diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml index f2836b68e1a..916ddeb3b1d 100644 --- a/packages/cisco_asa/changelog.yml +++ b/packages/cisco_asa/changelog.yml @@ -1,4 +1,12 @@ # newer versions go on top +- version: "2.4.2" + changes: + - description: Map syslog priority details according to ECS + type: bugfix + link: https://github.com/elastic/integrations/pull/3549 + - description: Extract syslog facility and severity codes from syslog priority + type: bugfix + link: https://github.com/elastic/integrations/pull/3549 - version: "2.4.1" changes: - description: Ensure invalid event.outcome does not get recorded in event diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json index 4f193596abb..73817b19ee4 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json @@ -45,7 +45,16 @@ ] }, "log": { - "level": "notification" + "level": "notification", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 165, + "severity": { + "code": 5 + } + } }, "network": { "iana_number": "6", @@ -79,11 +88,6 @@ "domain": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244", "port": 27218 }, - "syslog": { - "facility": { - "code": 165 - } - }, "tags": [ "preserve_original_event" ] diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 727d8b4eb39..f5412496e7a 100644 --- a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -19,7 +19,7 @@ processors: - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" pattern_definitions: SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" - SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility.code:int}(?:.%{NONNEGINT:syslog.priority:int})?>" + SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.priority:int}>" # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" @@ -28,6 +28,17 @@ processors: # exactly match the syntax for firepower management logs PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" + - script: + lang: painless + source: | + if (ctx.log?.syslog?.priority != null) { + def severity = new HashMap(); + severity['code'] = ctx.log.syslog.priority&0x7; + ctx.log.syslog['severity'] = severity; + def facility = new HashMap(); + facility['code'] = ctx.log.syslog.priority>>3; + ctx.log.syslog['facility'] = facility; + } # # Parse FTD/ASA style message diff --git a/packages/cisco_asa/data_stream/log/fields/ecs.yml b/packages/cisco_asa/data_stream/log/fields/ecs.yml index 71143f2c0c2..28967499e89 100644 --- a/packages/cisco_asa/data_stream/log/fields/ecs.yml +++ b/packages/cisco_asa/data_stream/log/fields/ecs.yml @@ -78,6 +78,12 @@ name: log.file.path - external: ecs name: log.level +- external: ecs + name: log.syslog.priority +- external: ecs + name: log.syslog.facility.code +- external: ecs + name: log.syslog.severity.code - external: ecs name: message - external: ecs diff --git a/packages/cisco_asa/data_stream/log/sample_event.json b/packages/cisco_asa/data_stream/log/sample_event.json index 7d6958b5c6d..fa30377de4b 100644 
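Review bot: The new `SYSLOGFACILITY` definition drops the optional `.N` suffix the old pattern tolerated, so a header such as `<14.2>` no longer matches `SYSLOG_HEADER` and the whole line, timestamp and host included, falls through into `_temp_.full_message`. The cisco_ftd fixture updated in this same PR (test-firepower-management) records exactly that outcome for its `<14.2>Aug 14 2019 ...` event: `@timestamp` and `host.name` vanish and `process.name` becomes `<14.2>Aug`; the ASA pipeline shares this header grok, so the same input shape would regress here too. Suggest keeping the suffix accepted while still mapping the priority to ECS, with the dot escaped rather than the old any-character `.`: `SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.priority:int}(?:\\.%{NONNEGINT})?>"`. If the `<PRI.N>` form is deliberately unsupported for ASA, a fixture pinning the fallback behaviour would make that intent explicit. The enclosing grok processor begins above this hunk.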
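Review bot: The painless script derives `facility.code` as `priority>>3` without bounding the input, so a header like `<300>`, which `NONNEGINT` accepts as any run of digits, produces a facility code of 37, outside the 0–23 range the ECS field descriptions added in this PR commit to. These headers arrive straight off the wire, so a misconfigured or spoofing sender can populate out-of-range codes that skew facility-based dashboards or detections instead of being flagged. I would guard the derivation, e.g. `if (ctx.log?.syslog?.priority != null && ctx.log.syslog.priority >= 0 && ctx.log.syslog.priority <= 191) {`, and leave the codes unset (or tag the event) otherwise. Note also that the script replaces any existing `log.syslog.severity`/`facility` object with a fresh HashMap; if an upstream input ever sets e.g. `facility.name`, that would be lost — presumably not the case for this data stream, but worth confirming.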
--- a/packages/cisco_asa/data_stream/log/sample_event.json +++ b/packages/cisco_asa/data_stream/log/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "agent": { - "ephemeral_id": "20ad3c57-e3e6-4064-a346-d303aa6d401e", - "id": "adecf804-775a-4deb-8b7f-486ddc33b19e", + "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0", + "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.0" @@ -27,7 +27,7 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "adecf804-775a-4deb-8b7f-486ddc33b19e", + "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", "snapshot": false, "version": "8.2.0" }, @@ -39,7 +39,7 @@ ], "code": "305011", "dataset": "cisco_asa.log", - "ingested": "2022-05-16T01:09:09Z", + "ingested": "2022-06-21T10:34:19Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", "severity": 6, @@ -57,7 +57,7 @@ "log": { "level": "informational", "source": { - "address": "192.168.160.4:44914" + "address": "192.168.208.4:52674" } }, "network": { diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md index f46ca4ceb73..74a9619b684 100644 --- a/packages/cisco_asa/docs/README.md +++ b/packages/cisco_asa/docs/README.md @@ -17,8 +17,8 @@ An example event for `log` looks as following: { "@timestamp": "2018-10-10T12:34:56.000Z", "agent": { - "ephemeral_id": "20ad3c57-e3e6-4064-a346-d303aa6d401e", - "id": "adecf804-775a-4deb-8b7f-486ddc33b19e", + "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0", + "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.0" 
@@ -43,7 +43,7 @@ An example event for `log` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "adecf804-775a-4deb-8b7f-486ddc33b19e", + "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", "snapshot": false, "version": "8.2.0" }, @@ -55,7 +55,7 @@ An example event for `log` looks as following: ], "code": "305011", "dataset": "cisco_asa.log", - "ingested": "2022-05-16T01:09:09Z", + "ingested": "2022-06-21T10:34:19Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", "severity": 6, @@ -73,7 +73,7 @@ An example event for `log` looks as following: "log": { "level": "informational", "source": { - "address": "192.168.160.4:44914" + "address": "192.168.208.4:52674" } }, "network": { 
@@ -250,6 +250,9 @@ An example event for `log` looks as following: | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Offset of the entry in the log file. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. 
This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml index 00ed0442888..f0cc6e7c4f7 100644 --- a/packages/cisco_asa/manifest.yml +++ b/packages/cisco_asa/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: cisco_asa title: Cisco ASA -version: 2.4.1 +version: 2.4.2 license: basic description: Collect logs from Cisco ASA with Elastic Agent. type: integration diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml index 25bb324a63c..4c0b0e64ea6 100644 --- a/packages/cisco_ftd/changelog.yml +++ b/packages/cisco_ftd/changelog.yml @@ -1,4 +1,12 @@ # newer versions go on top +- version: "2.2.2" + changes: + - description: Map syslog priority details according to ECS + type: bugfix + link: https://github.com/elastic/integrations/pull/3549 + - description: Extract syslog facility and severity codes from syslog priority + type: bugfix + link: https://github.com/elastic/integrations/pull/3549 - version: "2.2.1" changes: - description: Remove invalid values from ECS fields diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json index a608edcc48e..74e62bb1a86 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-firepower-management.log-expected.json @@ -17,7 +17,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", 
@@ -27,11 +36,6 @@ "process": { "name": "platformSettingEdit.cgi" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -53,7 +57,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -63,11 +76,6 @@ "process": { "name": "platformSettingEdit.cgi" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -89,7 +97,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -99,11 +116,6 @@ "process": { "name": "ChangeReconciliation.cgi" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -125,7 +137,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -135,11 +156,6 @@ "process": { "name": "platformSettingEdit.cgi" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -161,7 +177,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -171,11 +196,6 @@ "process": { "name": "lights_out_mgmt.cgi" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -197,7 +217,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", 
@@ -207,11 +236,6 @@ "process": { "name": "mojo_server.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -233,7 +257,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -243,11 +276,6 @@ "process": { "name": "mojo_server.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -269,7 +297,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -279,11 +316,6 @@ "process": { "name": "mojo_server.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -305,7 +337,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -315,11 +356,6 @@ "process": { "name": "mojo_server.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -341,7 +377,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -351,11 +396,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -377,7 +417,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", 
@@ -387,11 +436,6 @@ "process": { "name": "mojo_server.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -413,7 +457,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -423,11 +476,6 @@ "process": { "name": "mojo_server.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -449,7 +497,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -459,11 +516,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -485,7 +537,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -495,11 +556,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -521,7 +577,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -531,11 +596,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -557,7 +617,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", 
@@ -567,11 +636,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -593,7 +657,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -603,11 +676,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -629,7 +697,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -639,11 +716,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -665,7 +737,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -675,11 +756,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -701,7 +777,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -711,11 +796,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -737,7 +817,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", 
@@ -747,11 +836,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -773,7 +857,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -783,11 +876,6 @@ "process": { "name": "ActionQueueScrape.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -809,7 +897,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -819,11 +916,6 @@ "process": { "name": "ActionQueueScrape.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -845,7 +937,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -855,11 +956,6 @@ "process": { "name": "ActionQueueScrape.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -881,7 +977,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -891,11 +996,6 @@ "process": { "name": "ActionQueueScrape.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -917,7 +1017,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", 
@@ -927,11 +1036,6 @@ "process": { "name": "mojo_server.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -953,7 +1057,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -963,11 +1076,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -989,7 +1097,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -999,11 +1116,6 @@ "process": { "name": "sfdccsm" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -1025,7 +1137,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -1035,11 +1156,6 @@ "process": { "name": "mojo_server.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -1061,7 +1177,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -1071,11 +1196,6 @@ "process": { "name": "index.cgi" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -1097,7 +1217,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", 
@@ -1107,11 +1236,6 @@ "process": { "name": "mojo_server.pl" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -1133,7 +1257,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -1143,11 +1276,6 @@ "process": { "name": "platformSettingEdit.cgi" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] @@ -1169,7 +1297,16 @@ "name": "siem-management" }, "log": { - "level": "debug" + "level": "debug", + "syslog": { + "facility": { + "code": 1 + }, + "priority": 14, + "severity": { + "code": 6 + } + } }, "observer": { "product": "ftd", @@ -1179,17 +1316,11 @@ "process": { "name": "platformSettingEdit.cgi" }, - "syslog": { - "facility": { - "code": 14 - } - }, "tags": [ "preserve_original_event" ] }, { - "@timestamp": "2019-08-14T14:02:38.000Z", "cisco": { "ftd": { "security": {} @@ -1203,9 +1334,6 @@ "original": "\u003c14.2\u003eAug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, Devices \u003e Platform Settings \u003e Audit Log Settings \u003e Modified: Send Audit Log to Syslog enabled \u003e Disabled", "severity": 7 }, - "host": { - "name": "siem-management" - }, "log": { "level": "debug" }, @@ -1215,13 +1343,7 @@ "vendor": "Cisco" }, "process": { - "name": "platformSettingEdit.cgi" - }, - "syslog": { - "facility": { - "code": 14 - }, - "priority": 2 + "name": "\u003c14.2\u003eAug" }, "tags": [ "preserve_original_event" diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json index e27b534470d..b125fcf1514 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json 
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-not-ip.log-expected.json @@ -45,7 +45,16 @@ ] }, "log": { - "level": "notification" + "level": "notification", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 165, + "severity": { + "code": 5 + } + } }, "network": { "iana_number": "6", @@ -79,11 +88,6 @@ "domain": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244", "port": 27218 }, - "syslog": { - "facility": { - "code": 165 - } - }, "tags": [ "preserve_original_event" ] diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json index 7ecbe1e85f8..b1e93d65189 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-security-file-malware.log-expected.json @@ -1191,7 +1191,16 @@ "size": 7179 }, "log": { - "level": "alert" + "level": "alert", + "syslog": { + "facility": { + "code": 14 + }, + "priority": 113, + "severity": { + "code": 1 + } + } }, "network": { "application": [ @@ -1224,11 +1233,6 @@ "ip": "172.16.0.2", "port": 65000 }, - "syslog": { - "facility": { - "code": 113 - } - }, "tags": [ "preserve_original_event" ], diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 51dd1fc502a..38be2543cbc 100644 --- a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -19,7 +19,7 @@ processors: - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" pattern_definitions: SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" - SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility.code:int}(?:.%{NONNEGINT:syslog.priority:int})?>" + SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.priority:int}>" # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" @@ -28,6 +28,17 @@ processors: # exactly match the syntax for firepower management logs PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" + - script: + lang: painless + source: | + if (ctx.log?.syslog?.priority != null) { + def severity = new HashMap(); + severity['code'] = ctx.log.syslog.priority&0x7; + ctx.log.syslog['severity'] = severity; + def facility = new HashMap(); + facility['code'] = ctx.log.syslog.priority>>3; + ctx.log.syslog['facility'] = facility; + } # # Parse FTD/ASA style message diff --git a/packages/cisco_ftd/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/data_stream/log/fields/ecs.yml index 63bbe0f7fa4..ba804f8da32 100644 --- a/packages/cisco_ftd/data_stream/log/fields/ecs.yml +++ b/packages/cisco_ftd/data_stream/log/fields/ecs.yml @@ -102,6 +102,12 @@ name: log.file.path - external: ecs name: log.level +- external: ecs + name: log.syslog.priority +- external: ecs + name: log.syslog.facility.code +- external: ecs + name: log.syslog.severity.code - external: ecs name: message - external: ecs diff --git a/packages/cisco_ftd/data_stream/log/fields/fields.yml b/packages/cisco_ftd/data_stream/log/fields/fields.yml index cd3a6b2e3ab..26b46deb169 100644 
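Review bot: The rewritten `SYSLOGFACILITY` no longer matches the `<PRI.N>` header form, and the test-firepower-management fixture changed in this PR records the regression: the event whose original begins `<14.2>Aug 14 2019 14:02:38 platformSettingEdit.cgi: siem-management: ...` loses its `@timestamp` and `host.name`, and `process.name` is now `<14.2>Aug`, because the header grok failed and GREEDYDATA swallowed the line. That particular event is an audit record of an admin disabling "Send Audit Log to Syslog", so losing its host and time is a real detection gap rather than a cosmetic one. Restoring the optional suffix keeps the ECS mapping while matching as before, this time on a literal dot: `SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.priority:int}(?:\\.%{NONNEGINT})?>"`. The fixture should then be regenerated so that event regains host, timestamp and the new `log.syslog.*` fields instead of baking in the degraded output. The enclosing grok processor begins above this hunk.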
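Review bot: The script computes `severity.code` and `facility.code` from `log.syslog.priority` with no range check, yet the `NONNEGINT` capture feeding it accepts any digit string, so `<999>` yields facility 124 while the ECS descriptions added in this PR promise 0–23 and 0–191. Because the value is attacker-controlled transport metadata, silently storing out-of-range codes is worse than rejecting them — a hunt on `log.syslog.facility.code` would then include values that cannot be real. Bounding the condition, `if (ctx.log?.syslog?.priority != null && ctx.log.syslog.priority <= 191) {`, and leaving the codes unset otherwise keeps the mapping honest with one-line change. The unconditional `ctx.log.syslog['severity'] = severity` also overwrites any pre-existing severity/facility object rather than merging into it; if nothing upstream sets those for this data stream that is fine, but a short comment stating that assumption would help the next maintainer.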
--- a/packages/cisco_ftd/data_stream/log/fields/fields.yml +++ b/packages/cisco_ftd/data_stream/log/fields/fields.yml @@ -147,9 +147,3 @@ type: keyword description: |- AAA name of user requesting termination -- name: syslog.facility.code - type: long - description: Syslog numeric facility of the event. -- name: syslog.priority - type: long - description: Syslog priority of the event. diff --git a/packages/cisco_ftd/data_stream/log/sample_event.json b/packages/cisco_ftd/data_stream/log/sample_event.json index f4b4c4b0655..161d408ca21 100644 --- a/packages/cisco_ftd/data_stream/log/sample_event.json +++ b/packages/cisco_ftd/data_stream/log/sample_event.json @@ -1,12 +1,11 @@ { "@timestamp": "2019-08-16T09:39:03.000Z", "agent": { - "ephemeral_id": "dc7057b3-a7ae-4c27-9c9c-8de003cda102", - "hostname": "docker-fleet-agent", - "id": "43265318-62cb-431d-b8c2-c36438978d88", + "ephemeral_id": "173348ff-0df7-4c59-b0b0-f4aad4a82751", + "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.17.0" + "version": "8.2.0" }, "cisco": { "ftd": { @@ -64,9 +63,9 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "43265318-62cb-431d-b8c2-c36438978d88", + "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1", "snapshot": false, - "version": "7.17.0" + "version": "8.2.0" }, "event": { "action": "malware-detected", 
@@ -77,9 +76,9 @@ ], "code": "430005", "dataset": "cisco_ftd.log", - "ingested": "2022-04-11T08:03:35Z", + "ingested": "2022-06-22T01:38:18Z", "kind": "event", - "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", "severity": 1, "start": "2019-08-16T09:39:02Z", "timezone": "+00:00", @@ -98,12 +97,12 @@ "hostname": "firepower" }, "input": { - "type": "udp" + "type": "tcp" }, "log": { "level": "alert", "source": { - "address": "172.21.0.4:50821" + "address": "172.31.0.6:55524" } }, "network": { 
@@ -114,8 +113,8 @@ }, "observer": { "hostname": "firepower", - "product": "asa", - "type": "firewall", + "product": "ftd", + "type": "idps", "vendor": "Cisco" }, "related": { diff --git a/packages/cisco_ftd/docs/README.md b/packages/cisco_ftd/docs/README.md index acde41953a9..0e50692c489 100644 --- a/packages/cisco_ftd/docs/README.md +++ b/packages/cisco_ftd/docs/README.md @@ -22,12 +22,11 @@ An example event for `log` looks as following: { "@timestamp": "2019-08-16T09:39:03.000Z", "agent": { - "ephemeral_id": "dc7057b3-a7ae-4c27-9c9c-8de003cda102", - "hostname": "docker-fleet-agent", - "id": "43265318-62cb-431d-b8c2-c36438978d88", + "ephemeral_id": "173348ff-0df7-4c59-b0b0-f4aad4a82751", + "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.17.0" + "version": "8.2.0" }, "cisco": { "ftd": { @@ -85,9 +84,9 @@ An example event for `log` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "43265318-62cb-431d-b8c2-c36438978d88", + "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1", "snapshot": false, - "version": "7.17.0" + "version": "8.2.0" }, "event": { "action": "malware-detected", 
@@ -98,9 +97,9 @@ An example event for `log` looks as following: ], "code": "430005", "dataset": "cisco_ftd.log", - "ingested": "2022-04-11T08:03:35Z", + "ingested": "2022-06-22T01:38:18Z", "kind": "event", - "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", "severity": 1, "start": "2019-08-16T09:39:02Z", "timezone": "+00:00", 
@@ -119,12 +118,12 @@ An example event for `log` looks as following:
 "hostname": "firepower"
 },
 "input": {
- "type": "udp"
+ "type": "tcp"
 },
 "log": {
 "level": "alert",
 "source": {
- "address": "172.21.0.4:50821"
+ "address": "172.31.0.6:55524"
 }
 },
 "network": {
@@ -135,8 +134,8 @@ An example event for `log` looks as following:
 },
 "observer": {
 "hostname": "firepower",
- "product": "asa",
- "type": "firewall",
+ "product": "ftd",
+ "type": "idps",
 "vendor": "Cisco"
 },
 "related": {
@@ -182,7 +181,7 @@ An example event for `log` looks as following:
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| @timestamp | Event timestamp. | date |
 | cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip |
 | cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword |
 | cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword |
@@ -313,6 +312,9 @@ An example event for `log` looks as following:
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
@@ -369,8 +371,6 @@ An example event for `log` looks as following:
 | source.port | Port of the source. | long |
 | source.user.name | Short name or login of the user. | keyword |
 | source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| syslog.facility.code | Syslog numeric facility of the event. | long |
-| syslog.priority | Syslog priority of the event. | long |
 | tags | List of keywords used to tag each event. | keyword |
 | url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
 | url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
index 271de485edf..4cef366ed14 100644
--- a/packages/cisco_ftd/manifest.yml
+++ b/packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_ftd
 title: Cisco FTD
-version: 2.2.1
+version: 2.2.2
 license: basic
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration