elastic · efd6 · Jun 22, 2022 · Jun 21, 2022 · Jun 22, 2022
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "2.4.2"
+  changes:
+    - description: Map syslog priority details according to ECS
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3549
+    - description: Extract syslog facility and severity codes from syslog priority
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3549
 - version: "2.4.1"
   changes:
     - description: Ensure invalid event.outcome does not get recorded in event

@@ -45,7 +45,16 @@
                 ]
             },
             "log": {
-                "level": "notification"
+                "level": "notification",
+                "syslog": {
+                    "facility": {
+                        "code": 20
+                    },
+                    "priority": 165,
+                    "severity": {
+                        "code": 5
+                    }
+                }
             },
             "network": {
                 "iana_number": "6",
@@ -79,11 +88,6 @@
                 "domain": "WHAT-IS-THIS-A-HOSTNAME-192.168.2.244",
                 "port": 27218
             },
-            "syslog": {
-                "facility": {
-                    "code": 165
-                }
-            },
             "tags": [
                 "preserve_original_event"
             ]

@@ -19,7 +19,7 @@ processors:
         - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}"
       pattern_definitions:
         SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?"
-        SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility.code:int}(?:.%{NONNEGINT:syslog.priority:int})?>"
+        SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.priority:int}>"
         # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424.
         FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})"
         ASA_DATE: "(?:%{DAY} )?%{MONTH}  *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?"
@@ -28,6 +28,17 @@ processors:
         # exactly match the syntax for firepower management logs
         PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})"
         HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?"
+  - script:
+      lang: painless
+      source: |
+        if (ctx.log?.syslog?.priority != null) {
+          def severity = new HashMap();
+          severity['code'] = ctx.log.syslog.priority&0x7;
+          ctx.log.syslog['severity'] = severity;
+          def facility = new HashMap();
+          facility['code'] = ctx.log.syslog.priority>>3;
+          ctx.log.syslog['facility'] = facility;
+        }
 
   #
   # Parse FTD/ASA style message

@@ -78,6 +78,12 @@
   name: log.file.path
 - external: ecs
   name: log.level
+- external: ecs
+  name: log.syslog.priority
+- external: ecs
+  name: log.syslog.facility.code
+- external: ecs
+  name: log.syslog.severity.code
 - external: ecs
   name: message
 - external: ecs

@@ -1,8 +1,8 @@
 {
     "@timestamp": "2018-10-10T12:34:56.000Z",
     "agent": {
-        "ephemeral_id": "20ad3c57-e3e6-4064-a346-d303aa6d401e",
-        "id": "adecf804-775a-4deb-8b7f-486ddc33b19e",
+        "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0",
+        "id": "c077f5c5-ca69-4197-9db5-7963794bdac3",
         "name": "docker-fleet-agent",
         "type": "filebeat",
         "version": "8.2.0"
@@ -27,7 +27,7 @@
         "version": "8.2.0"
     },
     "elastic_agent": {
-        "id": "adecf804-775a-4deb-8b7f-486ddc33b19e",
+        "id": "c077f5c5-ca69-4197-9db5-7963794bdac3",
         "snapshot": false,
         "version": "8.2.0"
     },
@@ -39,7 +39,7 @@
         ],
         "code": "305011",
         "dataset": "cisco_asa.log",
-        "ingested": "2022-05-16T01:09:09Z",
+        "ingested": "2022-06-21T10:34:19Z",
         "kind": "event",
         "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
         "severity": 6,
@@ -57,7 +57,7 @@
     "log": {
         "level": "informational",
         "source": {
-            "address": "192.168.160.4:44914"
+            "address": "192.168.208.4:52674"
         }
     },
     "network": {

@@ -17,8 +17,8 @@ An example event for `log` looks as following:
 {
     "@timestamp": "2018-10-10T12:34:56.000Z",
     "agent": {
-        "ephemeral_id": "20ad3c57-e3e6-4064-a346-d303aa6d401e",
-        "id": "adecf804-775a-4deb-8b7f-486ddc33b19e",
+        "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0",
+        "id": "c077f5c5-ca69-4197-9db5-7963794bdac3",
         "name": "docker-fleet-agent",
         "type": "filebeat",
         "version": "8.2.0"
@@ -43,7 +43,7 @@ An example event for `log` looks as following:
         "version": "8.2.0"
     },
     "elastic_agent": {
-        "id": "adecf804-775a-4deb-8b7f-486ddc33b19e",
+        "id": "c077f5c5-ca69-4197-9db5-7963794bdac3",
         "snapshot": false,
         "version": "8.2.0"
     },
@@ -55,7 +55,7 @@ An example event for `log` looks as following:
         ],
         "code": "305011",
         "dataset": "cisco_asa.log",
-        "ingested": "2022-05-16T01:09:09Z",
+        "ingested": "2022-06-21T10:34:19Z",
         "kind": "event",
         "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
         "severity": 6,
@@ -73,7 +73,7 @@ An example event for `log` looks as following:
     "log": {
         "level": "informational",
         "source": {
-            "address": "192.168.160.4:44914"
+            "address": "192.168.208.4:52674"
         }
     },
     "network": {
@@ -250,6 +250,9 @@ An example event for `log` looks as following:
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
 | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_asa
 title: Cisco ASA
-version: 2.4.1
+version: 2.4.2
 license: basic
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration

@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "2.2.2"
+  changes:
+    - description: Map syslog priority details according to ECS
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3549
+    - description: Extract syslog facility and severity codes from syslog priority
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3549
 - version: "2.2.1"
   changes:
     - description: Remove invalid values from ECS fields