x-pack/filebeat/module/cisco/asa: add handling of AAA operations and non-canonical log formats #32789

Merged (1 commit), Aug 25, 2022
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -69,6 +69,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]

*Filebeat*

- Add handling of AAA operations for Cisco ASA module. {issue}32257[32257] {pull}32789[32789]

*Heartbeat*

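Review bot: the changelog entry only mentions AAA operations, but this PR also adds the non-canonical syslog format handling exercised by x-pack/filebeat/module/cisco/asa/test/non-canonical.log (the PR title names both). Suggest extending the entry, e.g. "- Add handling of AAA operations and non-canonical log formats for Cisco ASA module. {issue}32257[32257] {pull}32789[32789]", so the release notes reflect the full behaviour change.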
Expand Up @@ -91,3 +91,12 @@ May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current
May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018
May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466
May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054
May 5 19:02:25 dev01: %ASA-6-113004: AAA user authentication Successful: server = 81.2.69.144 , User = alice
May 5 19:02:25 dev01: %ASA-6-113004: AAA user authorization Successful: server = 81.2.69.144 , User = alice
May 5 19:02:25 dev01: %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 81.2.69.144 : user = *****: user IP = 172.31.98.44
May 5 19:02:25 dev01: %ASA-6-113012: AAA user authentication Successful: local database: user = alice
May 5 19:02:25 dev01: %ASA-3-113021: Attempted console login failed. User eve did NOT have appropriate Admin Rights.
May 5 19:02:25 dev01: %ASA-6-716039: Authentication: rejected, group = malcorp user = eve , Session Type: admin
May 5 19:02:25 dev01: %ASA-6-716039: Authentication: rejected, group = malcorp user = malory , Session Type: WebVPN
May 5 19:02:25 dev01: %ASA-6-716039: Group <malcorp> User <eve> IP <172.31.98.44> Authentication: rejected, Session Type: Admin.
May 5 19:02:25 dev01: %ASA-6-716039: Group <malcorp> User <malory> IP <172.31.98.44> Authentication: rejected, Session Type: WebVPN.
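Review bot: the 716039 samples cover both the legacy "group = X user = Y , Session Type: T" form and the newer "Group <X> User <Y> IP <Z> ... Session Type: T." form, which is good, but the same "Group <> User <> IP <>" layout also appears for 113039 in non-canonical.log (e.g. "%ASA-6-113039: Group <novpn> User <nt\minsk> IP <216.160.83.56> AnyConnect parent session started."), and that message is not represented in this canonical test set. Consider adding one 113039 line here so the shared field extraction for the angle-bracket form is asserted against the canonical golden file as well. Note also that the 113005 line carries a masked user ("user = *****"), so the expected output should make explicit how the pipeline treats that placeholder.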
Expand Up @@ -4593,5 +4593,243 @@
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "113004",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113004,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-113004: AAA user authentication Successful: server = 81.2.69.144 , User = alice",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 13920,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "113004",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113004,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-113004: AAA user authorization Successful: server = 81.2.69.144 , User = alice",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 14030,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "113005",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113005,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 81.2.69.144 : user = *****: user IP = 172.31.98.44",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 14139,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "113012",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113012,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-113012: AAA user authentication Successful: local database: user = alice",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 14293,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "113021",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 113021,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-3-113021: Attempted console login failed. User eve did NOT have appropriate Admin Rights.",
"event.severity": 3,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "error",
"log.offset": 14396,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "716039",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 716039,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-716039: Authentication: rejected, group = malcorp user = eve , Session Type: admin",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 14514,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
},
{
"cisco.asa.message_id": "716039",
"event.action": "firewall-rule",
"event.category": [
"network"
],
"event.code": 716039,
"event.dataset": "cisco.asa",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-716039: Authentication: rejected, group = malcorp user = malory , Session Type: WebVPN",
"event.severity": 6,
"event.timezone": "-02:00",
"event.type": [
"info"
],
"fileset.name": "asa",
"host.hostname": "dev01",
"input.type": "log",
"log.level": "informational",
"log.offset": 14627,
"observer.hostname": "dev01",
"observer.product": "asa",
"observer.type": "firewall",
"observer.vendor": "Cisco",
"related.hosts": [
"dev01"
],
"service.type": "cisco",
"tags": [
"cisco-asa",
"forwarded"
]
}
]
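Review bot: the golden documents for the new AAA lines (message ids 113004, 113005, 113012, 113021 and 716039) do not show any authentication detail being extracted: every one of them has "event.action": "firewall-rule", "event.category": ["network"] and "event.type": ["info"], and none carries user.name, source.ip, event.outcome or the AAA server address that is present in event.original (e.g. "server = 81.2.69.144 , User = alice", "user IP = 172.31.98.44", "Authentication: rejected"). If the intent of "add handling of AAA operations" is to map these events, the expected output should reflect event.category ["authentication"] with event.outcome "success"/"failure", user.name for alice/eve/malory (and no user.name at all for the masked "*****" in the 113005 document), and the user IP in source.ip; if the intent is only to stop these messages from raising pipeline errors, please state that in the PR description so the limited scope is clear to reviewers and to anyone writing detections on this dataset.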
19 changes: 19 additions & 0 deletions x-pack/filebeat/module/cisco/asa/test/non-canonical.log
@@ -0,0 +1,19 @@
Jul 15 13:38:14 216.160.83.56 : %ASA-6-302013: Built inbound TCP connection 3263493120 for DMZ:shule/5802 (shule/5802) to SERVERS:10.10.227.121/80 (10.10.227.121/80)
Jul 15 13:38:11 216.160.83.56 : %ASA-6-302013: Built outbound TCP connection 3263492189 for MG:exp_srv/10050 (exp_srv/10050) to SERVERS:10.10.227.170/46145 (10.10.224.1/46145)
Jul 15 13:38:08 81.2.69.142 %ASA-6-302015: Built outbound UDP connection 743108828 for outside:ns10/53 (ns10/53) to MND_sec:192.168.174.100/48347 (89.160.20.128/48347)
Jul 15 13:38:03 81.2.69.142 %ASA-6-302015: Built outbound UDP connection 743108738 for outside:ns10/53 (ns10/53) to MND_sec:192.168.174.100/55653 (81.2.69.192/55653)
Jul 15 13:36:59 216.160.83.56 : %ASA-6-106015: Deny TCP (no connection) from 10.12.227.40/389 to exp-angle/54703 flags RST on interface SH_INFRA_MGT
Jul 15 13:36:39 216.160.83.56 : %ASA-6-106015: Deny TCP (no connection) from 89.160.20.128/56594 to sh-mailgw1/25 flags FIN ACK on interface outside
Jul 15 13:38:47 216.160.83.56 : %ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/62409 to outside:81.2.69.142/62409 duration 0:00:41
Jul 15 13:37:33 216.160.83.56 : %ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/56421 to outside:81.2.69.142/56421 duration 0:00:30
Jul 15 13:39:04 216.160.83.56 : %ASA-6-305011: Built dynamic TCP translation from SERVERS:exp-srv/50578 to outside:81.2.69.142/50578
Jul 15 13:37:02 216.160.83.56 : %ASA-6-305011: Built dynamic UDP translation from SERVERS:exp-wait/56570 to outside:81.2.69.142/56570
Jul 15 13:18:06 216.160.83.56 : %ASA-4-106023: Deny tcp src MG:exp_srv/64593 dst SH_OSS:89.160.20.128/2511 by access-group "MGT_access_in" [0x0, 0x0]
Jul 15 01:18:01 216.160.83.56 : %ASA-4-106023: Deny tcp src MG:exp_srv/63513 dst SH_OSS:89.160.20.128/2511 by access-group "MGT_access_in" [0x0, 0x0]
Jul 15 13:30:09 81.2.69.142 %ASA-6-302020: Built inbound ICMP connection for faddr eth0_fw/6553 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
Jul 14 01:45:09 81.2.69.142 %ASA-6-302020: Built inbound ICMP connection for faddr eth0_fw/8396 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
Jul 15 13:30:09 81.2.69.142 %ASA-6-302021: Teardown ICMP connection for faddr eth0_fw/6553 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
Jul 14 01:45:09 81.2.69.142 %ASA-6-302021: Teardown ICMP connection for faddr eth0_fw/8396 gaddr 81.2.69.192/0 laddr 81.2.69.192/0 type 8 code 0
Jul 15 12:18:51 81.2.69.192 %ASA-6-113039: Group <novpn> User <nt\minsk> IP <216.160.83.56> AnyConnect parent session started.
Jul 1 09:27:13 216.160.83.56 : %ASA-6-113039: Group <Group_VPN> User <support\column> IP <81.2.69.192> AnyConnect parent session started.
Jun 14 01:22:47 81.2.69.142 %ASA-5-304001: 192.168.14.22 Accessed URL mirror:http://mirror.example.com/path/to/resource
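Review bot: no expected-output file (non-canonical.log-expected.json) for this new test log appears in the diff, so the non-canonical variants it introduces are not checked by the golden tests; please add one. The file deliberately mixes two syslog header shapes, "HOST : %ASA-..." (216.160.83.56 :) and "HOST %ASA-..." (81.2.69.142 with no colon), and uses hostnames instead of addresses in the connection fields (DMZ:shule/5802, outside:ns10/53, MG:exp_srv/10050, eth0_fw/6553), plus a URL with an extra "mirror:" scheme prefix in the 304001 line, so the expected documents should confirm that those names land in source.domain/destination.domain rather than being written to the IP-typed source.ip/destination.ip fields, and that the url field keeps the full "mirror:http://..." value or documents how it is split.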