Use NOTSPACE instead of IP in groks

This allows logs like this to parse %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)
elastic · Jan 13, 2021 · f70b89a · f70b89a
1 parent 6423fc2
commit f70b89a
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 66 deletions.
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log b/x-pack/filebeat/module/cisco/asa/test/sample.log
@@ -38,7 +38,6 @@ Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/1
 Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Dec 11 2018 08:01:24 <IP>: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
-Dec 11 2018 08:01:24 <IP>: %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
 Dec 11 2018 08:01:24 <IP>: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
 Dec 11 2018 08:01:24 <IP>: %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
 Dec 11 2018 08:01:31 <IP>: %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)

diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json
@@ -2049,7 +2049,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 6318,
+        "log.offset": 6138,
         "network.iana_number": 17,
         "network.transport": "udp",
         "observer.egress.interface.name": "dmz",
@@ -2100,7 +2100,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 6468,
+        "log.offset": 6288,
         "network.iana_number": 17,
         "network.transport": "udp",
         "observer.egress.interface.name": "dmz",
@@ -2153,7 +2153,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 6618,
+        "log.offset": 6438,
         "network.direction": "outbound",
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2209,7 +2209,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 6788,
+        "log.offset": 6608,
         "network.direction": "outbound",
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2265,7 +2265,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 6958,
+        "log.offset": 6778,
         "network.bytes": 14804,
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2319,7 +2319,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 7123,
+        "log.offset": 6943,
         "network.bytes": 134781,
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2373,7 +2373,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 7289,
+        "log.offset": 7109,
         "network.bytes": 134781,
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2422,7 +2422,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 7455,
+        "log.offset": 7275,
         "network.transport": "(no",
         "observer.egress.interface.name": "outside",
         "observer.product": "asa",
@@ -2468,7 +2468,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 7597,
+        "log.offset": 7417,
         "network.transport": "(no",
         "observer.egress.interface.name": "outside",
         "observer.product": "asa",
@@ -2517,7 +2517,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 7739,
+        "log.offset": 7559,
         "network.iana_number": 17,
         "network.transport": "udp",
         "observer.egress.interface.name": "dmz",
@@ -2570,7 +2570,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 7890,
+        "log.offset": 7710,
         "network.direction": "outbound",
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2624,7 +2624,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 8064,
+        "log.offset": 7884,
         "network.direction": "outbound",
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2678,7 +2678,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 8238,
+        "log.offset": 8058,
         "network.bytes": 11420,
         "network.iana_number": 6,
         "network.transport": "tcp",
@@ -2732,7 +2732,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "informational",
-        "log.offset": 8403,
+        "log.offset": 8223,
         "network.bytes": 1416,
         "network.iana_number": 17,
         "network.transport": "udp",
@@ -2781,7 +2781,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 8545,
+        "log.offset": 8365,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -2829,7 +2829,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 8666,
+        "log.offset": 8486,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -2877,7 +2877,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 8787,
+        "log.offset": 8607,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -2925,7 +2925,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 8908,
+        "log.offset": 8728,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -2973,7 +2973,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 9029,
+        "log.offset": 8849,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -3021,7 +3021,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 9150,
+        "log.offset": 8970,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -3069,7 +3069,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 9271,
+        "log.offset": 9091,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -3117,7 +3117,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "critical",
-        "log.offset": 9393,
+        "log.offset": 9213,
         "observer.egress.interface.name": "Mobile_Traffic",
         "observer.hostname": "GIFRCHN01",
         "observer.product": "asa",
@@ -3168,7 +3168,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 9515,
+        "log.offset": 9335,
         "network.iana_number": 6,
         "network.transport": "tcp",
         "observer.egress.interface.name": "outside",
@@ -3220,7 +3220,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "error",
-        "log.offset": 9669,
+        "log.offset": 9489,
         "network.iana_number": 1,
         "network.transport": "icmp",
         "observer.egress.interface.name": "Outside",
@@ -3269,7 +3269,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 9779,
+        "log.offset": 9599,
         "network.iana_number": 1,
         "network.transport": "icmp",
         "observer.egress.interface.name": "inside",
@@ -3322,7 +3322,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 9915,
+        "log.offset": 9735,
         "network.iana_number": 6,
         "network.transport": "tcp",
         "observer.egress.interface.name": "inside",
@@ -3383,7 +3383,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 10166,
+        "log.offset": 9986,
         "network.iana_number": 6,
         "network.transport": "tcp",
         "observer.egress.interface.name": "inside",
@@ -3440,7 +3440,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "warning",
-        "log.offset": 10465,
+        "log.offset": 10285,
         "network.iana_number": 6,
         "network.transport": "tcp",
         "observer.egress.interface.name": "inside",
@@ -3487,7 +3487,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "notification",
-        "log.offset": 10762,
+        "log.offset": 10582,
         "observer.product": "asa",
         "observer.type": "firewall",
         "observer.vendor": "Cisco",
@@ -3529,7 +3529,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "notification",
-        "log.offset": 10839,
+        "log.offset": 10659,
         "observer.product": "asa",
         "observer.type": "firewall",
         "observer.vendor": "Cisco",
@@ -3572,7 +3572,7 @@
         "input.type": "log",
         "log.file.path": "sample.log",
         "log.level": "notification",
-        "log.offset": 10931,
+        "log.offset": 10751,
         "observer.egress.interface.name": "inside",
         "observer.product": "asa",
         "observer.type": "firewall",

diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log b/x-pack/filebeat/module/cisco/ftd/test/sample.log
@@ -38,7 +38,6 @@ Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/1
 Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0]
 Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80)
-Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)
 Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
 Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613]
 Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678)