Hi I've noticed what i consider an error in the logstash firewall pattern related to cisco asa.
the syslogID in the cisco firewall raw log looks like this with respective relevant fields. We are testing opendns so DNS traffic from our network looks like this.
<174>%ASA-6-302015: Built outbound UDP connection 276686124 for OUTSIDE:208.67.222.222/53 (208.67.222.222/53) to INSIDE:172.xx.xx.11/59804 (xxx.xxx.xxx.xxx/53723)
This our inside dns server makeing a request to an outside (openDNS) server on port 53.
however looking at it in ELK it looks like this, and in my view making in look like the traffic is INBOUND, and thus reversed compared to what the ciscolog shows.
I believe the problem is in this part of the ciscoasa filter for logstash
/patterns/firewalls
ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( (%{IP:src_mapped_ip}/%{INT:src_mapped_port}))?((%{DATA:src_fwuser}))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( (%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}))?((%{DATA:dst_fwuser}))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( (%{DATA:user}))?
could be be that it can't handle the difference between inbound and outbound traffic, and there is a need for a filter that takes inbound/outbound into account?
in kibana after being parsed with logstash it looks like this
"direction": "outbound",
"protocol": "UDP",
"connection_id": "276715487",
"src_interface": "OUTSIDE",
"src_ip": "208.67.222.222",
"src_port": "53",
"src_mapped_ip": "208.67.222.222",
"src_mapped_port": "53",
"dst_interface": "INSIDE",
"_dst_ip": "172.17.20.10",_
"dst_port": "62110",
"dst_mapped_ip": "xxx.xx.xxx.xxx",
"dst_mapped_port": "62110",
"syslog_severity_code": 5,
"syslog_facility_code": 1,
"syslog_facility": "user-level",
"syslog_severity": "notice",
"geoip": {
"ip": "208.67.222.222",