Based on the test docs in the current 7.10 implementation there's an issue with population of host fields when the event is an observational event (e.g. not about the firewall itself)
Message IDs: 3*****
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0
output shows: "host.hostname": "SNL-ASA-VPN-A01"
Unless the message is related to the firewall itself the module should only be populating the observer fields. (e.g. local login, vpn operations, etc., unfortunately there doesn't seem to be an easy way to determine from e.g. the message groups)
**appears to be affecting Firepower messages as well
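A regression check for the behaviour reported above, as an added example that is not part of the original issue or of the module's own code: it flags output documents that set `host.*` on a 3***** message and shows the hostname carried under `observer.hostname` instead. The flattened-dict document shape, the `message` key holding the raw line, the function names and the second sample document are assumptions.

```python
import re

# ASA syslog tag, e.g. "%ASA-6-302021:" -> severity 6, message ID 302021
ASA_TAG = re.compile(r"%ASA-(\d)-(\d{6}):")

# Document built from the values quoted in the issue.
ISSUE_DOC = {
    "message": "%ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 "
               "gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0",
    "host.hostname": "SNL-ASA-VPN-A01",
}
# Constructed sample: an event about the firewall itself (message text is made up).
DEVICE_DOC = {
    "message": "%ASA-6-605005: Login permitted (constructed sample text)",
    "host.hostname": "SNL-ASA-VPN-A01",
    "observer.hostname": "SNL-ASA-VPN-A01",
}

def is_observational(message):
    """True for the message-ID class the issue names (3*****).

    Assumption: the leading digit is the only selector, because it is the only
    pattern the issue gives; it is not a complete classification.
    """
    m = ASA_TAG.search(message)
    return bool(m) and m.group(2).startswith("3")

def audit(doc):
    """Return findings for one flattened pipeline output document."""
    if not is_observational(doc.get("message", "")):
        return []
    findings = []
    host_keys = sorted(k for k in doc if k.startswith("host."))
    if host_keys:
        findings.append("host fields set on observational event: " + ", ".join(host_keys))
    if "observer.hostname" not in doc:
        findings.append("observer.hostname missing")
    return findings

def relocate(doc):
    """Copy of doc with host.hostname moved to observer.hostname when observational."""
    fixed = dict(doc)
    if is_observational(doc.get("message", "")) and "host.hostname" in fixed:
        # Keep an existing observer.hostname; otherwise take the value from host.hostname.
        fixed.setdefault("observer.hostname", fixed.pop("host.hostname"))
    return fixed

if __name__ == "__main__":
    for name, doc in (("issue", ISSUE_DOC), ("device", DEVICE_DOC)):
        print(name, audit(doc), "->", audit(relocate(doc)))
```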
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.