wazuh / wazuh-ruleset

Wazuh - Ruleset
https://wazuh.com

add decoder for vpn aaa failure to cisco asa decoders #873

Open kai-hier opened 9 months ago

kai-hier commented 9 months ago

As of today all cisco "AAA user authentication Rejected" events are handled by the generic fallback cisco-asa decoder:

*Phase 1: Completed pre-decoding.
    full event: 'vpn04 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.157.48.36 : user = ***** : user IP = 84.118.205.121'

**Phase 2: Completed decoding.
    name: 'cisco-asa'
    parent: 'cisco-asa'
    id: '6-113005'

**Phase 3: Completed filtering (rules).
    id: '64018'
    level: '5'
    description: 'ASA: AAA (VPN) authentication failed.'
    groups: '["syslog","cisco","cisco-asa","authentication_failed"]'
    firedtimes: '1'
    gdpr: '["IV_35.7.d","IV_32.2"]'
    gpg13: '["7.1"]'
    mail: 'false'
    pci_dss: '["10.2.4","10.2.5"]'
    tsc: '["CC6.1","CC6.8","CC7.2","CC7.3"]'
**Alert to be generated.

I would like to have another decoder added which can extract the server- and user-ip for further use in the dashboards. I made one like the following and added it to custom decoders, but it is ignored.

<decoder name="cisco-asa-aaa">
    <parent>cisco-asa</parent>
    <prematch offset="after_parent">6-13005</prematch>
    <regex offset="after_parent" type="pcre2">(\d-\w+): (AAA user authentication Rejected).:.\w+.=.(\w+\s\w+).:.\w+.=.(\d+\.\d+\.\d+\.\d+).:.*=.(\d+\.\d+\.\d+\.\d+)</regex>
    <order>id, description, reason, server_ip, scr_ip</order>
</decoder>

htothek commented 7 months ago

Hey! After working with your example a bit I was able to accomplish this.

<!--
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.1.1.1 : user = htothek : user IP = 8.8.8.8
-->
<decoder name="cisco-asa-aaa">
    <parent>cisco-asa</parent>
    <prematch offset="after_parent">6-113005</prematch>
    <regex offset="after_parent">(6-113005): (AAA user authentication Rejected) : reason = (AAA failure) : server = (\S+) : user = (\w+) : user IP = (\S+)</regex>
    <order>id, description, reason, server, user, userpublic</order>
</decoder>

Apr  4 18:57:27 10.1.1.2 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.1.1.1 : user = htothek : user IP = 8.8.8.8

**Phase 1: Completed pre-decoding.
        full event: 'Apr  4 18:57:27 10.1.1.2 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.1.1.1 : user = htothek : user IP = 8.8.8.8'
        timestamp: 'Apr  4 18:57:27'
        hostname: '10.1.1.2'

**Phase 2: Completed decoding.
        name: 'cisco-asa'
        parent: 'cisco-asa'
        description: 'AAA user authentication Rejected'
        dstuser: 'htothek'
        id: '6-113005'
        reason: 'AAA failure'
        server: '10.1.1.1'
        userpublic: '8.8.8.8'

**Phase 3: Completed filtering (rules).
        id: '64018'
        level: '5'
        description: 'ASA: AAA (VPN) authentication failed.'
        groups: '['syslog', 'cisco', 'cisco-asa', 'authentication_failed']'
        firedtimes: '2'
        gdpr: '['IV_35.7.d', 'IV_32.2']'
        gpg13: '['7.1']'
        mail: 'False'
        pci_dss: '['10.2.4', '10.2.5']'
        tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
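An added example, not part of this issue or the Wazuh ruleset: it replays the two decoders' prematch/regex pairs with Python's `re` against the events quoted above, to show why the first decoder is skipped (its prematch `6-13005` never occurs in `6-113005`) and that the second one works but does not match the first comment's event, where the user shows as `*****`. Assumptions: Python regex semantics are close enough to OS_Regex/PCRE2 for these patterns, and `after_parent` text begins at the message id.

```python
"""Replay the issue's decoders against sample %ASA-6-113005 events.

Added example (not the issue's or the ruleset's own code). Python's re stands in
for Wazuh's regex engine, and the event body is taken as the text that follows
the parent cisco-asa match, i.e. starting at the message id "6-113005".
"""
import re

# Constructed event bodies, built from the two events quoted in the thread.
EVENTS = {
    "htothek": "6-113005: AAA user authentication Rejected : reason = AAA failure"
               " : server = 10.1.1.1 : user = htothek : user IP = 8.8.8.8",
    "masked":  "6-113005: AAA user authentication Rejected : reason = AAA failure"
               " : server = 10.157.48.36 : user = ***** : user IP = 84.118.205.121",
}

# prematch / regex / order copied from the two decoders posted in the issue.
ORIGINAL = {
    "prematch": "6-13005",  # one digit short of the real message id 6-113005
    "regex": r"(\d-\w+): (AAA user authentication Rejected).:.\w+.=.(\w+\s\w+).:.\w+.=.(\d+\.\d+\.\d+\.\d+).:.*=.(\d+\.\d+\.\d+\.\d+)",
    "order": ["id", "description", "reason", "server_ip", "scr_ip"],
}
FIXED = {
    "prematch": "6-113005",
    "regex": r"(6-113005): (AAA user authentication Rejected) : reason = (AAA failure) : server = (\S+) : user = (\w+) : user IP = (\S+)",
    "order": ["id", "description", "reason", "server", "user", "userpublic"],
}
# Hypothetical variant of FIXED: \S+ for the user so masked names like ***** decode.
TOLERANT = dict(FIXED, regex=FIXED["regex"].replace("user = (\\w+)", "user = (\\S+)"))


def decode(decoder, body):
    """Return the <order> fields the decoder would set, or None if it is skipped."""
    # <prematch> must hit first; if it does not, the <regex> is never tried.
    if not re.search(decoder["prematch"], body):
        return None
    m = re.search(decoder["regex"], body)
    if not m:
        return None
    return dict(zip(decoder["order"], m.groups()))


if __name__ == "__main__":
    for name, dec in (("original", ORIGINAL), ("fixed", FIXED), ("tolerant", TOLERANT)):
        for ev, body in EVENTS.items():
            print(f"{name:8} {ev:8} -> {decode(dec, body)}")
```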