[cisco_asa] Add new log types

- Add support for 111007, 113022, 113023, 425005, 611103 logs - Add tests

Author: taylor-swanson

packages/cisco_asa/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.36.0"
+ changes:
+ - description: Add additional log types.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10340
 - version: "2.35.3"
  changes:
  - description: Fix patterns for 113008, 725002.

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log

@@ -266,4 +266,10 @@ Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outsid
 Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
 Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
 Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-106023: Deny tcp src outside:192.168.124.24/80 dst inside:172.31.98.44/8309 by access-group "inbound" [0x0, 0x0]
-<166>Jan 11 2023 13:34:06 localhost : %ASA-6-302013: Built outbound TCP connection 353540142 for outside-noanet:192.168.124.24/443 (192.168.124.24/443) to inside:172.31.98.44/49234 (172.31.98.44/49234)
+<166>Jan 11 2023 13:34:06 localhost : %ASA-6-302013: Built outbound TCP connection 353540142 for outside-noanet:192.168.124.24/443 (192.168.124.24/443) to inside:172.31.98.44/49234 (172.31.98.44/49234)
+<164>Jan 11 2023 13:34:06: %ASA-4-106023: Deny udp src MY_mgmt:192.168.124.24/123 dst MPLS_Internet:172.31.98.44/123 by access-group "MY_mgmt_access_in" [0x0, 0x0]
+<165>Jan 11 2023 13:34:06: %ASA-5-111007: Begin configuration: 192.168.124.24 reading from http [POST]
+<162>Jan 11 2023 13:34:06: %ASA-2-113022: AAA Marking LDAP server 192.168.124.24 in aaa-server group GROUP_NAME as FAILED
+<162>Jan 11 2023 13:34:06: %ASA-2-113023: AAA Marking LDAP server 192.168.124.24 in aaa-server group GROUP_NAME as ACTIVE
+<165>Jan 11 2023 13:34:06: %ASA-5-425005: Interface GigabitEthernet0/1 become active in redundant interface Redundant1
+<165>Jun 21 2024 09:07:00: %ASA-5-611103: User logged out: Uname: USER_NAME

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa.log-expected.json

@@ -22746,6 +22746,338 @@
  "tags": [
  "preserve_original_event"
  ]
+ },
+ {
+ "@timestamp": "2023-01-11T13:34:06.000Z",
+ "cisco": {
+ "asa": {
+ "destination_interface": "MPLS_Internet",
+ "rule_name": "MY_mgmt_access_in",
+ "source_interface": "MY_mgmt"
+ }
+ },
+ "destination": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 123
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "category": [
+ "network"
+ ],
+ "code": "106023",
+ "kind": "event",
+ "original": "<164>Jan 11 2023 13:34:06: %ASA-4-106023: Deny udp src MY_mgmt:192.168.124.24/123 dst MPLS_Internet:172.31.98.44/123 by access-group \"MY_mgmt_access_in\" [0x0, 0x0]",
+ "outcome": "success",
+ "severity": 4,
+ "timezone": "UTC",
+ "type": [
+ "connection",
+ "denied"
+ ]
+ },
+ "log": {
+ "level": "warning",
+ "syslog": {
+ "facility": {
+ "code": 20
+ },
+ "priority": 164,
+ "severity": {
+ "code": 4
+ }
+ }
+ },
+ "network": {
+ "community_id": "1:xbya/aiSMeIJU6Accp+zqxHVMZQ=",
+ "iana_number": "17",
+ "transport": "udp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "MPLS_Internet"
+ }
+ },
+ "ingress": {
+ "interface": {
+ "name": "MY_mgmt"
+ }
+ },
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "192.168.124.24",
+ "172.31.98.44"
+ ]
+ },
+ "source": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24",
+ "port": 123
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-01-11T13:34:06.000Z",
+ "destination": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "configuration",
+ "category": [
+ "configuration"
+ ],
+ "code": "111007",
+ "kind": "event",
+ "original": "<165>Jan 11 2023 13:34:06: %ASA-5-111007: Begin configuration: 192.168.124.24 reading from http [POST]",
+ "outcome": "success",
+ "severity": 5,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "notification",
+ "syslog": {
+ "facility": {
+ "code": 20
+ },
+ "priority": 165,
+ "severity": {
+ "code": 5
+ }
+ }
+ },
+ "observer": {
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "192.168.124.24"
+ ]
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-01-11T13:34:06.000Z",
+ "destination": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "server-failed",
+ "category": [
+ "network"
+ ],
+ "code": "113022",
+ "kind": "event",
+ "original": "<162>Jan 11 2023 13:34:06: %ASA-2-113022: AAA Marking LDAP server 192.168.124.24 in aaa-server group GROUP_NAME as FAILED",
+ "outcome": "failure",
+ "severity": 2,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "critical",
+ "syslog": {
+ "facility": {
+ "code": 20
+ },
+ "priority": 162,
+ "severity": {
+ "code": 2
+ }
+ }
+ },
+ "network": {
+ "protocol": "ldap"
+ },
+ "observer": {
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "192.168.124.24"
+ ]
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-01-11T13:34:06.000Z",
+ "destination": {
+ "address": "192.168.124.24",
+ "ip": "192.168.124.24"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "server-active",
+ "category": [
+ "network"
+ ],
+ "code": "113023",
+ "kind": "event",
+ "original": "<162>Jan 11 2023 13:34:06: %ASA-2-113023: AAA Marking LDAP server 192.168.124.24 in aaa-server group GROUP_NAME as ACTIVE",
+ "outcome": "success",
+ "severity": 2,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "critical",
+ "syslog": {
+ "facility": {
+ "code": 20
+ },
+ "priority": 162,
+ "severity": {
+ "code": 2
+ }
+ }
+ },
+ "network": {
+ "protocol": "ldap"
+ },
+ "observer": {
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "192.168.124.24"
+ ]
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-01-11T13:34:06.000Z",
+ "cisco": {
+ "asa": {
+ "interface_name": "GigabitEthernet0/1",
+ "redundant_interface_name": "Redundant1"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "interface-switchover",
+ "category": [
+ "network"
+ ],
+ "code": "425005",
+ "kind": "event",
+ "original": "<165>Jan 11 2023 13:34:06: %ASA-5-425005: Interface GigabitEthernet0/1 become active in redundant interface Redundant1",
+ "severity": 5,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "notification",
+ "syslog": {
+ "facility": {
+ "code": 20
+ },
+ "priority": 165,
+ "severity": {
+ "code": 5
+ }
+ }
+ },
+ "observer": {
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2024-06-21T09:07:00.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "logged-out",
+ "category": [
+ "authentication",
+ "network"
+ ],
+ "code": "611103",
+ "kind": "event",
+ "original": "<165>Jun 21 2024 09:07:00: %ASA-5-611103: User logged out: Uname: USER_NAME",
+ "outcome": "success",
+ "severity": 5,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "notification",
+ "syslog": {
+ "facility": {
+ "code": 20
+ },
+ "priority": 165,
+ "severity": {
+ "code": 5
+ }
+ }
+ },
+ "observer": {
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "user": [
+ "USER_NAME"
+ ]
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "name": "USER_NAME"
+ }
  }
  ]
 }