ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/62409 to outside:81.2.69.142/62409 duration 0:00:41
Jul 15 13:37:33 216.160.83.56 : %ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/56421 to outside:81.2.69.142/56421 duration 0:00:30
Jul 15 13:39:04 216.160.83.56 : %ASA-6-305011: Built dynamic TCP translation from SERVERS:exp-srv/50578 to outside:81.2.69.142/50578
Jul 15 13:37:02 216.160.83.56 : %ASA-6-305011: Built dynamic UDP translation from SERVERS:exp-wait/56570 to outside:81.2.69.142/56570
Jul 15 13:18:06 216.160.83.56 : %ASA-4-106023: Deny tcp src MG:exp_srv/64593 dst SH_OSS:89.160.20.128/2511 by access-group "MGT_access_in" [0x0, 0x0]
Jul 15 01:18:01 216.160.83.56 : %ASA-4-106023: Deny tcp src MG:exp_srv/63513 dst SH_OSS:89.160.20.128/2511 by access-group "MGT_access_in" [0x0, 0x0]
Jul 15 13:30:09 81.2.69.142 %ASA-6-302020: Built inbound ICMP connection for faddr eth0_fw/6553 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
Jul 14 01:45:09 81.2.69.142 %ASA-6-302020: Built inbound ICMP connection for faddr eth0_fw/8396 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
Jul 15 13:30:09 81.2.69.142 %ASA-6-302021: Teardown ICMP connection for faddr eth0_fw/6553 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
Jul 14 01:45:09 81.2.69.142 %ASA-6-302021: Teardown ICMP connection for faddr eth0_fw/8396 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
Jul 15 12:18:51 81.2.69.192 %ASA-6-113039: Group <novpn> User <nt\minsk> IP <216.160.83.56> AnyConnect parent session started.
Jul 1 09:27:13 216.160.83.56 : %ASA-6-113039: Group <Group_VPN> User <support\column> IP <81.2.69.192> AnyConnect parent session started.
Jun 14 01:22:47 81.2.69.142 %ASA-5-304001: 192.168.14.22 Accessed URL mirror:http://mirror.example.com/path/to/resource
Loading

0 comments on commit c81abb5

Please sign in to comment.