[cisco_asa] Support IPv6 addresses in 750002 and 750003 messages (#14882)

- Add support for IPv6 addresses in 750002 and 750003 messages.
- Required changing dissect processors to grok

Author: taylor-swanson

packages/cisco_asa/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.43.7"
+  changes:
+    - description: Support IPv6 addresses in 750002 and 750003 messages.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14882
 - version: "2.43.6"
   changes:
     - description: Changed owners.

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json

@@ -5856,7 +5856,7 @@
                 "kind": "event",
                 "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database",
                 "outcome": "failure",
-                "reason": "Negotiation aborted due to Failed to locate an item in the database",
+                "reason": "Negotiation aborted due to ERROR: Failed to locate an item in the database",
                 "severity": 4,
                 "timezone": "UTC",
                 "type": [

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log

@@ -14,3 +14,5 @@ Jun 21 2022 11:47:08: %ASA-6-302015: Built inbound UDP connection 7 for outside:
 Jun 21 2022 11:47:09: %ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\alice, 123) to inside:89.160.20.112/9803 (89.160.20.112/9803)(LOCAL\dave, 246) (bob)
 Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested device to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/123123 locally
 <140>Feb 02 2025 14:02:35: %ASA-4-106103: access-list TEST_ACL_LIST denied tcp for user 'username' outside/81.2.69.142(51950) -> inside/89.160.20.112(443) hit-cnt 1 first hit [0xd3e666fa, 0x0]
+Aug 05 2025 11:47:09: %ASA-5-750002: Local:2a02:cf40::6:500 Remote:2a02:cf40:0000:0000:0000:0000:0000:0001:50329 Username:Unknown IKEv2 Received a IKE_INIT_SA request
+Aug 05 2025 11:47:09: %ASA-5-750003: Local:2a02:cf40::6:500 Remote:2a02:cf40:0000:0000:0000:0000:0000:0001:50329 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Auth exchange failed

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json

@@ -1375,6 +1375,153 @@
             "user": {
                 "name": "username"
             }
+        },
+        {
+            "@timestamp": "2025-08-05T11:47:09.000Z",
+            "destination": {
+                "address": "2a02:cf40:0000:0000:0000:0000:0000:0001",
+                "geo": {
+                    "continent_name": "Europe",
+                    "country_iso_code": "NO",
+                    "country_name": "Norway",
+                    "location": {
+                        "lat": 62.0,
+                        "lon": 10.0
+                    }
+                },
+                "ip": "2a02:cf40:0000:0000:0000:0000:0000:0001",
+                "port": 50329
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "action": "connection-started",
+                "category": [
+                    "network"
+                ],
+                "code": "750002",
+                "kind": "event",
+                "original": "Aug 05 2025 11:47:09: %ASA-5-750002: Local:2a02:cf40::6:500 Remote:2a02:cf40:0000:0000:0000:0000:0000:0001:50329 Username:Unknown IKEv2 Received a IKE_INIT_SA request",
+                "outcome": "success",
+                "reason": "IKEv2 Received a IKE_INIT_SA request",
+                "severity": 5,
+                "timezone": "UTC",
+                "type": [
+                    "connection",
+                    "start"
+                ]
+            },
+            "log": {
+                "level": "notification"
+            },
+            "observer": {
+                "product": "asa",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "related": {
+                "ip": [
+                    "2a02:cf40::6",
+                    "2a02:cf40:0000:0000:0000:0000:0000:0001"
+                ],
+                "user": [
+                    "Unknown"
+                ]
+            },
+            "source": {
+                "address": "2a02:cf40::6",
+                "geo": {
+                    "continent_name": "Europe",
+                    "country_iso_code": "NO",
+                    "country_name": "Norway",
+                    "location": {
+                        "lat": 62.0,
+                        "lon": 10.0
+                    }
+                },
+                "ip": "2a02:cf40::6",
+                "port": 500
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "name": "Unknown"
+            }
+        },
+        {
+            "@timestamp": "2025-08-05T11:47:09.000Z",
+            "destination": {
+                "address": "2a02:cf40:0000:0000:0000:0000:0000:0001",
+                "geo": {
+                    "continent_name": "Europe",
+                    "country_iso_code": "NO",
+                    "country_name": "Norway",
+                    "location": {
+                        "lat": 62.0,
+                        "lon": 10.0
+                    }
+                },
+                "ip": "2a02:cf40:0000:0000:0000:0000:0000:0001",
+                "port": 50329
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "code": "750003",
+                "kind": "event",
+                "original": "Aug 05 2025 11:47:09: %ASA-5-750003: Local:2a02:cf40::6:500 Remote:2a02:cf40:0000:0000:0000:0000:0000:0001:50329 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Auth exchange failed",
+                "outcome": "failure",
+                "reason": "IKEv2 Negotiation aborted due to ERROR: Auth exchange failed",
+                "severity": 5,
+                "timezone": "UTC",
+                "type": [
+                    "connection",
+                    "start"
+                ]
+            },
+            "log": {
+                "level": "notification"
+            },
+            "observer": {
+                "product": "asa",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "related": {
+                "ip": [
+                    "2a02:cf40::6",
+                    "2a02:cf40:0000:0000:0000:0000:0000:0001"
+                ],
+                "user": [
+                    "Unknown"
+                ]
+            },
+            "source": {
+                "address": "2a02:cf40::6",
+                "geo": {
+                    "continent_name": "Europe",
+                    "country_iso_code": "NO",
+                    "country_name": "Norway",
+                    "location": {
+                        "lat": 62.0,
+                        "lon": 10.0
+                    }
+                },
+                "ip": "2a02:cf40::6",
+                "port": 500
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "name": "Unknown"
+            }
         }
     ]
 }

packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -1178,11 +1178,12 @@ processors:
       tag: parse_602303-602304
       field: "message"
       pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{}."
-  - dissect:
+  - grok:
       if: "ctx._temp_.cisco.message_id == '750002'"
       tag: parse_750002
       field: "message"
-      pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}"
+      patterns:
+        - "Local:%{IP:source.address}:%{NUMBER:source.port} Remote:%{IP:destination.address}:%{NUMBER:destination.port} Username:%{DATA:user.name} %{GREEDYDATA:event.reason}"
   - dissect:
       if: "ctx._temp_.cisco.message_id == '713120'"
       tag: parse_713120
@@ -1201,11 +1202,12 @@ processors:
       patterns:
         - "Authentication: rejected, group = %{NOTSPACE:source.user.group.name} user = %{USER:source.user.name} , Session Type: %{NOTSPACE:_temp_.cisco.session_type}"
         - "Group <%{DATA:source.user.group.name}> User <%{DATA:source.user.name}> IP <%{IP:source.address}> Authentication: rejected, Session Type: %{NOTSPACE:_temp_.cisco.session_type}\\."
-  - dissect:
+  - grok:
       if: "ctx._temp_.cisco.message_id == '750003'"
       tag: parse_750003
       field: "message"
-      pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}"
+      patterns:
+        - "Local:%{IP:source.address}:%{NUMBER:source.port} Remote:%{IP:destination.address}:%{NUMBER:destination.port} Username:%{DATA:user.name} %{GREEDYDATA:event.reason}"
   - grok:
       if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
       tag: parse_713901-713906

packages/cisco_asa/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_asa
 title: Cisco ASA
-version: "2.43.6"
+version: "2.43.7"
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration
 categories: