Parse 302018 messages correctly

mjwolf · mjwolf · commit e4dc0d23be41 · 2025-10-10T10:55:52.000-07:00
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log
@@ -279,3 +279,4 @@ Feb 3 10:07:37 myhost.example.com : Feb 03 10:07:37 EST: %ASA-svc-3-722035: Grou
 Feb 3 10:07:51 myhost.example.com : Feb 03 10:07:50 EST: %ASA-4-733100: [ LOCAL\user.name@example.com#012 ] drop rate-1 exceeded. Current burst rate is 40 per second, max configured rate is 40; Current average rate is 2 per second, max configured rate is 20; Cumulative total count is 1486
 <166>10.1.1.1 %ASA-6-302021: Teardown ICMP connection for faddr 2001:db8:85a3::8a2e:370:7334/9 gaddr 2001:db8:85a3::8a2e:370:7335/0 laddr 2001:db8:85a3::8a2e:370:7335/0 type 128 code 0 \n
 <166>10.1.1.1 %ASA-6-302020: Built outbound ICMP connection for faddr 2001:db8:85a3::8a2e:370:7334/0 gaddr ::ffff:10.10.4.4/0 laddr ::ffff:10.10.10.4/0 type 3 code 0 Internal-Data0/0:RX[29]
+<166>10.1.1.1 %ASA-6-302018: Teardown GRE connection 472592149 from Outside:81.2.69.142 to Inside:89.160.20.156/0 duration 0:02:01 bytes 1344 0 26
diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json
@@ -23480,6 +23480,124 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2025-01-01T12:00:00.000Z",
+            "cisco": {
+                "asa": {
+                    "connection_id": "472592149",
+                    "destination_interface": "Inside",
+                    "source_interface": "Outside"
+                }
+            },
+            "destination": {
+                "address": "89.160.20.156",
+                "as": {
+                    "number": 29518,
+                    "organization": {
+                        "name": "Bredband2 AB"
+                    }
+                },
+                "geo": {
+                    "city_name": "Linköping",
+                    "continent_name": "Europe",
+                    "country_iso_code": "SE",
+                    "country_name": "Sweden",
+                    "location": {
+                        "lat": 58.4167,
+                        "lon": 15.6167
+                    },
+                    "region_iso_code": "SE-E",
+                    "region_name": "Östergötland County"
+                },
+                "ip": "89.160.20.156",
+                "port": 0
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "action": "flow-expiration",
+                "category": [
+                    "network"
+                ],
+                "code": "302018",
+                "duration": 121000000000,
+                "kind": "event",
+                "original": "<166>10.1.1.1 %ASA-6-302018: Teardown GRE connection 472592149 from Outside:81.2.69.142 to Inside:89.160.20.156/0 duration 0:02:01 bytes 1344 0 26",
+                "outcome": "success",
+                "severity": 6,
+                "timezone": "UTC",
+                "type": [
+                    "connection",
+                    "end"
+                ]
+            },
+            "host": {
+                "hostname": "10.1.1.1"
+            },
+            "log": {
+                "level": "informational",
+                "syslog": {
+                    "facility": {
+                        "code": 20
+                    },
+                    "priority": 166,
+                    "severity": {
+                        "code": 6
+                    }
+                }
+            },
+            "network": {
+                "bytes": 1344,
+                "community_id": "1:G+7NhVep/VU/WFsZ87fgaCpx6Ks=",
+                "iana_number": "47",
+                "transport": "gre"
+            },
+            "observer": {
+                "egress": {
+                    "interface": {
+                        "name": "Inside"
+                    }
+                },
+                "hostname": "10.1.1.1",
+                "ingress": {
+                    "interface": {
+                        "name": "Outside"
+                    }
+                },
+                "product": "asa",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "related": {
+                "hosts": [
+                    "10.1.1.1"
+                ],
+                "ip": [
+                    "81.2.69.142",
+                    "89.160.20.156"
+                ]
+            },
+            "source": {
+                "address": "81.2.69.142",
+                "geo": {
+                    "city_name": "London",
+                    "continent_name": "Europe",
+                    "country_iso_code": "GB",
+                    "country_name": "United Kingdom",
+                    "location": {
+                        "lat": 51.5142,
+                        "lon": -0.0931
+                    },
+                    "region_iso_code": "GB-ENG",
+                    "region_name": "England"
+                },
+                "ip": "81.2.69.142"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }
diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1229,14 +1229,14 @@ processors:
       if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)'
       description: "302014, 302016, 302018, 302021, 302036, 302304, 302306"
       patterns:
-
         - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_SRC}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_DST}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\)
         - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_SRC}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_DST}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator}
         - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_SRC}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_DST}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\)
         - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_SRC}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_DST}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\)
         - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_SRC}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_DST}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason}
         - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_SRC}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_DST}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes})
         - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{ECSDESTIPORHOST}|%{NOTCOLON:_temp_.cisco.source_interface}:%{ECSDESTIPORHOST})/%{NUMBER}\s*(?:\(?%{CISCO_USER_OR_SGT_DST}\)? )?gaddr (?:%{MAPPEDSRC}|%{NOTCOLON:_temp_.cisco.gaddr_interface}:%{MAPPEDSRC})/%{NUMBER} laddr (?:%{ECSSOURCEIPORHOST}|%{NOTCOLON:_temp_.cisco.source_interface}:%{ECSSOURCEIPORHOST})/%{NUMBER}\s*(?:\(%{CISCO_USER_OR_SGT_SRC}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?
+        - ^Teardown %{NOTSPACE:network.transport} connection %{NOTSPACE:_temp_.cisco.connection_id} from %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address} to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int} duration %{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}(?:%{NUMBER} %{NUMBER})?
       pattern_definitions:
         HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62}))*(\\.?|\\b)"
         IPORHOST: "(?:%{IP}|%{HOSTNAME})"
@@ -1833,7 +1833,7 @@ processors:
       tag: script_process_flow_duration
       lang: painless
       if: "ctx?._temp_?.duration_hms != null"
-      source: >
+      source: |
         long parse_hms(String s) {
             long cur = 0, total = 0;
             for (char c: s.toCharArray()) {
@@ -1842,22 +1842,26 @@ processors:
                 } else if (c == (char)':') {
                     total = (total + cur) * 60;
                     cur = 0;
-                } else if (c != (char)'h' && c == (char)'m' && c == (char)'s') {
-                    return 0;
                 }
             }
             return total + cur;
         }
         if (ctx?.event == null) {
             ctx['event'] = new HashMap();
         }
-        String end = ctx['@timestamp'];
-        ctx.event['end'] = end;
         long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L;
         ctx.event['duration'] = nanos;
-        ctx.event['start'] = ZonedDateTime.ofInstant(
-            Instant.parse(end).minusNanos(nanos),
-            ZoneOffset.UTC);
+        if (ctx['@timestamp'] != null) {
+            String end = ctx['@timestamp'];
+            ctx.event['end'] = end;
+            try {
+                ctx.event['start'] = ZonedDateTime.ofInstant(
+                    Instant.parse(end).minusNanos(nanos),
+                    ZoneOffset.UTC);
+            } catch (Exception e) {
+                // If timestamp parsing fails, just set duration
+            }
+        }
   #
   # Parse Source/Dest Username/Domain may contain SGT
   #
