
[Filebeat][Cisco ASA] log enhancement and performance #24744

Merged
merged 23 commits into from
Apr 19, 2021

Conversation

andrewkroh
Member

@andrewkroh andrewkroh commented Mar 24, 2021

This revives #20831, which I didn't have edit permissions on.

What does this PR do?

This PR resolves some reported issues with ECS and Cisco ASA/FTD and adds new message patterns.

Overview of the Changes:

  • Adding 15 new message patterns with the dissect processor: 434004, 434002, 713905, 750002, 750003, 110002, 419002, 602304, 602303, 713120, 713202, 713901, 713904, 713906, 713905
  • Fix a parsing error that did not extract event.outcome and network.transport from 106015
  • All other processors associated with the new message IDs have been updated and extended
  • Further additional fields were derived from the logs
  • Changed event.outcome in script processor to ECS defined values.
  • Adding anchors to grok patterns with no conditional and to grok processors that use more than one pattern
  • Adding new event.action for user creation/deletion or bypass events
  • Fix 106014

Why is it important?

We think these are among the most used message types in Cisco ASA logs.
Adding the anchors increases throughput/performance. This is described in more detail in this blog article: https://www.elastic.co/blog/do-you-grok-grok. We need more event.actions for specific logs/events.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
  • I have made corresponding changes to the documentation

Related issues

pcosic and others added 18 commits August 27, 2020 16:56
- Fixed some ECS issues

- added anchors on grok patterns for performance

- added messages:
-------------------------
434004
434002
713905
750002
750003
110002
419002
602304
602303
713120
713202
713901
713904
713906
713905
-------------------------

- along with the message patterns, this commit also adds four new event action types in the script that maps event actions to event.kind/category/type

- added a set processor that adds outcome, action and protocol where necessary for the new messages
fix parsing error
and add enhancements
commit after running tests.
… space in between is optional in log message
This finally fixes 106014.
We have, AFAIK, two options: use IPORHOST so it does not match '(type', or use '(?<destination.address>[^ (]*)' so we only break on a space or '(' in case destination.address is weird.
NOTSPACE does not work in this case.
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Mar 24, 2021
@andrewkroh andrewkroh marked this pull request as ready for review March 24, 2021 18:48
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine
Collaborator

elasticmachine commented Mar 24, 2021

💚 Build Succeeded


Build stats

  • Build Cause: Pull request #24744 updated

  • Start Time: 2021-04-19T21:46:15.294+0000

  • Duration: 57 min 6 sec

  • Commit: 0b32165

Test stats 🧪

Test Results
Failed 0
Passed 6928
Skipped 1185
Total 8113


💚 Flaky test report

Tests succeeded.


@andrewkroh
Member Author

jenkins, run tests

@mergify
Contributor

mergify bot commented Apr 7, 2021

This pull request is now in conflict. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b evoila-ingestCiscoMessagePattern upstream/evoila-ingestCiscoMessagePattern
git merge upstream/master
git push upstream evoila-ingestCiscoMessagePattern

Contributor

@adriansr adriansr left a comment


LGTM

@andrewkroh andrewkroh merged commit 226485b into elastic:master Apr 19, 2021
@andrewkroh andrewkroh added backport-v7.13.0 Automated backport with mergify needs_integration_sync Changes in this PR need synced to elastic/integrations. labels Apr 19, 2021
mergify bot pushed a commit that referenced this pull request Apr 19, 2021
* ecs fix - more message pattern

- Fixed some ECS issues

- added anchors on grok patterns for performance

- added messages:
-------------------------
434004
434002
713905
750002
750003
110002
419002
602304
602303
713120
713202
713901
713904
713906
713905
-------------------------

- along with the message patterns, this commit also adds four new event action types in the script that maps event actions to event.kind/category/type

- added a set processor that adds outcome, action and protocol where necessary for the new messages

* Update asa-ftd-pipeline.yml

* Update asa-ftd-pipeline.yml

fix parsing error
and add enhancements

* Update asa-ftd-pipeline.yml

fix 602303

* testing for PR and some minor fixes

* commit for requested changes

* newline

* test

* make test commit

commit after running tests.

* Fix parsing on 106014 with an additional ${SPACE} in grok pattern, so space in between is optional in log message

* fixed 106014 finally

This finally fixes 106014.
We have, AFAIK, two options: use IPORHOST so it does not match '(type', or use '(?<destination.address>[^ (]*)' so we only break on a space or '(' in case destination.address is weird.
NOTSPACE does not work in this case.

* after test commit

* Test after merge

* Update generated

* Add changelog

* Undo meraki generated file changes

* Update generated

Co-authored-by: pcosic <[email protected]>
Co-authored-by: pcosic <[email protected]>
(cherry picked from commit 226485b)
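An added illustration of the 106014 parsing problem the commit message above describes; this is an editor's Python approximation of the grok pattern, not code from the PR or from the Filebeat pipeline, and the log lines, interface names and addresses are constructed. It shows why a greedy NOTSPACE can swallow "(type" when the space before it is optional and the pattern is lenient about the tail, while the `[^ (]` class stops at the parenthesis.

```python
import re
from typing import Optional

# Constructed sample lines shaped like ASA message 106014 (assumed to have
# the "%ASA-3-106014:" prefix already stripped); they are not from the PR.
# The second line has no space before "(type", the case the commit message
# describes.
SAMPLES = {
    "spaced": "Deny inbound icmp src outside:198.51.100.7 dst inside:192.0.2.10 (type 8, code 0)",
    "unspaced": "Deny inbound icmp src outside:198.51.100.7 dst inside:192.0.2.10(type 8, code 0)",
}

# Regex equivalents of the two grok choices discussed in the commit message.
NOTSPACE = r"\S+"              # grok NOTSPACE: greedy run of non-whitespace
NO_SPACE_OR_PAREN = r"[^ (]+"  # the '[^ (]' alternative: stop at ' ' or '('


def build_pattern(addr: str) -> "re.Pattern[str]":
    """Approximation of a 106014 grok pattern (not the pipeline's own):
    unanchored at the end, optional space before the ICMP tail, and the
    tail itself optional so that a lenient pattern still matches."""
    return re.compile(
        r"Deny inbound icmp src (?P<src_if>[^:\s]+):(?P<src_addr>" + addr + r")"
        r" dst (?P<dst_if>[^:\s]+):(?P<dst_addr>" + addr + r")"
        r"(?: ?\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
    )


def parse_106014(line: str, addr: str = NO_SPACE_OR_PAREN) -> Optional[dict]:
    """Return the captured fields, or None when the line does not match."""
    m = build_pattern(addr).search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    # With NOTSPACE the unspaced line yields dst_addr "192.0.2.10(type" and
    # loses icmp_type; with [^ (]+ both lines parse cleanly.
    for name, line in SAMPLES.items():
        for label, addr in (("NOTSPACE", NOTSPACE), ("[^ (]+", NO_SPACE_OR_PAREN)):
            f = parse_106014(line, addr)
            print(f"{name:8} {label:8} dst={f['dst_addr']!r} icmp_type={f['icmp_type']!r}")
```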
v1v added a commit to v1v/beats that referenced this pull request Apr 20, 2021
…-github-pr-comment-template

* upstream/master:
  [Ingest Manager] Keep http and logging config during enroll (elastic#25132)
  Refactor kubernetes autodiscover to avoid skipping short-living pods (elastic#24742)
  [libbeat] New decode xml wineventlog processor (elastic#25115)
  Add svc to agent k8s clusterRole (elastic#25146)
  Add awsfargate module to collect container logs from Amazon ECS on Fargate (elastic#25041)
  [Filebeat][Cisco ASA] log enhancement and performance (elastic#24744)
  Watch kubernetes namespaces for autodiscover metadata for pods (elastic#25117)
  Cyberark Privileged Access Security module (elastic#24803)
  [Elastic Agent] Log the container command output with LOGS_PATH (elastic#25150)
  Fix for tests after `device...` field has been removed (elastic#25141)
  [Ingest Manager] Restart process on output change (elastic#24907)
  Set --insecure in container when FLEET_SERVER_ENABLE and FLEET_INSECURE set. (elastic#25137)
  [filebeat] Update documentation / changelog / beta warnings for the syslog input (elastic#25047)
  Add support for ignore_inactive in filestream input (elastic#25036)
  Fix bug with annotations dedot config on k8s not used (elastic#25111)
andrewkroh added a commit that referenced this pull request Apr 20, 2021
andrewkroh added a commit that referenced this pull request Apr 20, 2021
… (#25158)

* [Filebeat][Cisco ASA] log enhancement and performance (#24744)


* geoip updates

Co-authored-by: Andrew Kroh <[email protected]>
Labels
backport-v7.13.0 Automated backport with mergify bug enhancement Filebeat Filebeat needs_integration_sync Changes in this PR need synced to elastic/integrations.