elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Cisco ASA] Add support for Authentication and VPN Events #4721

Open jamiehynds opened 3 years ago

jamiehynds commented 3 years ago

While the Cisco module provides coverage for some ASA authentication events, we regularly see requests for broader coverage of both authentication and VPN events.

Attached sheet includes all the relevant events that should be covered by the module. Cisco ASA Auth and VPN Events.xlsx

elasticmachine commented 3 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

jurim76 commented 3 years ago

Interesting, kibana shows VPN events for filebeat-7.9.3 (cisco module enabled), but not for filebeat-7.10.0.

jamiehynds commented 3 years ago

Hey @jurim76, there should be at least some VPN events showing, as our pipeline supports a few VPN events (e.g. 716002 and 713049). We haven't removed any events from the pipeline.

Could you provide some examples of events that you're no longer seeing?

jurim76 commented 3 years ago

Hello

Here are missing entries for VPN events

%ASA-4-106103: access-list VPN_FILTER_DEV denied icmp for user 'user.name' outside/172.16.24.67(8) -> outside/10.80.103.32(0) hit-cnt 1 first hit [0xc242c110, 0x0]

%ASA-5-746012: user-identity: Add IP-User mapping 10.160.103.32 - TEST\MSOL_956e694d46b7 Succeeded - PIP notification

%ASA-4-113019: Group = DefaultWEBVPNGroup, Username = user.name, IP = 90.90.90.90, Session disconnected. Session Type: SSL, Duration: 8h:46m:04s, Bytes xmt: 36535288, Bytes rcv: 12850300, Reason: Idle Timeout

Another issue is that filebeat is unable to start after installation with the cisco module enabled (filebeat 7.10.0, Debian 10). I'm able to start filebeat after deleting /usr/share/filebeat/module/cisco/umbrella/manifest.yml

apt install filebeat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  filebeat
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 34.3 MB of archives.
After this operation, 123 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 filebeat amd64 7.10.0 [34.3 MB]
Fetched 34.3 MB in 4s (8,653 kB/s)
Selecting previously unselected package filebeat.
(Reading database ... 51113 files and directories currently installed.)
Preparing to unpack .../filebeat_7.10.0_amd64.deb ...
Unpacking filebeat (7.10.0) ...
Setting up filebeat (7.10.0) ...
Installing new version of config file /etc/filebeat/fields.yml ...
Installing new version of config file /etc/filebeat/filebeat.reference.yml

filebeat modules enable cisco && filebeat
Exiting: Failed to start crawler: creating module reloader failed: Error getting config for fileset cisco/umbrella: Error interpreting the template of the input: template: text:1:9: executing "text" at <.input>: map has no entry for key "input"

Kibana search screenshots (filebeat 7.9.3, filebeat 7.10.0)
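For readers following the parsing side of this thread, here is an added example (written for this page, not code from the Elastic Cisco ASA integration or its ingest pipeline) that maps the three sample lines above to ECS-style fields and reports which lines it cannot map, which is the check that surfaced the 7.10.0 gap here. The message-ID regexes, the `asa.` prefix used for fields without an obvious ECS name, and the trailing 722033 line (constructed to demonstrate an uncovered ID) are all assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Sample lines copied from the thread above (the 113019 line with the extraction
# split "By tes" repaired). The last line is constructed here to show a message
# ID the parser does not cover.
SAMPLE_LINES = [
    "%ASA-4-106103: access-list VPN_FILTER_DEV denied icmp for user 'user.name' "
    "outside/172.16.24.67(8) -> outside/10.80.103.32(0) hit-cnt 1 first hit [0xc242c110, 0x0]",
    r"%ASA-5-746012: user-identity: Add IP-User mapping 10.160.103.32 - TEST\MSOL_956e694d46b7 Succeeded - PIP notification",
    "%ASA-4-113019: Group = DefaultWEBVPNGroup, Username = user.name, IP = 90.90.90.90, "
    "Session disconnected. Session Type: SSL, Duration: 8h:46m:04s, "
    "Bytes xmt: 36535288, Bytes rcv: 12850300, Reason: Idle Timeout",
    "%ASA-5-722033: Group <GP_CONSTRUCTED> User <user.name> IP <10.0.0.5> First TCP SVC connection established",
]

ASA_HEADER = re.compile(r"^%ASA-(?P<severity>\d)-(?P<code>\d{6}): (?P<body>.*)$")
DURATION = re.compile(r"^(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s$")

# One body pattern per supported message ID (an assumed subset, not the
# integration's grok set). Group names are mapped to field names below.
BODY_PATTERNS = {
    "106103": re.compile(
        r"access-list (?P<rule_name>\S+) (?P<action>permitted|denied) (?P<protocol>\S+) "
        r"for user '(?P<user_name>[^']+)' "
        r"(?P<src_iface>[^/]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
        r"(?P<dst_iface>[^/]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hit_count>\d+)"
    ),
    "746012": re.compile(
        r"user-identity: Add IP-User mapping (?P<src_ip>[\d.]+) - "
        r"(?P<user_domain>[^\\]+)\\(?P<user_name>\S+) (?P<outcome>Succeeded|Failed)"
    ),
    "113019": re.compile(
        r"Group = (?P<group>[^,]+), Username = (?P<user_name>[^,]+), IP = (?P<src_ip>[\d.]+), "
        r"Session disconnected\. Session Type: (?P<session_type>[^,]+), Duration: (?P<duration>[^,]+), "
        r"Bytes xmt: (?P<bytes_sent>\d+), Bytes rcv: (?P<bytes_received>\d+), Reason: (?P<reason>.+)$"
    ),
}

# ECS names where the mapping is unambiguous; everything else goes under an
# assumed "asa." prefix (this is not the integration's cisco.asa.* schema).
FIELD_NAMES = {
    "rule_name": "rule.name",
    "action": "event.action",
    "protocol": "network.transport",
    "user_name": "user.name",
    "user_domain": "user.domain",
    "src_ip": "source.ip",
    "src_port": "source.port",
    "dst_ip": "destination.ip",
    "dst_port": "destination.port",
    "src_iface": "observer.ingress.interface.name",
    "dst_iface": "observer.egress.interface.name",
    "group": "asa.group",
    "hit_count": "asa.hit_count",
    "session_type": "asa.session.type",
    "bytes_sent": "asa.session.bytes_sent",
    "bytes_received": "asa.session.bytes_received",
    "reason": "asa.session.disconnect_reason",
}
INT_FIELDS = {"src_port", "dst_port", "hit_count", "bytes_sent", "bytes_received"}


def duration_to_ns(text: str) -> int:
    """Convert the ASA 'Nh:Nm:Ns' duration to nanoseconds (ECS event.duration unit)."""
    m = DURATION.match(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return seconds * 1_000_000_000


def parse_asa_line(line: str) -> Optional[Dict[str, object]]:
    """Return an ECS-style document for a supported message ID, else None."""
    head = ASA_HEADER.match(line)
    if not head:
        return None
    code = head.group("code")
    pattern = BODY_PATTERNS.get(code)
    if pattern is None:
        return None  # uncovered message ID
    body = pattern.match(head.group("body"))
    if body is None:
        return None  # covered ID but unexpected body layout: also worth surfacing
    doc: Dict[str, object] = {
        "event.code": code,
        "log.syslog.severity.code": int(head.group("severity")),
        "event.original": line,  # keep the raw line so nothing is lost on a partial parse
    }
    for name, value in body.groupdict().items():
        if name == "outcome":
            doc["event.outcome"] = "success" if value == "Succeeded" else "failure"
        elif name == "duration":
            doc["event.duration"] = duration_to_ns(value)
        else:
            doc[FIELD_NAMES[name]] = int(value) if name in INT_FIELDS else value
    return doc


def coverage_gaps(lines: List[str]) -> List[str]:
    """Lines that yield no document: the ones a pipeline would leave in event.original only."""
    return [line for line in lines if parse_asa_line(line) is None]


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_asa_line(sample))
    print("uncovered:", coverage_gaps(SAMPLE_LINES))
```

Running `coverage_gaps` over a day of real ASA output is a cheap way to list which message IDs a pipeline silently drops into `event.original`, which is exactly the kind of list this issue is asking for.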

jamiehynds commented 3 years ago

Thanks for the additional information! Both 106103 and 113019 are included in our ingest pipeline, so they should definitely be appearing.

@marc-gr @P1llus any thoughts on the Filebeat error, seems to be related to Umbrella?

P1llus commented 3 years ago

I can quickly comment on the Umbrella side, there has been a fix created for this, so the workaround should not need to be applied in the next release: https://github.com/elastic/beats/pull/22892

For the different events that are not being ingested, I would need to come back to you on that one.

jurim76 commented 3 years ago

Hello,

The bug still exists for filebeat 7.11.1

2021-03-01T10:13:07.610Z ERROR fileset/factory.go:121 Error checking input configuration: No paths were defined for input accessing config
2021-03-01T10:13:07.621Z ERROR instance/beat.go:971 Exiting: Failed to start crawler: creating module reloader failed: No paths were defined for input accessing config

MarcusCaepio commented 3 years ago

Looks like my current issue is relevant to this elastic/beats#24721

MarcusCaepio commented 3 years ago

Hi all, in addition to the list of @jamiehynds, please also add the message ID %ASA-7-734003. This message shows very important information when debugging VPN problems. The ASA prints several messages with the same Syslog ID for the username and all Attribute/Value Pairs. The Log Messages look like this:

%ASA-7-734003: DAP: User name, Addr ipaddr: Session Attribute: attr name/value
user — The authenticated username
ipaddr — The IP address of the remote client
attr/value — The AAA or endpoint attribute name and value

Possible Attributes for example:

So in this case, the ASA syslog would send 8 syslog messages, all with the same username and every single attribute. The hard part here will be to combine every message into a single document based on the username, or at least to create the necessary endpoint.anyconnect.x fields.
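To show what combining those per-attribute 734003 messages into one document looks like in practice, here is an added example written for this page (not code from the Elastic integration, and not a pipeline the project ships). It folds every `%ASA-7-734003` line for the same user and address into a single document keyed by that pair, copying each attribute name (for example `endpoint.anyconnect.platform`) in as a field and keeping every source line. The sample lines, the attribute names and values, the `asa.dap.attribute_count` field and the `name = value` separator are constructed assumptions, since the attribute list in the comment above did not survive; the regex also accepts `name: value`.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# Format follows the documented shape quoted above ("DAP: User name, Addr ipaddr:
# Session Attribute attr name/value"); the "name = value" separator is assumed.
# The address group does not handle IPv6 literals containing ':'.
DAP = re.compile(
    r"^%ASA-7-734003: DAP: User (?P<user>[^,]+), Addr (?P<addr>[^:]+): "
    r"Session Attribute (?P<name>[\w.]+)\s*[=:]\s*(?P<value>.+?)\s*$"
)

# Constructed sample: 8 attribute messages for one session (the "8 syslog
# messages" case in the comment), an unrelated line, and a second session.
# Attribute names/values and RFC 5737 addresses are made up for this example.
SAMPLE_LINES = [
    "%ASA-7-734003: DAP: User alice, Addr 198.51.100.10: Session Attribute aaa.cisco.grouppolicy = GP_REMOTE",
    "%ASA-7-734003: DAP: User alice, Addr 198.51.100.10: Session Attribute aaa.cisco.tunnelgroup = TG_REMOTE",
    "%ASA-7-734003: DAP: User alice, Addr 198.51.100.10: Session Attribute endpoint.anyconnect.clientversion = 4.10.05085",
    "%ASA-7-734003: DAP: User alice, Addr 198.51.100.10: Session Attribute endpoint.anyconnect.platform = win",
    "%ASA-7-734003: DAP: User alice, Addr 198.51.100.10: Session Attribute endpoint.anyconnect.platformversion = 10.0.19045",
    "%ASA-7-734003: DAP: User alice, Addr 198.51.100.10: Session Attribute endpoint.anyconnect.devicetype = Laptop",
    "%ASA-7-734003: DAP: User alice, Addr 198.51.100.10: Session Attribute endpoint.anyconnect.macaddress = 00:11:22:33:44:55",
    "%ASA-7-734003: DAP: User alice, Addr 198.51.100.10: Session Attribute endpoint.anyconnect.useragent = AnyConnect Windows 4.10.05085",
    "%ASA-6-722022: Group <GP_REMOTE> User <alice> IP <198.51.100.10> TCP SVC connection established (constructed, not a DAP line)",
    "%ASA-7-734003: DAP: User bob, Addr 203.0.113.7: Session Attribute endpoint.anyconnect.clientversion = 4.9.06037",
]

SessionKey = Tuple[str, str]


def aggregate_dap(lines: List[str]) -> "OrderedDict[SessionKey, Dict[str, object]]":
    """Fold all 734003 lines into one document per (user, address) session."""
    sessions: "OrderedDict[SessionKey, Dict[str, object]]" = OrderedDict()
    for line in lines:
        m = DAP.match(line)
        if not m:
            continue  # other message IDs are handled by their own parsers
        key = (m["user"], m["addr"])
        doc = sessions.setdefault(key, {
            "event.code": "734003",
            "user.name": m["user"],
            "source.ip": m["addr"],
            "asa.dap.attribute_count": 0,   # assumed field name
            "event.original": [],           # every contributing raw line, for audit
        })
        doc[m["name"]] = m["value"]         # e.g. endpoint.anyconnect.platform = win
        doc["asa.dap.attribute_count"] += 1
        doc["event.original"].append(line)
    return sessions


def anyconnect_fields(doc: Dict[str, object]) -> Dict[str, object]:
    """Just the endpoint.anyconnect.* subset the comment above asks for."""
    return {k: v for k, v in doc.items() if k.startswith("endpoint.anyconnect.")}


if __name__ == "__main__":
    for key, doc in aggregate_dap(SAMPLE_LINES).items():
        print(key, anyconnect_fields(doc))
```

Keying on both user and address rather than the username alone keeps two concurrent sessions of the same account apart; in a streaming pipeline the same fold would be flushed when the matching disconnect event for that user and address arrives.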

jurim76 commented 2 years ago

Some notes from me. Cisco ASA-5-722033 VPN messages are shown in Kibana in the "event.original" field, not in the "message" field, and are therefore not searchable via a KQL query.

Filebeat 7.15.1, Cisco ASA 9.14.2

botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

jamiehynds commented 1 year ago

Transferring to integrations repo.

botelastic[bot] commented 9 months ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!