search

logstash-plugins / logstash-patterns-core

Apache License 2.0
2.17k stars 979 forks source link

Additional patterns request for CISCO ASA message ids #240

Open JasperJuergensen opened 5 years ago

JasperJuergensen commented 5 years ago

Patterns for CISCO ASA-7-609001, ASA-6-604103, ASA-6-303002, ASA-6-607001 are missing.

ASA-6-303002 has already been requested in issue #208 and an implementation has been provided in #226

Sample Data:

<123>asa %ASA-7-609001: Built local-host outside:192.0.2.42
<123>asa %ASA-6-604103: DHCP daemon interface WLAN_Guests:  address granted abcd.abcd.abcd.e7 (192.0.2.42)
<123>asa %ASA-6-604103: DHCP daemon interface WLAN_Guests:  address granted abcd.abcd.abcd (192.0.2.42)
<123>asa %ASA-6-303002: FTP connection from inside:203.0.113.42/54321 to outside:192.0.2.42/21, user testuser Stored file test-file
<123>asa %ASA-6-607001: Pre-allocate SIP NOTIFY UDP secondary channel for DMZ:192.0.2.42/12006 to inside:203.0.113.42 from 200 message

Possible implementation for ASA-7-609001:

CISCOFW7609001 Built local-host %{DATA:interface}:%{IP:dst_ip}

Possible implementation for ASA-6-607001:

CISCOFW6607001 Pre-allocate %{WORD:protocol} NOTIFY UDP secondary channel for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip} from %{POSINT:message_count} message

Possible implementation for ASA-6-604103:

CISCOFW6604103 DHCP daemon interface %{GREEDYDATA:interface}:  address granted %{MAC:dst_mac}(?:\.[A-Da-f0-9]{2})? \(%{IP:dst_ip}\)

Possible implementation for ASA-6-303002 (from #226 ):

CISCOFW303002 FTP connection from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, user %{DATA:dst_user} %{DATA:ftp_action} file %{DATA:filename}
MakoWish commented 5 years ago

I found this page from a Google search for "ASA-7-609001" and was hoping for a solution. I have tried a custom pattern file, and I still get a grok parse failure. 

<123>asa %ASA-7-609001: Built local-host outside:192.0.2.42\n
<123>asa %ASA-7-609002: Teardown local-host outside:192.0.2.42 duration 0:02:25\n

This pattern works in grok debugger, but it does not seem to work in production:

CISCOFW609001_609002 %{CISCO_ACTION:action} %{WORD} %{DATA:src_interface}:%{IP:src_ip}?(\\n)?( duration %{TIME:duration})?(\\n)

Any suggestions?