Description
Integration Name
Cisco ASA [cisco_asa]
Dataset Name
No response
Integration Version
2.37.0
Agent Version
8.12.2
Agent Output Type
elasticsearch
Elasticsearch Version
8.12.2
OS Version and Architecture
RHEL 8.9
Software/API Version
No response
Error Message
Processor conditional with tag parse_106023 in pipeline logs-cisco_asa.log-2.37.0 failed with message: Provided Grok expressions do not match field value: [Deny tcp src outside:11.111.11.11/61943 dst identity:000.00.000.00/443 by access-group "" [0x3499b430, 0x0]]
Event Original
<164>2024-09-17T18:23:15Z mmc-raasa-fw1 : %ASA-4-106023: Deny tcp src outside:11.111.11.11/61943 dst identity:000.00.000.00/443 by access-group "" [0x3499b430, 0x0]
What did you do?
Default configuration.
What did you see?
See event original.
What did you expect to see?
Message should get correctly parsed and ingested.
Anything else?
We've tracked down the problem. It seems the default pipeline uses this grok expression, which does not allow for an empty access-group:
^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\\s*(\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group \"%{NOTSPACE:_temp_.cisco.list_id}\"
Changing it to (making access-group optional):
^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group \"%{NOTSPACE:_temp_.cisco.list_id}?\"
That fixed the issue.
This may have been an edge case.
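As an added demonstration (not code from the issue or from the Elastic integration), the script below expands both grok expressions into Python regexes using a small, assumed set of grok definitions (NOTCOLON and CISCO_USER are approximated) and runs them over the event body from the issue, showing that the original expression rejects the empty access-group while the one-character fix accepts it and still captures a named ACL.

```python
import re
from typing import Optional

# Simplified grok definitions for this demo (assumed; the real pipeline ships
# the standard grok library plus its own NOTCOLON/CISCO_USER definitions).
GROK_PATTERNS = {
    "NOTSPACE": r"\S+",
    "POSINT": r"\b[1-9][0-9]*\b",
    "DATA": r".*?",
    "NOTCOLON": r"[^:]+",
    "CISCO_USER": r"\S+",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9._-]+)",
}

# The expression quoted in the issue (Python-compatible escaping) and the
# proposed fix, which only adds '?' after the access-group capture.
ORIGINAL_GROK = (
    r'^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) '
    r'src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*'
    r'(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:'
    r'%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}"'
)
FIXED_GROK = ORIGINAL_GROK[:-1] + '?"'

def grok_to_regex(grok: str) -> str:
    """Expand %{NAME:field} / %{NAME} into Python named groups (dots become '_')."""
    def expand(m):
        sub = GROK_PATTERNS[m.group(1)]
        field = m.group(2)
        return f"(?P<{field.replace('.', '_')}>{sub})" if field else f"(?:{sub})"
    return re.sub(r"%\{(\w+)(?::([\w.]+))?\}", expand, grok)

def parse_106023(message: str, grok: str) -> Optional[dict]:
    """Return the captured fields, or None when the expression does not match."""
    m = re.match(grok_to_regex(grok), message)
    return None if m is None else {k: v for k, v in m.groupdict().items() if v is not None}

# Message body from the issue's "Event Original" (after the %ASA-4-106023: prefix)
# and a constructed variant with a named access-group.
EMPTY_ACL = 'Deny tcp src outside:11.111.11.11/61943 dst identity:000.00.000.00/443 by access-group "" [0x3499b430, 0x0]'
NAMED_ACL = EMPTY_ACL.replace('access-group ""', 'access-group "outside_in"')

if __name__ == "__main__":
    for label, grok in (("original", ORIGINAL_GROK), ("fixed", FIXED_GROK)):
        for msg in (EMPTY_ACL, NAMED_ACL):
            print(label, "->", parse_106023(msg, grok))
```

The original expression returns None for the empty access-group message (the pipeline's "Provided Grok expressions do not match" error), while the fixed one yields the source/destination fields with list_id simply absent.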