[cisco_meraki] Parse of connecting and reconnecting events

packages/cisco_meraki/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.1"
+ changes:
+ - description: Fix the parsing of connecting and reconnecting events for `anyconnect_vpn_connect` and `client_vpn_connect`.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/14231
 - version: "1.29.0"
  changes:
  - description: Standardize user fields processing across integrations.

packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log

@@ -9,6 +9,7 @@
 <134>1 1647479420.148681168 MX84 events dhcp lease of ip 10.0.2.213 from mx mac 68:3A:1E:42:60:59 for client mac E0:CB:BC:02:4F:80 from router 10.0.0.1 on subnet 255.255.252.0 with dns 10.0.0.1
 <134>1 1647479961.535491111 MX84 events dhcp no offers for mac A4:83:E7:02:A2:F1 host = 192.168.10.1
 <134>1 1647478092.669153546 MX_device_4 events client_vpn_connect user id 'jwick@wwvpn.net' local ip 172.16.0.145 connected from 81.2.69.193
+<134>1 1647478092.669153546 MX_device_4 events client_vpn_connect user id 'user@example.com' local ip 81.2.69.142 reconnected from 89.160.20.128
 <134>1 1639132850.430422377 AP1 events type=disassociation radio='1' vap='1' client_mac='B0:A4:60:9B:3B:A6' channel='100' reason='1' instigator='2' duration='223.031691642' auth_neg_dur='0.005054229' last_auth_ago='223.020414600' is_wpa='1' full_conn='0.384002374' ip_resp='0.384002374' ip_src='10.197.39.50' http_resp='0.647356228' arp_resp='0.013562625' arp_src='10.197.39.50' dns_server='10.128.128.128' dns_req_rtt='0.023370084' dns_resp='0.263616104' dhcp_lease_completed='0.009196083' dhcp_server='10.128.128.128' dhcp_server_mac='E0:CB:BC:31:23:60' dhcp_resp='0.009196083' aid='977866432'
 <134>1 1639132851.416656563 AP1 events type=aps_association_reject load='3' best_ap='192.168.128.38' best_ap_load='0' best_ap_rssi='37'
 <134>1 1639132851.608053271 AP1 events type=association radio='1' vap='0' client_mac='B0:A4:60:9B:3B:A6' last_known_client_ip='0.0.0.0' channel='100' rssi='40' aid='125455944'
@@ -34,6 +35,7 @@
 <134>1 1700038224.482632052 ABC_NL_AMS1_SW_B1 events port 44 status changed from down to 1Gfdx
 <134>1 1639132851.416656563 TCP9001 events anyconnect_vpn_disconnect user id 'user.name1' local ip 172.25.22.82 connected from 67.43.156.14
 <134>1 1639132851.416656563 TCP9001 events anyconnect_vpn_connect user id 'user.name2' local ip 172.25.22.244 reconnected from 67.43.156.14
+<134>1 1639132851.416656563 TCP9001 events anyconnect_vpn_connect user id 'user.name3' local ip 175.16.199.1 connected from 1.128.0.1
 <134>1 1639132851.416656563 TCP9001 events type=splash_auth mac='4C:03:4F:5C:5B:43' duration='604800' vap='0' wired_vlan='-1' download='1Gbps' upload='1Gbps'
 <134>1 1639132851.416656563 TCP9001 events type=martian_vlan Client='172.25.25.74' MAC='24:5E:BE:19:45:2E' VLAN='24' details='sent 7088457 unexpected packets (Last seen packet IP=169.254.100.100)'
 <134>1 1639132851.416656563 TCP9001 events type=martian_vlan Client='172.25.25.196' MAC='CC:96:E5:9F:09:89' VLAN='24' details='sent 834351 unexpected packets (Last seen packet IP=172.25.40.16, IP on VLAN=40)'

packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json

@@ -502,6 +502,73 @@
  "name": "jwick"
  }
  },
+ {
+ "@timestamp": "2022-03-17T00:48:12.669Z",
+ "cisco_meraki": {
+ "event_subtype": "client_vpn_connect",
+ "event_type": "events"
+ },
+ "client": {
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.128"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "site-to-site-vpn",
+ "category": [
+ "network",
+ "session"
+ ],
+ "original": "<134>1 1647478092.669153546 MX_device_4 events client_vpn_connect user id 'user@example.com' local ip 81.2.69.142 reconnected from 89.160.20.128",
+ "type": [
+ "info",
+ "access",
+ "allowed",
+ "start"
+ ]
+ },
+ "message": "user id 'user@example.com' local ip 81.2.69.142 reconnected from 89.160.20.128",
+ "network": {
+ "forwarded_ip": "81.2.69.142"
+ },
+ "observer": {
+ "hostname": "MX_device_4"
+ },
+ "related": {
+ "user": [
+ "user",
+ "user@example.com"
+ ]
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "user": {
+ "domain": "example.com",
+ "email": "user@example.com",
+ "name": "user"
+ }
+ },
  {
  "@timestamp": "2021-12-10T10:40:50.430Z",
  "cisco_meraki": {
@@ -1634,6 +1701,54 @@
  "name": "user.name2"
  }
  },
+ {
+ "@timestamp": "2021-12-10T10:40:51.416Z",
+ "cisco_meraki": {
+ "event_subtype": "anyconnect_vpn_connect",
+ "event_type": "events"
+ },
+ "client": {
+ "as": {
+ "number": 1221,
+ "organization": {
+ "name": "Telstra Pty Ltd"
+ }
+ },
+ "ip": "1.128.0.1"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "anyconnect_vpn_connect",
+ "category": [
+ "network"
+ ],
+ "original": "<134>1 1639132851.416656563 TCP9001 events anyconnect_vpn_connect user id 'user.name3' local ip 175.16.199.1 connected from 1.128.0.1",
+ "type": [
+ "info"
+ ]
+ },
+ "message": "user id 'user.name3' local ip 175.16.199.1 connected from 1.128.0.1",
+ "network": {
+ "forwarded_ip": "175.16.199.1"
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "related": {
+ "user": [
+ "user.name3"
+ ]
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ],
+ "user": {
+ "name": "user.name3"
+ }
+ },
  {
  "@timestamp": "2021-12-10T10:40:51.416Z",
  "cisco_meraki": {

packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json

@@ -228,7 +228,7 @@
  "name": "Windows",
  "version": "10"
  },
- "version": "108.0"
+ "version": "108.0."
  }
  },
  {

packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml

@@ -291,9 +291,11 @@ processors:
 ####################################################
 # Handle client_vpn_connect
 ####################################################
-- dissect:
+- grok:
  field: event.original
- pattern: "%{} events client_vpn_connect user id '%{user.name}' local ip %{network.forwarded_ip} connected from %{_temp.client_ip}"
+ patterns:
+ - "^%{DATA} events client_vpn_connect user id '%{DATA:user.name}' local ip %{IP:network.forwarded_ip} (reconnected from|connected from) %{IP:_temp.client_ip}$"
+ - "^%{GREEDYDATA}$"
  if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect"
 - grok:
  field: event.original
@@ -371,9 +373,11 @@ processors:
 ####################################################
 # Handle anyconnect_vpn_connect
 ####################################################
-- dissect:
+- grok:
  field: event.original
- pattern: "%{} events anyconnect_vpn_connect user id '%{user.name}' local ip %{network.forwarded_ip} reconnected from %{_temp.client_ip}"
+ patterns:
+ - "^%{DATA} events anyconnect_vpn_connect user id '%{DATA:user.name}' local ip %{IP:network.forwarded_ip} (reconnected from|connected from) %{IP:_temp.client_ip}$"
+ - "^%{GREEDYDATA}$"
  if: ctx?.cisco_meraki?.event_subtype == "anyconnect_vpn_connect"
 - grok:
  field: event.original

packages/cisco_meraki/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: cisco_meraki
 title: Cisco Meraki
-version: "1.29.0"
+version: "1.29.1"
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration
 categories: