elastic · efd6 · Mar 8, 2023 · Feb 27, 2023 · Mar 8, 2023
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.14.0"
+ changes:
+ - description: Allow retention of a searchable log message.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5393
 - version: "2.13.2"
  changes:
  - description: Support additional patterns in 113012, 113004, and 716039 messages

@@ -5,4 +5,5 @@ data_stream:
  paths:
  - "{{SERVICE_LOGS_DIR}}/*asa*.log"
  preserve_original_event: true
+ keep_message: true
  tz_offset: "+0500"
@@ -6,4 +6,5 @@ data_stream:
  tcp_host: 0.0.0.0
  tcp_port: 9514
  preserve_original_event: true
+ keep_message: true
  tz_offset: "+0500"
@@ -6,6 +6,7 @@ data_stream:
  tcp_host: 0.0.0.0
  tcp_port: 9515
  preserve_original_event: true
+ keep_message: true
  ssl: |
  key: |
  -----BEGIN PRIVATE KEY-----

@@ -6,3 +6,4 @@ data_stream:
  udp_host: 0.0.0.0
  udp_port: 9514
  preserve_original_event: true
+ keep_message: true
@@ -7,6 +7,9 @@ tags:
 {{#if preserve_original_event}}
  - preserve_original_event
 {{/if}}
+{{#if keep_message}}
+ - keep_message
+{{/if}}
 {{#each tags as |tag i|}}
  - {{tag}}
 {{/each}}

@@ -3,6 +3,9 @@ tags:
 {{#if preserve_original_event}}
  - preserve_original_event
 {{/if}}
+{{#if keep_message}}
+ - keep_message
+{{/if}}
 {{#each tags as |tag i|}}
  - {{tag}}
 {{/each}}

@@ -6,6 +6,9 @@ tags:
 {{#if preserve_original_event}}
  - preserve_original_event
 {{/if}}
+{{#if keep_message}}
+ - keep_message
+{{/if}}
 {{#each tags as |tag i|}}
  - {{tag}}
 {{/each}}

@@ -1114,6 +1114,11 @@ processors:
  # The field has been used as temporary buffer while decoding. The full message
  # is kept under event.original. Processors below can still add a message field, as some
  # security events contain an explanatory Message field.
+ - rename:
+ description: Retain full log message without the Cisco codes for later search.
+ if: ctx.tags != null && ctx.tags.contains('keep_message') && ctx._temp_?.cisco?.full_message == null
+ field: message
+ target_field: _temp_.cisco.full_message
  - remove:
  field:
  - message

@@ -216,3 +216,9 @@
  type: keyword
  description: >-
  The message associated with SIP and Skinny VoIP events
+
+ - name: full_message
+ default_field: false
+ type: keyword
+ description: >-
+ The Cisco log message text.
@@ -51,6 +51,14 @@ streams:
  type: bool
  multi: false
  default: false
+ - name: keep_message
+ required: true
+ show_user: true
+ title: Preserve searchable message text.
+ description: Preserves the log message in a searchable field, `cisco.asa.full_message`
+ type: bool
+ multi: false
+ default: false
  - name: udp_options
  type: yaml
  title: Custom UDP Options
@@ -129,6 +137,14 @@ streams:
  type: bool
  multi: false
  default: false
+ - name: keep_message
+ required: true
+ show_user: true
+ title: Preserve searchable message text.
+ description: Preserves the log message in a searchable field, `cisco.asa.full_message`
+ type: bool
+ multi: false
+ default: false
  - name: processors
  type: yaml
  title: Processors
@@ -213,6 +229,14 @@ streams:
  type: bool
  multi: false
  default: false
+ - name: keep_message
+ required: true
+ show_user: true
+ title: Preserve searchable message text.
+ description: Preserves the log message in a searchable field, `cisco.asa.full_message`
+ type: bool
+ multi: false
+ default: false
  - name: processors
  type: yaml
  title: Processors

@@ -1,15 +1,16 @@
 {
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "agent": {
- "ephemeral_id": "3531225b-f1f1-4313-8769-3c60fbf048a3",
- "id": "cef48eaa-95bc-48e2-955a-d5c41d508b84",
+ "ephemeral_id": "ca988d63-3269-4129-84a2-fe0a0723829f",
+ "id": "07815f3b-703a-41bd-802e-d773e9f55819",
  "name": "docker-fleet-agent",
  "type": "filebeat",
- "version": "8.5.1"
+ "version": "8.6.1"
  },
  "cisco": {
  "asa": {
  "destination_interface": "outside",
+ "full_message": "Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
  "source_interface": "inside"
  }
  },
@@ -27,9 +28,9 @@
  "version": "8.6.0"
  },
  "elastic_agent": {
- "id": "cef48eaa-95bc-48e2-955a-d5c41d508b84",
+ "id": "07815f3b-703a-41bd-802e-d773e9f55819",
  "snapshot": false,
- "version": "8.5.1"
+ "version": "8.6.1"
  },
  "event": {
  "action": "firewall-rule",
@@ -39,7 +40,7 @@
  ],
  "code": "305011",
  "dataset": "cisco_asa.log",
- "ingested": "2023-01-30T06:56:43Z",
+ "ingested": "2023-02-27T06:06:31Z",
  "kind": "event",
  "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
  "severity": 6,
@@ -57,7 +58,7 @@
  "log": {
  "level": "informational",
  "source": {
- "address": "172.20.0.4:53092"
+ "address": "172.20.0.4:51426"
  }
  },
  "network": {
@@ -101,6 +102,7 @@
  },
  "tags": [
  "preserve_original_event",
+ "keep_message",
  "cisco-asa",
  "forwarded"
  ]

@@ -17,15 +17,16 @@ An example event for `log` looks as following:
 {
  "@timestamp": "2018-10-10T12:34:56.000Z",
  "agent": {
- "ephemeral_id": "3531225b-f1f1-4313-8769-3c60fbf048a3",
- "id": "cef48eaa-95bc-48e2-955a-d5c41d508b84",
+ "ephemeral_id": "ca988d63-3269-4129-84a2-fe0a0723829f",
+ "id": "07815f3b-703a-41bd-802e-d773e9f55819",
  "name": "docker-fleet-agent",
  "type": "filebeat",
- "version": "8.5.1"
+ "version": "8.6.1"
  },
  "cisco": {
  "asa": {
  "destination_interface": "outside",
+ "full_message": "Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
  "source_interface": "inside"
  }
  },
@@ -43,9 +44,9 @@ An example event for `log` looks as following:
  "version": "8.6.0"
  },
  "elastic_agent": {
- "id": "cef48eaa-95bc-48e2-955a-d5c41d508b84",
+ "id": "07815f3b-703a-41bd-802e-d773e9f55819",
  "snapshot": false,
- "version": "8.5.1"
+ "version": "8.6.1"
  },
  "event": {
  "action": "firewall-rule",
@@ -55,7 +56,7 @@ An example event for `log` looks as following:
  ],
  "code": "305011",
  "dataset": "cisco_asa.log",
- "ingested": "2023-01-30T06:56:43Z",
+ "ingested": "2023-02-27T06:06:31Z",
  "kind": "event",
  "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
  "severity": 6,
@@ -73,7 +74,7 @@ An example event for `log` looks as following:
  "log": {
  "level": "informational",
  "source": {
- "address": "172.20.0.4:53092"
+ "address": "172.20.0.4:51426"
  }
  },
  "network": {
@@ -117,6 +118,7 @@ An example event for `log` looks as following:
  },
  "tags": [
  "preserve_original_event",
+ "keep_message",
  "cisco-asa",
  "forwarded"
  ]
@@ -144,6 +146,7 @@ An example event for `log` looks as following:
 | cisco.asa.destination_interface | Destination interface for the flow or event. | keyword |
 | cisco.asa.destination_user_security_group_tag | The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. | long |
 | cisco.asa.destination_username | Name of the user that is the destination for this event. | keyword |
+| cisco.asa.full_message | The Cisco log message text. | keyword |
 | cisco.asa.icmp_code | ICMP code. | short |
 | cisco.asa.icmp_type | ICMP type. | short |
 | cisco.asa.mapped_destination_host | | keyword |

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_asa
 title: Cisco ASA
-version: "2.13.2"
+version: "2.14.0"
 license: basic
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration