SIEM not detecting ASA success/failure logins

The SIEM app is not detecting successful and failed logins from ASA syslog messages. It also attributes the firewall events to the Filebeat collector, showing the Filebeat machine's hostname as the event host in the SIEM app. What can I do?

ASA syslog message parsing in Filebeat 7.4 could be improved to populate observer.hostname / observer.ip (the firewall, taken from the syslog header and the packet's source address, rather than the collector) and event.type / event.category, so that the SIEM app can recognise authentication successes and failures.

I use the following grok filters in Logstash 6.6 to parse ASA firewall syslog messages:

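 # Parse the syslog header the ASA prepends to every message, e.g.
 #   <166>Pas-FW %ASA-6-113012: AAA user authentication Successful : ...
 # Captures: recordId = syslog PRI, hostname = the firewall's own name,
 # event.dataset = the product token ("ASA"), severity = the ASA severity digit,
 # cisco.asa.message_id = the numeric message ID. Select per-message parsing on
 # cisco.asa.message_id rather than on a substring search of the raw message.
 # On failure the event is tagged _grokparsefailure by default; alert on that
 # tag, because an unparsed authentication message is a silent detection gap.
 # NOTE(review): ECS reserves event.dataset for values like "cisco.asa";
 # consider moving the product token to another field.
 grok {
   match => { "message" => "<%{INT:recordId}>%{DATA:[hostname]} \%%{DATA:[event][dataset]}-%{INT:[severity]}-%{INT:[cisco][asa][message_id]}:" }
   # ECS: the device that produced the log is the observer; host.* is the
   # Filebeat/Logstash machine. Populating observer.hostname lets the SIEM
   # attribute firewall events to the firewall instead of the collector.
   add_field => { "[observer][hostname]" => "%{[hostname]}" }
 }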

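 # 111008: an authenticated administrator executed a command (config audit trail).
 # Keyed on the parsed message ID instead of `"%ASA-5-111008" in [message]`:
 # a substring test also fires when attacker-influenced text in the message
 # (a username, the executed command) contains another message ID, and a
 # crafted message can then receive a second, wrong event.outcome.
 if [cisco][asa][message_id] == "111008" {
   grok {
     match => { "message" => "111008: User '%{DATA:[cisco][asa][source_username]}' %{GREEDYDATA:[event][action]}" }
     add_field => {
       # NOTE(review): ECS log.original is meant for the raw message; this label
       # would fit better in event.reason or message. Kept for compatibility.
       "[log][original]" => "Command Executed"
       "[event][outcome]" => "success"
     }
   }
 }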

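 # 113008: AAA transaction accepted (successful login). Keyed on the parsed
 # message ID, not a substring of the raw message (see 111008 block rationale).
 # NOTSPACE instead of WORD: WORD (\b\w+\b) truncates usernames at `.`, `-`,
 # `@` or `\` (user@domain, DOMAIN\user) and fails outright when the username
 # starts with a non-word character, so the success event lost its attribution.
 if [cisco][asa][message_id] == "113008" {
   grok {
     match => { "message" => "113008: %{GREEDYDATA:[event][action]} : user = %{NOTSPACE:[cisco][asa][source_username]}" }
     add_field => {
       # NOTE(review): ECS log.original is meant for the raw message; kept as-is
       # for compatibility with existing searches.
       "[log][original]" => "AAA transaction status ACCEPT"
       "[event][outcome]" => "success"
     }
   }
 }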

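 # 113012: local-database authentication succeeded. Keyed on the parsed
 # message ID rather than a substring of the raw message.
 # NOTSPACE instead of WORD so usernames containing `.`, `-`, `@` or `\` are
 # captured whole rather than truncated at the first such character.
 if [cisco][asa][message_id] == "113012" {
   grok {
     match => { "message" => "113012: %{GREEDYDATA:[event][action]} : local database : user = %{NOTSPACE:[cisco][asa][source_username]}" }
     add_field => {
       # NOTE(review): ECS log.original is meant for the raw message; kept as-is
       # for compatibility with existing searches.
       "[log][original]" => "Successful AAA Authentication"
       "[event][outcome]" => "success"
     }
   }
 }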

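 # 113015: local-database authentication rejected. This is the failed-login
 # signal that brute-force / password-spray detections depend on, so the
 # pattern must not be fragile:
 #  - `(?<event.reason>\w+ \w+)` only matched reasons that are exactly two word
 #    tokens; any other reason string failed the whole grok and the event was
 #    never marked as a failure. DATA captures whatever the ASA emits, bounded
 #    by the literal " : local database : user = " that follows.
 #  - WORD truncated usernames at `.`/`-`/`@`/`\` and failed on a leading
 #    non-word character — exactly the unusual usernames an attacker tries.
 #  - In Logstash a dotted capture name (`event.reason`) is a literal key, not
 #    the nested [event][reason] field; the nested form is used throughout.
 # Keyed on the parsed message ID rather than a substring of the raw message.
 if [cisco][asa][message_id] == "113015" {
   grok {
     match => { "message" => "113015: %{GREEDYDATA:[event][action]} : reason = %{DATA:[event][reason]} : local database : user = %{NOTSPACE:[cisco][asa][source_username]}" }
     add_field => {
       "[log][original]" => "Failed AAA Authentication - %{[event][reason]}"
       "[event][outcome]" => "failure"
     }
   }
 }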

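 # 113013: AAA transaction failed. Same hardening as the 113015 block: the
 # original capture `(?<event.reason>\w+ \w+)` created a literal `event.reason`
 # key, so the `%{[event][reason]}` reference in the label never resolved and
 # the label was emitted verbatim; it also failed for any reason that was not
 # exactly two word tokens, dropping the failure outcome entirely. NOTSPACE
 # keeps usernames containing `.`/`-`/`@`/`\` intact.
 # Keyed on the parsed message ID rather than a substring of the raw message.
 if [cisco][asa][message_id] == "113013" {
   grok {
     match => { "message" => "113013: %{GREEDYDATA:[event][action]} : reason = %{DATA:[event][reason]} : local database : user = %{NOTSPACE:[cisco][asa][source_username]}" }
     add_field => {
       "[log][original]" => "Failed AAA Transaction - %{[event][reason]}"
       "[event][outcome]" => "failure"
     }
   }
 }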

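 # 113019: labelled here as a session timeout. The grok pattern is a copy of
 # the 113015 layout (" : reason = ... : local database : user = ").
 # NOTE(review): confirm this against a real 113019 message from your ASA
 # before relying on it — if 113019 is a session-disconnect record rather than
 # a rejected authentication, this pattern will never match and
 # event.outcome=failure is misleading for a normal session end.
 # Same capture fixes as 113013/113015: nested [event][reason] so the label's
 # `%{[event][reason]}` resolves, DATA for arbitrary reason text, NOTSPACE for
 # usernames containing `.`/`-`/`@`/`\`.
 # Keyed on the parsed message ID rather than a substring of the raw message.
 if [cisco][asa][message_id] == "113019" {
   grok {
     match => { "message" => "113019: %{GREEDYDATA:[event][action]} : reason = %{DATA:[event][reason]} : local database : user = %{NOTSPACE:[cisco][asa][source_username]}" }
     add_field => {
       "[log][original]" => "Session Timeout - %{[event][reason]}"
       "[event][outcome]" => "failure"
     }
   }
 }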
}

Currently the cisco/asa fileset is focused on network traffic / firewall activity logs; AAA/authentication messages such as 113008/113012/113015 are not categorised, which is why the SIEM app does not surface them as logins. In that respect, feel free to open an Enhancement request.

Regarding the syslog parsing, we've had a lot of problems related to this because the syslog parser in Filebeat was too inflexible and didn't accommodate all the possible variations. We're working on improving Syslog support at the filebeat level. For 7.4.0, the ASA ingest pipeline has been improved to do a best effort at parsing most syslog formats used by different ASA/FTD devices, but it's far from perfect. Is it not populating the host.hostname field for you?

I am running Filebeat on a Windows machine, so host.hostname is populated with the Windows collector's name and no observer.* field is present. At a minimum Filebeat should derive observer.ip from log.source.address (172.21.10.1 here) or observer.hostname from the syslog header (`Pas-FW`) so the events are attributed to the firewall; as it stands, the SIEM app lists the firewall's syslog events under the Windows host's name.

Can you share a few of your syslog messages so I can test them and hopefully prepare a fix?

{
  "_index": "filebeat-7.4.0-2019.10.16-000001",
  "_type": "_doc",
  "_id": "MmCh3m0BKBSvbHYfQQZO",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "hostname": "PAS-PRTG-PC",
      "id": "538baf6c-9ce6-41a8-b61f-5d3b94f1d7e7",
      "type": "filebeat",
      "ephemeral_id": "c42b1948-cdae-4551-a4ec-6fad657d9ae5",
      "version": "7.4.0"
    },
    "log": {
      "level": "notification",
      "source": {
        "address": "172.21.10.1:514"
      }
    },
    "fileset": {
      "name": "asa"
    },
    "tags": [
      "cisco-asa"
    ],
    "input": {
      "type": "udp"
    },
    "@timestamp": "2019-10-18T16:58:41.283+05:30",
    "ecs": {
      "version": "1.1.0"
    },
    "service": {
      "type": "cisco"
    },
    "host": {
      "hostname": "PAS-PRTG-PC",
      "os": {
        "build": "7601.24468",
        "kernel": "6.1.7601.24475 (win7sp1_ldr.190516-0600)",
        "name": "Windows 7 Ultimate",
        "family": "windows",
        "version": "6.1",
        "platform": "windows"
      },
      "name": "PAS-PRTG-PC",
      "id": "99b90cb4-a609-4eb1-8d7d-860b61309404",
      "architecture": "x86_64"
    },
    "event": {
      "severity": 5,
      "code": 111010,
      "original": "<165>Pas-FW %ASA-5-111010: User 'gopan', running 'N/A' from IP 172.21.21.12, executed 'police output 4000000 4000 conform-action transmit exceed-action drop'",
      "timezone": "+05:30",
      "module": "cisco",
      "action": "firewall-rule",
      "dataset": "cisco.asa"
    },
    "cisco": {
      "asa": {
        "message_id": "111010"
      }
    }
  },
  "fields": {
    "suricata.eve.timestamp": [
      "2019-10-18T11:28:41.283Z"
    ],
    "@timestamp": [
      "2019-10-18T11:28:41.283Z"
    ]
  },
  "highlight": {
    "fileset.name": [
      "@kibana-highlighted-field@asa@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1571398121283
  ]
}

    {
      "_index": "filebeat-7.4.0-2019.10.16-000001",
      "_type": "_doc",
      "_id": "sWCh3m0BKBSvbHYfAgVF",
      "_version": 1,
      "_score": null,
      "_source": {
    "agent": {
      "hostname": "PAS-PRTG-PC",
      "id": "538baf6c-9ce6-41a8-b61f-5d3b94f1d7e7",
      "type": "filebeat",
      "ephemeral_id": "c42b1948-cdae-4551-a4ec-6fad657d9ae5",
      "version": "7.4.0"
    },
    "log": {
      "level": "informational",
      "source": {
        "address": "172.21.10.1:514"
      }
    },
    "fileset": {
      "name": "asa"
    },
    "tags": [
      "cisco-asa"
    ],
    "input": {
      "type": "udp"
    },
    "@timestamp": "2019-10-18T16:58:22.404+05:30",
    "ecs": {
      "version": "1.1.0"
    },
    "service": {
      "type": "cisco"
    },
    "host": {
      "hostname": "PAS-PRTG-PC",
      "os": {
        "build": "7601.24468",
        "kernel": "6.1.7601.24475 (win7sp1_ldr.190516-0600)",
        "name": "Windows 7 Ultimate",
        "family": "windows",
        "version": "6.1",
        "platform": "windows"
      },
      "name": "PAS-PRTG-PC",
      "id": "99b90cb4-a609-4eb1-8d7d-860b61309404",
      "architecture": "x86_64"
    },
    "event": {
      "severity": 6,
      "code": 113008,
      "original": "<166>Pas-FW %ASA-6-113008: AAA transaction status ACCEPT : user = asauser",
      "timezone": "+05:30",
      "module": "cisco",
      "action": "firewall-rule",
      "dataset": "cisco.asa"
    },
    "cisco": {
      "asa": {
        "message_id": "113008"
      }
    }
      },
      "fields": {
    "suricata.eve.timestamp": [
      "2019-10-18T11:28:22.404Z"
    ],
    "@timestamp": [
      "2019-10-18T11:28:22.404Z"
    ]
      },
      "highlight": {
    "fileset.name": [
      "@kibana-highlighted-field@asa@/kibana-highlighted-field@"
    ]
      },
      "sort": [
    1571398102404
      ]
    }

    {
      "_index": "filebeat-7.4.0-2019.10.16-000001",
      "_type": "_doc",
      "_id": "sGCh3m0BKBSvbHYfAgVF",
      "_version": 1,
      "_score": null,
      "_source": {
    "agent": {
      "hostname": "PAS-PRTG-PC",
      "id": "538baf6c-9ce6-41a8-b61f-5d3b94f1d7e7",
      "type": "filebeat",
      "ephemeral_id": "c42b1948-cdae-4551-a4ec-6fad657d9ae5",
      "version": "7.4.0"
    },
    "log": {
      "level": "informational",
      "source": {
        "address": "172.21.10.1:514"
      }
    },
    "fileset": {
      "name": "asa"
    },
    "tags": [
      "cisco-asa"
    ],
    "input": {
      "type": "udp"
    },
    "@timestamp": "2019-10-18T16:58:22.027+05:30",
    "ecs": {
      "version": "1.1.0"
    },
    "service": {
      "type": "cisco"
    },
    "host": {
      "hostname": "PAS-PRTG-PC",
      "os": {
        "build": "7601.24468",
        "kernel": "6.1.7601.24475 (win7sp1_ldr.190516-0600)",
        "name": "Windows 7 Ultimate",
        "family": "windows",
        "version": "6.1",
        "platform": "windows"
      },
      "name": "PAS-PRTG-PC",
      "id": "99b90cb4-a609-4eb1-8d7d-860b61309404",
      "architecture": "x86_64"
    },
    "event": {
      "severity": 6,
      "code": 113012,
      "original": "<166>Pas-FW %ASA-6-113012: AAA user authentication Successful : local database : user = asauser",
      "timezone": "+05:30",
      "module": "cisco",
      "action": "firewall-rule",
      "dataset": "cisco.asa"
    },
    "cisco": {
      "asa": {
        "message_id": "113012"
      }
    }
      },
      "fields": {
    "suricata.eve.timestamp": [
      "2019-10-18T11:28:22.027Z"
    ],
    "@timestamp": [
      "2019-10-18T11:28:22.027Z"
    ]
      },
      "highlight": {
    "fileset.name": [
      "@kibana-highlighted-field@asa@/kibana-highlighted-field@"
    ]
      },
      "sort": [
    1571398102027
      ]
    }

This is from the Filebeat debug log: ASA syslog message IDs 113012 and 113008 from an ASA 5500-series firewall.

2019-10-19T10:56:19.309+0530	DEBUG	[processors]	processing/processors.go:183	Publish event: {
  "@timestamp": "2019-10-19T05:26:19.010Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.4.0",
    "truncated": false,
    "pipeline": "filebeat-7.4.0-cisco-asa-asa-ftd-pipeline"
  },
  "input": {
    "type": "udp"
  },
  "event": {
    "dataset": "cisco.asa",
    "timezone": "+05:30",
    "module": "cisco"
  },
  "agent": {
    "id": "538baf6c-9ce6-41a8-b61f-5d3b94f1d7e7",
    "version": "7.4.0",
    "type": "filebeat",
    "ephemeral_id": "c42b1948-cdae-4551-a4ec-6fad657d9ae5",
    "hostname": "PAS-PRTG-PC"
  },
  "message": "<166>Pas-FW %ASA-6-113012: AAA user authentication Successful : local database : user = asauser\n",
  "fileset": {
    "name": "asa"
  },
  "service": {
    "type": "cisco"
  },
  "ecs": {
    "version": "1.1.0"
  },
  "host": {
    "name": "PAS-PRTG-PC",
    "hostname": "PAS-PRTG-PC",
    "architecture": "x86_64",
    "os": {
      "kernel": "6.1.7601.24475 (win7sp1_ldr.190516-0600)",
      "build": "7601.24468",
      "platform": "windows",
      "version": "6.1",
      "family": "windows",
      "name": "Windows 7 Ultimate"
    },
    "id": "99b90cb4-a609-4eb1-8d7d-860b61309404"
  },
  "log": {
    "source": {
      "address": "172.21.10.1:514"
    }
  },
  "tags": [
    "cisco-asa"
  ]
}
2019-10-19T10:56:19.311+0530	DEBUG	[processors]	processing/processors.go:183	Publish event: {
  "@timestamp": "2019-10-19T05:26:19.310Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.4.0",
    "truncated": false,
    "pipeline": "filebeat-7.4.0-cisco-asa-asa-ftd-pipeline"
  },
  "agent": {
    "version": "7.4.0",
    "type": "filebeat",
    "ephemeral_id": "c42b1948-cdae-4551-a4ec-6fad657d9ae5",
    "hostname": "PAS-PRTG-PC",
    "id": "538baf6c-9ce6-41a8-b61f-5d3b94f1d7e7"
  },
  "ecs": {
    "version": "1.1.0"
  },
  "message": "<166>Pas-FW %ASA-6-113008: AAA transaction status ACCEPT : user = asauser\n",
  "log": {
    "source": {
      "address": "172.21.10.1:514"
    }
  },
  "event": {
    "module": "cisco",
    "timezone": "+05:30",
    "dataset": "cisco.asa"
  },
  "input": {
    "type": "udp"
  },
  "host": {
    "name": "PAS-PRTG-PC",
    "hostname": "PAS-PRTG-PC",
    "architecture": "x86_64",
    "os": {
      "kernel": "6.1.7601.24475 (win7sp1_ldr.190516-0600)",
      "build": "7601.24468",
      "platform": "windows",
      "version": "6.1",
      "family": "windows",
      "name": "Windows 7 Ultimate"
    },
    "id": "99b90cb4-a609-4eb1-8d7d-860b61309404"
  },
  "tags": [
    "cisco-asa"
  ],
  "fileset": {
    "name": "asa"
  },
  "service": {
    "type": "cisco"
  }
}
