
Commit 1ff9d46

[cisco_asa] Support IPv6 addresses in 750002 and 750003 messages (#14882)
- Add support for IPv6 addresses in 750002 and 750003 messages. - This required changing the dissect processors to grok.
1 parent fa1c973 commit 1ff9d46

6 files changed

+162
-6
lines changed


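--- a/packages/cisco_asa/changelog.yml
+++ b/packages/cisco_asa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.43.7"
+changes:
+- description: Support IPv6 addresses in 750002 and 750003 messages.
+type: bugfix
+link: https://github.com/elastic/integrations/pull/14882
 - version: "2.43.6"
 changes:
 - description: Changed owners.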

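--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json
@@ -5856,7 +5856,7 @@
 "kind": "event",
 "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-750003: Local:81.2.69.144:7777 Remote:192.168.2.2:7777 Username:admin Negotiation aborted due to ERROR: Failed to locate an item in the database",
 "outcome": "failure",
-"reason": "Negotiation aborted due to Failed to locate an item in the database",
+"reason": "Negotiation aborted due to ERROR: Failed to locate an item in the database",
 "severity": 4,
 "timezone": "UTC",
 "type": [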

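--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log
@@ -14,3 +14,5 @@ Jun 21 2022 11:47:08: %ASA-6-302015: Built inbound UDP connection 7 for outside:
 Jun 21 2022 11:47:09: %ASA-6-302015: Built inbound UDP connection 7 for outside:81.2.69.142/3424 (81.2.69.142/3424)(LOCAL\alice, 123) to inside:89.160.20.112/9803 (89.160.20.112/9803)(LOCAL\dave, 246) (bob)
 Apr 27 2020 02:03:03 dev01: %ASA-5-434004: SFR requested device to bypass further packet redirection and process TCP flow from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/123123 locally
 <140>Feb 02 2025 14:02:35: %ASA-4-106103: access-list TEST_ACL_LIST denied tcp for user 'username' outside/81.2.69.142(51950) -> inside/89.160.20.112(443) hit-cnt 1 first hit [0xd3e666fa, 0x0]
+Aug 05 2025 11:47:09: %ASA-5-750002: Local:2a02:cf40::6:500 Remote:2a02:cf40:0000:0000:0000:0000:0000:0001:50329 Username:Unknown IKEv2 Received a IKE_INIT_SA request
+Aug 05 2025 11:47:09: %ASA-5-750003: Local:2a02:cf40::6:500 Remote:2a02:cf40:0000:0000:0000:0000:0000:0001:50329 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Auth exchange failed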

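--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
+++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json
@@ -1375,6 +1375,153 @@
 "user": {
 "name": "username"
 }
+},
+{
+"@timestamp": "2025-08-05T11:47:09.000Z",
+"destination": {
+"address": "2a02:cf40:0000:0000:0000:0000:0000:0001",
+"geo": {
+"continent_name": "Europe",
+"country_iso_code": "NO",
+"country_name": "Norway",
+"location": {
+"lat": 62.0,
+"lon": 10.0
+}
+},
+"ip": "2a02:cf40:0000:0000:0000:0000:0000:0001",
+"port": 50329
+},
+"ecs": {
+"version": "8.17.0"
+},
+"event": {
+"action": "connection-started",
+"category": [
+"network"
+],
+"code": "750002",
+"kind": "event",
+"original": "Aug 05 2025 11:47:09: %ASA-5-750002: Local:2a02:cf40::6:500 Remote:2a02:cf40:0000:0000:0000:0000:0000:0001:50329 Username:Unknown IKEv2 Received a IKE_INIT_SA request",
+"outcome": "success",
+"reason": "IKEv2 Received a IKE_INIT_SA request",
+"severity": 5,
+"timezone": "UTC",
+"type": [
+"connection",
+"start"
+]
+},
+"log": {
+"level": "notification"
+},
+"observer": {
+"product": "asa",
+"type": "firewall",
+"vendor": "Cisco"
+},
+"related": {
+"ip": [
+"2a02:cf40::6",
+"2a02:cf40:0000:0000:0000:0000:0000:0001"
+],
+"user": [
+"Unknown"
+]
+},
+"source": {
+"address": "2a02:cf40::6",
+"geo": {
+"continent_name": "Europe",
+"country_iso_code": "NO",
+"country_name": "Norway",
+"location": {
+"lat": 62.0,
+"lon": 10.0
+}
+},
+"ip": "2a02:cf40::6",
+"port": 500
+},
+"tags": [
+"preserve_original_event"
+],
+"user": {
+"name": "Unknown"
+}
+},
+{
+"@timestamp": "2025-08-05T11:47:09.000Z",
+"destination": {
+"address": "2a02:cf40:0000:0000:0000:0000:0000:0001",
+"geo": {
+"continent_name": "Europe",
+"country_iso_code": "NO",
+"country_name": "Norway",
+"location": {
+"lat": 62.0,
+"lon": 10.0
+}
+},
+"ip": "2a02:cf40:0000:0000:0000:0000:0000:0001",
+"port": 50329
+},
+"ecs": {
+"version": "8.17.0"
+},
+"event": {
+"category": [
+"network"
+],
+"code": "750003",
+"kind": "event",
+"original": "Aug 05 2025 11:47:09: %ASA-5-750003: Local:2a02:cf40::6:500 Remote:2a02:cf40:0000:0000:0000:0000:0000:0001:50329 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Auth exchange failed",
+"outcome": "failure",
+"reason": "IKEv2 Negotiation aborted due to ERROR: Auth exchange failed",
+"severity": 5,
+"timezone": "UTC",
+"type": [
+"connection",
+"start"
+]
+},
+"log": {
+"level": "notification"
+},
+"observer": {
+"product": "asa",
+"type": "firewall",
+"vendor": "Cisco"
+},
+"related": {
+"ip": [
+"2a02:cf40::6",
+"2a02:cf40:0000:0000:0000:0000:0000:0001"
+],
+"user": [
+"Unknown"
+]
+},
+"source": {
+"address": "2a02:cf40::6",
+"geo": {
+"continent_name": "Europe",
+"country_iso_code": "NO",
+"country_name": "Norway",
+"location": {
+"lat": 62.0,
+"lon": 10.0
+}
+},
+"ip": "2a02:cf40::6",
+"port": 500
+},
+"tags": [
+"preserve_original_event"
+],
+"user": {
+"name": "Unknown"
+}
 }
 ]
 }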

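--- a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1178,11 +1178,12 @@ processors:
 tag: parse_602303-602304
 field: "message"
 pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{}."
-- dissect:
+- grok:
 if: "ctx._temp_.cisco.message_id == '750002'"
 tag: parse_750002
 field: "message"
-pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}"
+patterns:
+- "Local:%{IP:source.address}:%{NUMBER:source.port} Remote:%{IP:destination.address}:%{NUMBER:destination.port} Username:%{DATA:user.name} %{GREEDYDATA:event.reason}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '713120'"
 tag: parse_713120
@@ -1201,11 +1202,12 @@ processors:
 patterns:
 - "Authentication: rejected, group = %{NOTSPACE:source.user.group.name} user = %{USER:source.user.name} , Session Type: %{NOTSPACE:_temp_.cisco.session_type}"
 - "Group <%{DATA:source.user.group.name}> User <%{DATA:source.user.name}> IP <%{IP:source.address}> Authentication: rejected, Session Type: %{NOTSPACE:_temp_.cisco.session_type}\\."
-- dissect:
+- grok:
 if: "ctx._temp_.cisco.message_id == '750003'"
 tag: parse_750003
 field: "message"
-pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}"
+patterns:
+- "Local:%{IP:source.address}:%{NUMBER:source.port} Remote:%{IP:destination.address}:%{NUMBER:destination.port} Username:%{DATA:user.name} %{GREEDYDATA:event.reason}"
 - grok:
 if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
 tag: parse_713901-713906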
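Review bot: The grok processors at parse_750002 and parse_750003 now carry byte-identical patterns, so they could be folded into a single processor keyed on both ids in the style the file already uses for 713901-713906 (`if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)'`), at the cost of the per-id tag. Separately, `%{NUMBER:source.port}` and `%{NUMBER:destination.port}` capture strings; the expected fixture shows integer ports, so a later conversion presumably exists, and if it does not, `%{POSINT:source.port:int}` would convert inline and reject non-numeric input rather than pass it through. Because the IPv6 form in these messages is unbracketed, the address/port split depends on `%{IP}` matching greedily and backtracking to leave the literal `:` and port, which is worth a comment above the pattern such as `# IPv6 is unbracketed: %{IP} backtracks to leave the trailing :port`. The 750003 pattern also drops the former `ERROR:%{+event.reason}` split, so event.reason now keeps the literal `ERROR:` prefix, as the updated expected.json reflects.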

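--- a/packages/cisco_asa/manifest.yml
+++ b/packages/cisco_asa/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_asa
 title: Cisco ASA
-version: "2.43.6"
+version: "2.43.7"
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration
 categories: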
