diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 10b465281038..b4718f529208 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -54,6 +54,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff] - Fix type mapping of client.as.number in okta module. {pull}31676[31676] - Fix last write pagination commit checkpoint on `aws-s3` input for s3 direct polling when using the same bucket and different list prefixes. {pull}31776[31776] - If a file is ignored by `filestream` because of ignore_older settings, when it is updated, only the new lines are shipped to the output. {issue}31924[31924] {pull}31972[31972] +- Fix handling and mapping of syslog priority, facility and severity values in Cisco module. {pull}32025[32025] *Heartbeat* - Fix unintentional use of no-op logger. {pull}31543[31543] diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 948708bb81a4..ba6386a1f51f 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -29,6 +29,9 @@ "log.file.path": "not-ip.log", "log.level": "notification", "log.offset": 0, + "log.syslog.facility.code": 20, + "log.syslog.priority": 165, + "log.syslog.severity.code": 5, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "OUTSIDE", @@ -46,7 +49,6 @@ "source.address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", "source.domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244", "source.port": 27218, - "syslog.facility": 165, "tags": [ "cisco-asa", "forwarded" diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index 82d1ee5dedac..26374ec1ba1c 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json 
@@ -4756,6 +4756,9 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 13909, + "log.syslog.facility.code": 1, + "log.syslog.priority": 13, + "log.syslog.severity.code": 5, "network.protocol": "tcp", "observer.egress.interface.name": "Inside", "observer.ingress.interface.name": "outside", @@ -4770,7 +4773,6 @@ "source.address": "54.239.28.85", "source.ip": "54.239.28.85", "source.port": 443, - "syslog.facility": 13, "tags": [ "cisco-asa", "forwarded" @@ -4797,6 +4799,9 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 14071, + "log.syslog.facility.code": 1, + "log.syslog.priority": 13, + "log.syslog.severity.code": 5, "network.protocol": "tcp", "observer.egress.interface.name": "Inside", "observer.ingress.interface.name": "outside", @@ -4811,7 +4816,6 @@ "source.address": "54.239.28.85", "source.ip": "54.239.28.85", "source.port": 443, - "syslog.facility": 13, "tags": [ "cisco-asa", "forwarded" diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log index 707bd4f4e54e..8bc484a39b22 100644 Binary files a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log and b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log differ diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json index 605eba1e2a75..ab73bc6f2e4a 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json 
@@ -11,12 +11,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -34,12 +36,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 194, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -57,12 +61,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 386, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "ChangeReconciliation.cgi", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -80,12 +86,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 568, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -103,12 +111,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 774, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "lights_out_mgmt.cgi", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" 
@@ -126,12 +136,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 943, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -149,12 +161,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 1072, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -172,12 +186,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 1191, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -195,12 +211,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 1316, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -218,12 +236,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 1440, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" 
@@ -241,12 +261,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 1575, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -264,12 +286,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 1721, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -287,12 +311,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 1867, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -310,12 +336,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 1984, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -333,12 +361,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 2128, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" 
@@ -356,12 +386,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 2285, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -379,12 +411,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 2436, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -402,12 +436,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 2580, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -425,12 +461,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 2737, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -448,12 +486,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 2888, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" 
@@ -471,12 +511,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 3032, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -494,12 +536,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 3143, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -517,12 +561,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 3267, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -540,12 +586,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 3440, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -563,12 +611,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 3564, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" 
@@ -586,12 +636,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 3739, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -609,12 +661,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 3874, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -632,12 +686,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 4002, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -655,12 +711,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 4113, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -678,12 +736,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 4238, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "index.cgi", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" 
@@ -701,12 +761,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 4357, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -724,12 +786,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 4492, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -747,12 +811,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 4686, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", - "syslog.facility": 14, "tags": [ "cisco-ftd", "forwarded" @@ -770,13 +836,14 @@ "input.type": "log", "log.level": "debug", "log.offset": 4870, + "log.syslog.facility.code": 1, + "log.syslog.priority": 14, + "log.syslog.severity.code": 6, "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", - "syslog.facility": 14, - "syslog.priority": 2, "tags": [ "cisco-ftd", "forwarded" diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index 2d85b823a655..f733a1e43093 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json 
@@ -28,6 +28,9 @@
 "input.type": "log",
 "log.level": "notification",
 "log.offset": 0,
+ "log.syslog.facility.code": 20,
+ "log.syslog.priority": 165,
+ "log.syslog.severity.code": 5,
 "network.iana_number": 6,
 "network.transport": "tcp",
 "observer.egress.interface.name": "OUTSIDE",
@@ -45,7 +48,6 @@
 "source.address": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
 "source.domain": "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244",
 "source.port": 27218,
- "syslog.facility": 165,
 "tags": [
 "cisco-ftd",
 "forwarded"
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index f171ee65ea3d..99a5782d57c2 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -15,7 +15,7 @@ processors:
 - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:log.original}"
 pattern_definitions:
 SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?"
- SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility:int}(?:.%{NONNEGINT:syslog.priority:int})?>"
+ SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.priority:int}>"
 # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424.
 FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})"
 ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?"
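Review bot: The new `SYSLOGFACILITY` definition only matches a bare `<N>`, so the `<facility.priority>` shape the removed line still accepted through `(?:.%{NONNEGINT:syslog.priority:int})?` is no longer parsed at all; the dropped `"syslog.priority": 2` expectation in firepower-management.log-expected.json together with the changed binary fixture suggests the test input contained such a line and was edited rather than the pattern widened. Because `%{SYSLOG_HEADER}` is wrapped in `(?:…)?`, a device that still emits that form will not produce a grok failure — the PRI, timestamp and host silently fall through into `log.original` and no `log.syslog.*` field is set — which is easy to miss in production. If that form is genuinely obsolete, say so next to the definition, e.g. `# Only the RFC 3164/5424 "<PRI>" form is parsed; the legacy "<facility.priority>" variant is deliberately unsupported`; if it is not, keep a non-capturing tail such as `(?:\\.%{NONNEGINT})?` (note the old pattern's unescaped `.` matched any character, not just a dot). The grok processor this definition belongs to starts above the hunk.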
@@ -24,6 +24,17 @@ processors: # exactly match the syntax for firepower management logs PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" + - script: + lang: painless + source: | + if (ctx.log?.syslog?.priority != null) { + def severity = new HashMap(); + severity['code'] = ctx.log.syslog.priority&0x7; + ctx.log.syslog['severity'] = severity; + def facility = new HashMap(); + facility['code'] = ctx.log.syslog.priority>>3; + ctx.log.syslog['facility'] = facility; + } # # Parse FTD/ASA style message
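Review bot: The script derives `facility['code']` as `priority>>3` without any range check, so a PRI above 191 (the largest valid value, facility 23 × 8 + severity 7) yields a facility code greater than 23; since `NONNEGINT` in the grok definition accepts any digit string, a malformed or deliberately crafted `<9999>` from a syslog sender ends up as `log.syslog.facility.code: 1249`, which can push events past detections or dashboards that filter on facility. Bound the value before deriving the sub-fields and leave `log.syslog.priority` as parsed so the bad value stays visible in the document; Painless map shortcuts also make the two `HashMap` temporaries unnecessary. The rewrite below produces the same output for the in-range fixtures in this change (165 → 20/5, 13 → 1/5, 14 → 1/6). ECS additionally defines `log.syslog.facility.name` and `log.syslog.severity.name`, which this hunk leaves unpopulated — worth either filling in or noting in a comment as out of scope.

```yaml
  - script:
      lang: painless
      source: |
        if (ctx.log?.syslog?.priority != null) {
          int pri = ctx.log.syslog.priority;
          // PRI = facility * 8 + severity; facility is 0-23, so anything above 191 is malformed.
          if (pri <= 191) {
            ctx.log.syslog.severity = ['code': pri & 0x7];
            ctx.log.syslog.facility = ['code': pri >> 3];
          }
        }
```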