Processor conditional with tag parse_106023 in pipeline logs-cisco_asa.log-2.37.0 failed with message: Provided Grok expressions do not match field value: [Deny tcp src outside:11.111.11.11/61943 dst identity:000.00.000.00/443 by access-group "" [0x3499b430, 0x0]]
Event Original
<164>2024-09-17T18:23:15Z mmc-raasa-fw1 : %ASA-4-106023: Deny tcp src outside:11.111.11.11/61943 dst identity:000.00.000.00/443 by access-group "" [0x3499b430, 0x0]
### What did you do?
Default configuration.
### What did you see?
See event original.
### What did you expect to see?
Message should get correctly parsed and ingested.
### Anything else?
We've tracked down the problem. It seems the default pipeline uses this grok expression, which does not allow for an empty access-group:
```
^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\\s*(\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group \"%{NOTSPACE:_temp_.cisco.list_id}\"
```
Changing it to (making access-group optional):
```
^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group \"%{NOTSPACE:_temp_.cisco.list_id}?\"
```
Fixed the issue.
This may have been an edge case.
Integration Name
Cisco ASA [cisco_asa]
Dataset Name
No response
Integration Version
2.37.0
Agent Version
8.12.2
Agent Output Type
elasticsearch
Elasticsearch Version
8.12.2
OS Version and Architecture
RHEL 8.9
Software/API Version
No response
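To see the failure and the fix outside Elasticsearch, the following added example (not part of the issue, the integration or the pipeline) expands both Grok expressions from the report into plain Python regexes and runs them over the quoted message. The Grok library stand-ins are simplified, NOTCOLON and CISCO_USER are assumed definitions (the integration defines its own), dotted ECS field names are mapped to underscored group names, and the `"outside_in"` variant is a constructed message used only to show that the original pattern works as long as the access-group name is non-empty.

```python
import re
from typing import Optional

# Stand-ins for the Grok pattern library. DATA, NOTSPACE, POSINT and IPORHOST
# are simplified from the standard patterns; NOTCOLON and CISCO_USER are defined
# by the integration itself, so the bodies below are assumptions for this example.
GROK_LIB = {
    "NOTSPACE": r"\S+",
    "POSINT": r"[1-9][0-9]*",
    "DATA": r".*?",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9][A-Za-z0-9.-]*)",
    "NOTCOLON": r"[^:]+",       # assumption
    "CISCO_USER": r"[^\s)]+",   # assumption
}

_REF = re.compile(r"%\{(?P<pat>[A-Z0-9_]+)(?::(?P<field>[^}]+))?\}")


def grok_to_regex(expr: str):
    """Expand %{PATTERN:field} references into a compiled Python regex.
    Dotted ECS field names become underscored group names (event.outcome ->
    event_outcome) because Python group names must be identifiers."""
    def expand(m):
        body = GROK_LIB[m.group("pat")]
        field = m.group("field")
        if field is None:
            return f"(?:{body})"
        name = re.sub(r"[^A-Za-z0-9_]", "_", field)
        return f"(?P<{name}>{body})"
    return re.compile(_REF.sub(expand, expr))


# The two expressions from the issue, with the escapes as the regex engine
# sees them (the pipeline source shows them doubled inside its quoted string).
ORIGINAL_GROK = (
    r'^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) '
    r'src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*'
    r'(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?'
    r'dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?'
    r'%{DATA}by access-group \"%{NOTSPACE:_temp_.cisco.list_id}\"'
)
# The reporter's fix: the list_id capture becomes optional so "" is accepted.
FIXED_GROK = ORIGINAL_GROK.replace(r'list_id}\"', r'list_id}?\"')

# The message text after the "%ASA-4-106023: " prefix, as quoted in the issue.
SAMPLE = ('Deny tcp src outside:11.111.11.11/61943 dst identity:000.00.000.00/443 '
          'by access-group "" [0x3499b430, 0x0]')
# Constructed variant with a non-empty access-group name, to show that the
# original pattern only fails on the empty case.
NAMED_SAMPLE = SAMPLE.replace('access-group ""', 'access-group "outside_in"')


def parse_asa_106023(message: str, grok_expr: str) -> Optional[dict]:
    """Return the captured fields, or None when the expression does not match
    (the situation that produces the pipeline's 'do not match' error)."""
    m = grok_to_regex(grok_expr).match(message)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for label, expr in (("original", ORIGINAL_GROK), ("fixed", FIXED_GROK)):
        for name, msg in (("empty access-group", SAMPLE), ("named access-group", NAMED_SAMPLE)):
            result = parse_asa_106023(msg, expr)
            shown = "no match" if result is None else repr(result["_temp__cisco_list_id"])
            print(f"{label:8} {name:18} -> {shown}")
```

Running the script shows the original expression matching only the constructed named variant and the fixed expression matching both, with `list_id` left unset for the empty case; in the real pipeline that unset field is what lets the event reach the index instead of being dropped with a grok failure.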
Error Message
Processor conditional with tag parse_106023 in pipeline logs-cisco_asa.log-2.37.0 failed with message: Provided Grok expressions do not match field value: [Deny tcp src outside:11.111.11.11/61943 dst identity:000.00.000.00/443 by access-group "" [0x3499b430, 0x0]]
Event Original
<164>2024-09-17T18:23:15Z mmc-raasa-fw1 : %ASA-4-106023: Deny tcp src outside:11.111.11.11/61943 dst identity:000.00.000.00/443 by access-group "" [0x3499b430, 0x0] ### What did you do? Default configuration. ### What did you see? See event original. ### What did you expect to see? Message should get correctly parsed and ingested. ### Anything else? We've tracked down the problem. It seems the default pipeline uses this grok expression, which does not allow for an empty access-group: ``` ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\\s*(\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group \"%{NOTSPACE:_temp_.cisco.list_id}\" ``` Changing it to (making access-group optional): ``` ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group \"%{NOTSPACE:_temp_.cisco.list_id}?\" ``` Fixed the issue. This may have been an edge case.