elastic · robester0403 · Jul 31, 2025 · Jul 30, 2025 · Jul 30, 2025 · Jul 30, 2025
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.9.2"
+  changes:
+    - description: Fix parsing for message ID 113014.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14757
 - version: "3.9.1"
   changes:
     - description: Ensure observer zone fields are set.

@@ -28,6 +28,7 @@ May  5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error mess
 <166>Feb 01 2025 21:57:35 hit_count : %FTD-6-113008: AAA transaction status ACCEPT : user = nice_guy
 <166>Feb 01 2025 21:57:35 hit_count : %FTD-6-113009: AAA retrieved default group policy (DEF_REMOTE_VPN_GROUP) for user = nice_guy
 <166>Feb 01 2025 18:41:45 hit_count : %FTD-6-113014: AAA authentication server not accessible : server = 10.10.10.6 : user = *****
+<166>Feb 01 2025 18:43:42 hit_count : %FTD-6-113014: AAA authentication server not accessible : server =  10.10.10.10 : user = *****
 <165>Feb 01 2025 21:57:37 hit_count : %FTD-5-109201: UAUTH: Session=0x07802000, User=abbie_normal, Assigned IP=10.0.10.101, Succeeded adding entry.
 <165>Feb 01 2025 21:56:23 hit_count : %FTD-5-109207: UAUTH: Session=0x07676000, User=abbie, Assigned IP=10.0.10.109, Succeeded updating entry.
 <165>Feb 01 2025 21:57:53 hit_count : %FTD-5-109210: UAUTH: Session=0x07800000, User=drew, Assigned IP=10.0.10.111, Succeeded removing entry.

@@ -2212,6 +2212,52 @@
                 "preserve_original_event"
             ]
         },
+        {
+            "@timestamp": "2025-02-01T18:43:42.000Z",
+            "destination": {
+                "address": "10.10.10.10",
+                "ip": "10.10.10.10"
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "action": "logon-failed",
+                "code": "113014",
+                "original": "<166>Feb 01 2025 18:43:42 hit_count : %FTD-6-113014: AAA authentication server not accessible : server =  10.10.10.10 : user = *****",
+                "outcome": "failure",
+                "severity": 6,
+                "timezone": "UTC"
+            },
+            "log": {
+                "level": "informational",
+                "syslog": {
+                    "facility": {
+                        "code": 20
+                    },
+                    "priority": 166,
+                    "severity": {
+                        "code": 6
+                    }
+                }
+            },
+            "observer": {
+                "product": "ftd",
+                "type": "idps",
+                "vendor": "Cisco"
+            },
+            "process": {
+                "name": "hit_count"
+            },
+            "related": {
+                "ip": [
+                    "10.10.10.10"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
         {
             "@timestamp": "2025-02-01T21:57:37.000Z",
             "ecs": {

@@ -409,7 +409,7 @@ processors:
       description: "113014"
       field: "message"
       patterns:
-          - "AAA authentication server not accessible(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: [Uu]ser = (%{CISCO_USER:source.user.name}|\\*+)(%{SPACE})?"
+          - "AAA authentication server not accessible(%{SPACE})?: server =(%{SPACE})?%{IP:destination.address}(%{SPACE})?: [Uu]ser = (%{CISCO_USER:source.user.name}|\\*+)(%{SPACE})?"
       pattern_definitions:
         CISCO_USER: ((LOCAL\\+)?(%{HOSTNAME}\\+)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
   - dissect:

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ftd
 title: Cisco FTD
-version: "3.9.1"
+version: "3.9.2"
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration
 categories: