[Filebeat - Module Cisco-ASA] Parsing of Cisco Event Message 734001 #16212
Description
Hi all,
Describe the enhancement:
we recently switched from Logstash to Ingest with filebeat-cisco-asa and unfortunately noticed that one important Cisco message is not yet ingested (correctly): cisco.asa.message_id:734001. These messages give information about the DAP records a user gets when he connects via VPN, and they are very useful while troubleshooting VPN problems.
Describe a specific use case for the enhancement or feature:
The ID Pattern given by cisco looks like this:
%ASA-6-734001: DAP: User user, Addr ipaddr, Connection connection: The following DAP records were selected for this connection: DAP record names
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html#con_5678113
Here is a sample event:
%ASA-6-734001: DAP: User firstname.lastname@domain.com, Addr 1.2.3.4, Connection AnyConnect: The following DAP records were selected for this connection: dap_name1, dap_name2
The pattern and Logstash filter I used in the past look like this:
Pattern:
CISCOFW734001 DAP: User %{DATA:user}, Addr %{IP:src_ip}, Connection %{GREEDYDATA:connection_type}: The following DAP records were selected for this connection: %{GREEDYDATA:dap_records}
Filter:
if [dap_records] {
  mutate {
    # turn the comma-separated record list into an array field
    split => { "dap_records" => ", " }
  }
}
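To make the parsing step concrete, here is an added example (not part of the original issue and not code from the Filebeat module) that does in Python what the grok pattern and split filter above do: it extracts user, src_ip, connection_type and dap_records from a 734001 line, validates the address with the standard ipaddress module, and turns the record list into an array so events can be filtered by username without scanning the raw message text. The sample syslog lines, the hostname and the field names are constructed assumptions taken from the patterns quoted in this issue; the regular expression is my own equivalent of the CISCOFW734001 grok pattern, not the module's.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Regex equivalent of the grok pattern quoted in the issue (assumption: a syslog
# header such as "<timestamp> <host>" may precede the %ASA-6-734001: prefix, so
# the expression is not anchored at the start of the line).
DAP_734001 = re.compile(
    r"%ASA-\d-734001: DAP: User (?P<user>.*?), "
    r"Addr (?P<src_ip>[0-9a-fA-F:.]+), "
    r"Connection (?P<connection_type>.*?): "
    r"The following DAP records were selected for this connection: ?"
    r"(?P<dap_records>.*)$"
)

# Constructed sample events (the first one is the example from the issue).
SAMPLE_EVENTS = [
    "%ASA-6-734001: DAP: User firstname.lastname@domain.com, Addr 1.2.3.4, "
    "Connection AnyConnect: The following DAP records were selected for this "
    "connection: dap_name1, dap_name2",
    "Jun 10 12:00:00 asa-fw-01 %ASA-6-734001: DAP: User other.user@domain.com, "
    "Addr 2001:db8::10, Connection AnyConnect: The following DAP records were "
    "selected for this connection: dap_name2",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:1.2.3.4/443",
]


def parse_734001(line: str) -> Optional[Dict[str, object]]:
    """Parse one Cisco ASA 734001 message into structured fields.

    Returns None for lines that are not 734001 messages or whose address does
    not validate, so a caller can route them to the generic ASA parsing instead.
    """
    m = DAP_734001.search(line.strip())
    if not m:
        return None
    try:
        # Accepts IPv4 and IPv6 and normalises the textual form.
        src_ip = str(ipaddress.ip_address(m.group("src_ip")))
    except ValueError:
        return None
    # Same effect as the Logstash split on ", ": one array element per record.
    records: List[str] = [
        r.strip() for r in m.group("dap_records").split(",") if r.strip()
    ]
    return {
        "cisco.asa.message_id": "734001",
        "user": m.group("user"),
        "src_ip": src_ip,
        "connection_type": m.group("connection_type"),
        "dap_records": records,
    }


def events_for_user(lines: List[str], user: str) -> List[Dict[str, object]]:
    """Return the parsed 734001 events for one user.

    Filtering on the parsed user field is the structured equivalent of the slow
    free-text search over event.original described in the issue.
    """
    parsed = (parse_734001(line) for line in lines)
    return [ev for ev in parsed if ev is not None and ev["user"] == user]


if __name__ == "__main__":
    for ev in events_for_user(SAMPLE_EVENTS, "firstname.lastname@domain.com"):
        print(ev)
```

The regex deliberately uses a non-greedy match for the user and connection fields, mirroring DATA/GREEDYDATA followed by fixed delimiters in the grok pattern, and the record split tolerates both ", " and "," separators.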
It would be very nice if this could be ingested by Filebeat, too. At the moment we are not able to use Elastic for this use case: we can search for the message ID, but as soon as we additionally search for a username in the event.original field, the search really takes very, very long.
As I am currently totally inexperienced in creating modules, I don't know if I can give constructive help here. But if somebody can lend me a hand on where I have to begin (besides the docs), I will try to help.
Also relates to #14151
Thanks in advance!
Cheers,
Marcus