Version 7.9.2
Debian 10
Problematic file: /usr/share/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
The 305011 parse pattern doesn't account for the presence of source.user.name (the "(DOMAIN\user)" suffix that can follow the source port):
pattern: "Built %{} %{network.transport} translation from %{temp.cisco.source_interface}:%{source.address}/%{source.port} to %{temp.cisco.destination_interface}:%{destination.address}/%{destination.port}"
Logstash does this correctly:
CISCOFW305011 %{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?((%{DATA:src_fwuser}))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}
The same issue affects 302015 and 302013.
Filebeat pattern:
pattern: "Built %{network.direction} %{network.transport} connection %{temp.cisco.connection_id} for %{temp.cisco.source_interface}:%{source.address}/%{source.port} (%{temp.natsrcip}/%{temp.cisco.mapped_source_port}) to %{temp.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{temp.natdstip}/%{temp.cisco.mapped_destination_port})"
Logstash again does it correctly:
CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( (%{IP:src_mapped_ip}/%{INT:src_mapped_port}))?((%{DATA:src_fwuser}))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( (%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}))?((%{DATA:dst_fwuser}))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( (%{DATA:user}))?
Also, the 722051 pattern doesn't account for the angle brackets around the IP addresses. Logstash doesn't parse 722051 messages at all.
Resulting anonymized error messages:
Oct 03 13:53:55 xxxx filebeat[10145]: 2020-10-03T13:53:55.643-0500 WARN [elasticsearch] elasticsearch/client.go:407 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfd65010cf489145, ext:3086635459, loc:(*time.Location)(0x607ff60)}, Meta:{"pipeline":"filebeat-7.9.2-cisco-asa-asa-ftd-pipeline"}, Fields:{"agent":{"ephemeral_id":"0eb2fd0e-c07e-430c-ab52-af187d1350dd","hostname":"xxxx","id":"fa6227e2-086e-4131-8b98-74cd576212aa","name":"xxxx","type":"filebeat","version":"7.9.2"},"ecs":{"version":"1.5.0"},"event":{"dataset":"cisco.asa","module":"cisco","timezone":"-05:00"},"fileset":{"name":"asa"},"input":{"type":"log"},"log":{"file":{"path":"/path/file.log"},"offset":1457},"message":"Oct 3 04:00:14 xxxx %ASA-6-305011: Built dynamic UDP translation from any:10.190.132.108/35854(LOCAL\username) to VLANyyyy:aaa.bbb.ccc.ddd/35854","service":{"type":"cisco"},"tags":["cisco-asa","forwarded"]}, Private:file.State{Id:"native::22-65026", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000c3dc70), Source:"/path/file.log", Offset:1628, Timestamp:time.Time{wall:0xbfd650103ab4b607, ext:815143094, loc:(*time.Location)(0x607ff60)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x16, Device:0xfe02}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [source.port] of type [long] in document with id 'Gn3Q73QBS_mRngGNO7nm'. Preview of field's value: '35854(LOCAL\username)'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: "35854(LOCAL\username)""}}
Oct 03 13:53:55 xxxx filebeat[10145]: 2020-10-03T13:53:55.643-0500 WARN [elasticsearch] elasticsearch/client.go:407 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfd65010cf48eb55, ext:3086658514, loc:(*time.Location)(0x607ff60)}, Meta:{"pipeline":"filebeat-7.9.2-cisco-asa-asa-ftd-pipeline"}, Fields:{"agent":{"ephemeral_id":"0eb2fd0e-c07e-430c-ab52-af187d1350dd","hostname":"xxxx","id":"fa6227e2-086e-4131-8b98-74cd576212aa","name":"xxxx","type":"filebeat","version":"7.9.2"},"ecs":{"version":"1.5.0"},"event":{"dataset":"cisco.asa","module":"cisco","timezone":"-05:00"},"fileset":{"name":"asa"},"input":{"type":"log"},"log":{"file":{"path":"/path/file.log"},"offset":1628},"message":"Oct 3 04:00:14 yyyy %ASA-6-302015: Built inbound UDP connection 2571109148 for VLANzzz:aaa.bbb.ccc.ddd/35854 (eee.fff.ggg.hhh/35854)(LOCAL\username) to VLANyyy:ppp.ppp.ppp.ppp:53 (ppp.ppp.ppp.ppp/53) (username)","service":{"type":"cisco"},"tags":["cisco-asa","forwarded"]}, Private:file.State{Id:"native::22-65026", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000c3dc70), Source:"/path/file.log", Offset:1871, Timestamp:time.Time{wall:0xbfd650103ab4b607, ext:815143094, loc:(*time.Location)(0x607ff60)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x16, Device:0xfe02}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [source.nat.port] of type [long] in document with id 'HX3Q73QBS_mRngGNO7nm'. Preview of field's value: '35854)(LOCAL\\username'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: "35854)(LOCAL\\username""}}
Oct 03 13:53:55 xxxx filebeat[10145]: 2020-10-03T13:53:55.729-0500 WARN [elasticsearch] elasticsearch/client.go:407 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfd65010cf4fa6a2, ext:3087099667, loc:(*time.Location)(0x607ff60)}, Meta:{"pipeline":"filebeat-7.9.2-cisco-asa-asa-ftd-pipeline"}, Fields:{"agent":{"ephemeral_id":"0eb2fd0e-c07e-430c-ab52-af187d1350dd","hostname":"ixxxx","id":"fa6227e2-086e-4131-8b98-74cd576212aa","name":"xxxx","type":"filebeat","version":"7.9.2"},"ecs":{"version":"1.5.0"},"event":{"dataset":"cisco.asa","module":"cisco","timezone":"-05:00"},"fileset":{"name":"asa"},"input":{"type":"log"},"log":{"file":{"path":"/path/file.log"},"offset":206995887},"message":"Oct 3 00:12:59 yyyy%ASA-6-302013: Built inbound TCP connection 2568709940 for VLANyyy:aaa.bbb.ccc.ddd/57999 (hhh.iii.jjj.kkk/57999)(LOCAL\username) to VLANzzz:mmm.nnn.ooo.ppp/443 (/443) (username)","service":{"type":"cisco"},"tags":["cisco-asa","forwarded"]}, Private:file.State{Id:"native::15-65026", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000c3d5f0), Source:"/path/file.log", Offset:206996125, Timestamp:time.Time{wall:0xbfd650103acaa335, ext:816580032, loc:(*time.Location)(0x607ff60)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0xf, Device:0xfe02}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [source.nat.port] of type [long] in document with id 'uH3Q73QBS_mRngGNPLlz'. Preview of field's value: '57999)(LOCAL\\username'","caused_by":{"type":"illegal_argument_exception","reason":"For input string: "57999)(LOCAL\\username""}}
Oct 03 13:54:16 xxxxfilebeat[10145]: 2020-10-03T13:54:16.769-0500 WARN [elasticsearch] elasticsearch/client.go:407 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfd6501526b0742b, ext:20479319711, loc:(*time.Location)(0x607ff60)}, Meta:{"pipeline":"filebeat-7.9.2-cisco-asa-asa-ftd-pipeline"}, Fields:{"agent":{"ephemeral_id":"0eb2fd0e-c07e-430c-ab52-af187d1350dd","hostname":"xxxx","id":"fa6227e2-086e-4131-8b98-74cd576212aa","name":"xxxx","type":"filebeat","version":"7.9.2"},"ecs":{"version":"1.5.0"},"event":{"dataset":"cisco.asa","module":"cisco","timezone":"-05:00"},"fileset":{"name":"asa"},"input":{"type":"log"},"log":{"file":{"path":"/path/file.log"},"offset":122047},"message":"Oct 3 06:00:14 yyy %ASA-4-722051: Group \u003cvpn-group-policy\u003e User \u003cusername*\u003e IP \u003caaa.bbb.ccc.ddd\u003e IPv4 Address \u003cggg.hhh.iii.jjj\u003e IPv6 address \u003c::\u003e assigned to session","service":{"type":"cisco"},"tags":["cisco-asa","forwarded"]}, Private:file.State{Id:"native::24-65026", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000d64000), Source:"/path/file.log", Offset:122224, Timestamp:time.Time{wall:0xbfd65010cf569f4a, ext:3087556555, loc:(*time.Location)(0x607ff60)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x18, Device:0xfe02}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [cisco.asa.assigned_ip] of type [ip] in document with id 'PwfQ73QB0kNeqwYQjoGm'. Preview of field's value: '<1aaa.bbb.ccc.ddd>'","caused_by":{"type":"illegal_argument_exception","reason":"'<aaa.bbb.ccc.ddd>' is not an IP string literal."}}