The SIEM is not detecting success and failure logins from ASA syslog messages, and it also detects the Filebeat hostname as the host in the SIEM app. What can I do?
ASA syslog message parsing in Filebeat 7.4 could be better at populating the observer hostname and IP and the event type and category.
I use the following grok filters in Logstash 6.6 to parse ASA firewall syslog messages:
filter {
  # Syslog header: <PRI>hostname %ASA-SEVERITY-MESSAGEID: ...
  # [hostname] is the ASA's own name from the header (the shipper's name stays in [host]);
  # the SIEM app reads [observer][hostname], so that is the field to populate from it.
  grok {
    match => { "message" => "<%{INT:recordId}>%{DATA:[hostname]} \%%{DATA:[event][dataset]}-%{INT:[severity]}-%{INT:[cisco][asa][message_id]}:" }
  }
  if "%ASA-5-111008" in [message] {
    grok {
      match => { "message" => "111008: User '%{DATA:[cisco][asa][source_username]}' %{GREEDYDATA:[event][action]}" }
      add_field => {
        "[log][original]" => "Command Executed"
        "[event][outcome]" => "success"
      }
    }
  }
  if "ASA-6-113008" in [message] {
    grok {
      match => { "message" => "113008: %{GREEDYDATA:[event][action]} : user = %{WORD:[cisco][asa][source_username]}" }
      add_field => {
        "[log][original]" => "AAA transaction status ACCEPT"
        "[event][outcome]" => "success"
      }
    }
  }
  if "ASA-6-113012" in [message] {
    grok {
      match => { "message" => "113012: %{GREEDYDATA:[event][action]} : local database : user = %{WORD:[cisco][asa][source_username]}" }
      add_field => {
        "[log][original]" => "Successful AAA Authentication"
        "[event][outcome]" => "success"
      }
    }
  }
  # The reason is captured into the nested field [event][reason] through a custom pattern
  # so that the add_field sprintf references below resolve; a raw (?<event.reason>...) capture
  # creates a top-level field literally named "event.reason", which %{[event][reason]} does not find.
  if "ASA-6-113015" in [message] {
    grok {
      pattern_definitions => { "ASAREASON" => "\w+ \w+" }
      match => { "message" => "113015: %{GREEDYDATA:[event][action]} : reason = %{ASAREASON:[event][reason]} : local database : user = %{WORD:[cisco][asa][source_username]}" }
      add_field => {
        "[log][original]" => "Failed AAA Authentication - %{[event][reason]}"
        "[event][outcome]" => "failure"
      }
    }
  }
  if "ASA-6-113013" in [message] {
    grok {
      pattern_definitions => { "ASAREASON" => "\w+ \w+" }
      match => { "message" => "113013: %{GREEDYDATA:[event][action]} : reason = %{ASAREASON:[event][reason]} : local database : user = %{WORD:[cisco][asa][source_username]}" }
      add_field => {
        "[log][original]" => "Failed AAA Transaction - %{[event][reason]}"
        "[event][outcome]" => "failure"
      }
    }
  }
  if "ASA-6-113019" in [message] {
    grok {
      pattern_definitions => { "ASAREASON" => "\w+ \w+" }
      match => { "message" => "113019: %{GREEDYDATA:[event][action]} : reason = %{ASAREASON:[event][reason]} : local database : user = %{WORD:[cisco][asa][source_username]}" }
      add_field => {
        "[log][original]" => "Session Timeout - %{[event][reason]}"
        "[event][outcome]" => "failure"
      }
    }
  }
}
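The same success/failure classification run over sample log lines, as an added Python example that is not part of the original post or of Filebeat's ASA module. It mirrors the per-message-ID patterns above (111008, 113008, 113012, 113013, 113015, 113019), takes the firewall name from the syslog header as observer.hostname rather than using the shipper's host, and adds a small failed-login count on top. The sample lines are constructed to fit the grok patterns on this page, not captured from a device; the event.category and event.type values, the user.name field and the labels.asa_description key are this example's assumptions.

```python
"""Classify Cisco ASA AAA syslog lines into ECS-style nested fields.

Added example, not code from the original post. It re-implements in Python
the classification the post's Logstash grok filters perform, so the logic
can be run and checked offline against sample lines.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Header shape the post's first grok expects: <PRI>hostname %ASA-SEV-ID: body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<hostname>.*?) %(?P<dataset>[A-Za-z]+)-(?P<severity>\d)"
    r"-(?P<message_id>\d+): (?P<body>.*)$"
)

# Body regexes mirror the post's grok patterns; the reason is two words (\w+ \w+) there.
REASON = r"(?P<reason>\w+ \w+)"
AAA_TAIL = r" : local database : user = (?P<user>\w+)$"
RULES = {
    # message_id: (outcome, category, type, description, body regex)
    # category/type values are this example's assumptions, not from the post.
    "111008": ("success", "configuration", "change", "Command Executed",
               re.compile(r"^User '(?P<user>[^']+)' (?P<action>.+)$")),
    "113008": ("success", "authentication", "start", "AAA transaction status ACCEPT",
               re.compile(r"^(?P<action>.+?) : user = (?P<user>\w+)$")),
    "113012": ("success", "authentication", "start", "Successful AAA Authentication",
               re.compile(r"^(?P<action>.+?)" + AAA_TAIL)),
    "113015": ("failure", "authentication", "denied", "Failed AAA Authentication",
               re.compile(r"^(?P<action>.+?) : reason = " + REASON + AAA_TAIL)),
    "113013": ("failure", "authentication", "error", "Failed AAA Transaction",
               re.compile(r"^(?P<action>.+?) : reason = " + REASON + AAA_TAIL)),
    "113019": ("failure", "authentication", "end", "Session Timeout",
               re.compile(r"^(?P<action>.+?) : reason = " + REASON + AAA_TAIL)),
}

# Constructed sample lines (not real captures), shaped like the post's patterns.
SAMPLE_LINES = [
    "<166>asa-edge-01 %ASA-6-113012: AAA user authentication Successful : local database : user = jdoe",
    "<166>asa-edge-01 %ASA-6-113008: AAA transaction status ACCEPT : user = jdoe",
    "<165>asa-edge-01 %ASA-5-111008: User 'jdoe' executed the 'enable' command.",
    "<166>asa-edge-01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = mallory",
    "<166>asa-edge-01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = mallory",
    "<166>asa-edge-01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = mallory",
    "<166>asa-edge-01 %ASA-6-113013: AAA unable to complete the request Error : reason = Server timeout : local database : user = bob",
    "<166>asa-edge-01 %ASA-6-302013: Built inbound TCP connection 1 for outside:203.0.113.5/4433 to inside:10.0.0.5/443",
]


def parse_asa_line(line: str) -> Optional[Dict]:
    """Return an ECS-style nested dict for one ASA line, or None if the header is not ASA syslog."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    h = m.groupdict()
    event: Dict = {
        "message": h["body"],
        "log": {"original": line,
                "syslog": {"priority": int(h["pri"]), "severity": {"code": int(h["severity"])}}},
        # The device named in the syslog header is the observer; host.name is left to
        # the shipper, so the firewall and the Filebeat box are not confused.
        "observer": {"hostname": h["hostname"], "vendor": "Cisco", "product": "ASA"},
        "event": {"dataset": h["dataset"].lower(), "code": h["message_id"]},
        "cisco": {"asa": {"message_id": h["message_id"]}},
    }
    rule = RULES.get(h["message_id"])
    if rule is None:
        return event  # header parsed; message ID is not one we classify
    outcome, category, etype, description, body_re = rule
    b = body_re.match(h["body"])
    if b is None:
        event["tags"] = ["_asa_body_parse_failure"]  # body shape changed; do not guess an outcome
        return event
    event["event"].update({"outcome": outcome, "category": [category],
                           "type": [etype], "action": b.group("action")})
    event["user"] = {"name": b.group("user")}
    event["cisco"]["asa"]["source_username"] = b.group("user")
    if "reason" in b.groupdict():
        event["event"]["reason"] = b.group("reason")
        description = f"{description} - {b.group('reason')}"
    event["labels"] = {"asa_description": description}  # the post's add_field text, kept out of log.original
    return event


def summarize(lines: List[str]) -> Counter:
    """Count (user, outcome) pairs over classified lines; unclassified lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_asa_line(line)
        if ev and "outcome" in ev["event"]:
            counts[(ev["user"]["name"], ev["event"]["outcome"])] += 1
    return counts


def failed_login_users(lines: List[str], threshold: int) -> List[str]:
    """Users with at least `threshold` failed authentication events (a simple brute-force check)."""
    failures: Counter = Counter()
    for line in lines:
        ev = parse_asa_line(line)
        if (ev and ev["event"].get("outcome") == "failure"
                and "authentication" in ev["event"].get("category", [])):
            failures[ev["user"]["name"]] += 1
    return sorted(u for u, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    for ev in map(parse_asa_line, SAMPLE_LINES):
        print(ev["event"]["code"], ev["event"].get("outcome"), ev.get("user", {}).get("name"))
    print("repeated failures:", failed_login_users(SAMPLE_LINES, 3))
```

Lines whose body no longer matches the expected shape are tagged rather than given an outcome, which is the same behaviour a `_grokparsefailure` tag gives in Logstash and keeps a changed firmware message from being silently reported as a success.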