logstash-input-sdee 0.7.6 → 0.7.7
- checksums.yaml +4 -4
- data/CHANGELOG.md +2 -0
- data/DEVELOPER.md +2 -0
- data/Gemfile +2 -1
- data/lib/logstash/inputs/sdee.rb +2 -2
- data/logstash-input-sdee.gemspec +20 -15
- data/spec/inputs/sdee_spec.rb +11 -0
- metadata +40 -26
- data/examples/10-inputs.conf +0 -29
- data/examples/20-filter.conf +0 -56
- data/examples/30-outputs.conf +0 -5
- data/examples/dict/cisco.facility.yaml +0 -82
- data/examples/patterns/cisco +0 -133
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c60cdea95b9dfa2fbda788c2b4d77bb86fb0a566
|
4
|
+
data.tar.gz: 0b8e30d80123b765e3373686518708fe2a3c29cc
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0ca5fba5f3d0f9621913e5fcb36b5696e60677127027156f79a730058806780a1d7679cff8e4c52100416d5d2781ccd0303e108c4b214737b0645d0bfe6a41da
|
7
|
+
data.tar.gz: 8e7df7b885a0155bde73c74ab952506cc22b743d6b535123704f279671a9c4f347a4fccdb6b01d5f8fe2b46df77dbba44655ac5188f39b758126e3a58da4e34d
|
data/CHANGELOG.md
CHANGED
data/DEVELOPER.md
ADDED
data/Gemfile
CHANGED
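--- a/data/lib/logstash/inputs/sdee.rb
+++ b/data/lib/logstash/inputs/sdee.rb
@@ -234,7 +234,7 @@ class LogStash::Inputs::SDEE < LogStash::Inputs::Base
 
 # This is also in the metadata, but we send it anyone because we want this
 # persisted by default, whereas metadata isn't. People don't like mysterious errors
-event[
+event.set("[sdee_failure]") = {
 "request" => structure_request(request),
 "error" => exception.to_s,
 "backtrace" => exception.backtrace,
@@ -254,7 +254,7 @@ class LogStash::Inputs::SDEE < LogStash::Inputs::Base
 private
 def apply_metadata(event, request, response=nil, execution_time=nil)
 #return unless @metadata_target
-event[@metadata_target] = event_metadata(request, response, execution_time)
+event.set("[@metadata_target]") = event_metadata(request, response, execution_time)
 end
 
 private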
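--- a/data/logstash-input-sdee.gemspec
+++ b/data/logstash-input-sdee.gemspec
@@ -1,21 +1,26 @@
 Gem::Specification.new do |s|
-s.name
-s.version
-s.
-s.summary
-s.description
-s.
-s.
+s.name = 'logstash-input-sdee'
+s.version = '0.7.7'
+s.licenses = ['Apache License (2.0)']
+s.summary = 'Logstah SDEE input from Cisco ASA'
+s.description = 'This Logstash input plugin allows you to call a Cisco SDEE/CIDEE HTTP API, decode the output of it into event(s), and send them on their merry way.'
+s.homepage = 'http://rubygems.org/gems/logstash-input-sdee'
+s.authors = ['rootik']
+s.email = 'roootik@gmail.com'
 s.require_paths = ['lib']
 
-
-s.
-
-s.
-
+# Files
+s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+# Tests
+s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+# Special flag to let us know this is actually a logstash plugin
 s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
-
-
+
+# Gem dependencies
+s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
+s.add_runtime_dependency 'logstash-codec-plain'
+s.add_runtime_dependency 'stud', '>= 0.0.22'
+s.add_development_dependency 'logstash-devutils', '>= 0.0.16'
 s.add_runtime_dependency 'logstash-mixin-http_client', '>= 1.0.0', '<= 6.0.0'
-# s.add_runtime_dependency 'rubysl-rexml', '>= 2.0.0', '<= 3.0.0'
 end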
@@ -0,0 +1,11 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "logstash/devutils/rspec/spec_helper"
|
3
|
+
require "logstash/inputs/logstash-input-sdee"
|
4
|
+
|
5
|
+
describe LogStash::Inputs::SDEE do
|
6
|
+
|
7
|
+
it_behaves_like "an interruptible input plugin" do
|
8
|
+
let(:config) { { "interval" => 100 } }
|
9
|
+
end
|
10
|
+
|
11
|
+
end
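Review bot: The new spec requires `"logstash/inputs/logstash-input-sdee"`, but the plugin source listed in this commit is `lib/logstash/inputs/sdee.rb` and the gemspec sets `require_paths` to `lib`, so that path does not resolve and the spec will raise LoadError before the shared example runs; it should be `require "logstash/inputs/sdee"`. The file header for this hunk is not shown on the page — the diffstat at the top names it data/spec/inputs/sdee_spec.rb. Once the path is corrected, loading sdee.rb through it would also make any parse problem in that file fail the spec, which is most of the value this single interruptibility example adds.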
|
metadata
CHANGED
@@ -1,55 +1,71 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-input-sdee
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.7.
|
4
|
+
version: 0.7.7
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- rootik
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2017-03-29 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
|
-
name: logstash-core
|
14
|
+
name: logstash-core-plugin-api
|
15
15
|
requirement: !ruby/object:Gem::Requirement
|
16
16
|
requirements:
|
17
|
-
- - "
|
18
|
-
- !ruby/object:Gem::Version
|
19
|
-
version: 1.4.0
|
20
|
-
- - "<="
|
17
|
+
- - "~>"
|
21
18
|
- !ruby/object:Gem::Version
|
22
|
-
version: '2.
|
19
|
+
version: '2.0'
|
23
20
|
type: :runtime
|
24
21
|
prerelease: false
|
25
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - "~>"
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '2.0'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: logstash-codec-plain
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
26
30
|
requirements:
|
27
31
|
- - ">="
|
28
32
|
- !ruby/object:Gem::Version
|
29
|
-
version:
|
30
|
-
|
33
|
+
version: '0'
|
34
|
+
type: :runtime
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - ">="
|
31
39
|
- !ruby/object:Gem::Version
|
32
|
-
version: '
|
40
|
+
version: '0'
|
33
41
|
- !ruby/object:Gem::Dependency
|
34
|
-
name:
|
42
|
+
name: stud
|
35
43
|
requirement: !ruby/object:Gem::Requirement
|
36
44
|
requirements:
|
37
45
|
- - ">="
|
38
46
|
- !ruby/object:Gem::Version
|
39
|
-
version:
|
40
|
-
- - "<="
|
41
|
-
- !ruby/object:Gem::Version
|
42
|
-
version: '2.99'
|
47
|
+
version: 0.0.22
|
43
48
|
type: :runtime
|
44
49
|
prerelease: false
|
45
50
|
version_requirements: !ruby/object:Gem::Requirement
|
46
51
|
requirements:
|
47
52
|
- - ">="
|
48
53
|
- !ruby/object:Gem::Version
|
49
|
-
version:
|
50
|
-
|
54
|
+
version: 0.0.22
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: logstash-devutils
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - ">="
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: 0.0.16
|
62
|
+
type: :development
|
63
|
+
prerelease: false
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
65
|
+
requirements:
|
66
|
+
- - ">="
|
51
67
|
- !ruby/object:Gem::Version
|
52
|
-
version:
|
68
|
+
version: 0.0.16
|
53
69
|
- !ruby/object:Gem::Dependency
|
54
70
|
name: logstash-mixin-http_client
|
55
71
|
requirement: !ruby/object:Gem::Requirement
|
@@ -79,19 +95,16 @@ extra_rdoc_files: []
|
|
79
95
|
files:
|
80
96
|
- CHANGELOG.md
|
81
97
|
- CONTRIBUTORS
|
98
|
+
- DEVELOPER.md
|
82
99
|
- Gemfile
|
83
100
|
- LICENSE
|
84
101
|
- README.md
|
85
|
-
- examples/10-inputs.conf
|
86
|
-
- examples/20-filter.conf
|
87
|
-
- examples/30-outputs.conf
|
88
|
-
- examples/dict/cisco.facility.yaml
|
89
|
-
- examples/patterns/cisco
|
90
102
|
- lib/logstash/inputs/sdee.rb
|
91
103
|
- logstash-input-sdee.gemspec
|
104
|
+
- spec/inputs/sdee_spec.rb
|
92
105
|
homepage: http://rubygems.org/gems/logstash-input-sdee
|
93
106
|
licenses:
|
94
|
-
- Apache
|
107
|
+
- Apache License (2.0)
|
95
108
|
metadata:
|
96
109
|
logstash_plugin: 'true'
|
97
110
|
logstash_group: input
|
@@ -115,4 +128,5 @@ rubygems_version: 2.6.6
|
|
115
128
|
signing_key:
|
116
129
|
specification_version: 4
|
117
130
|
summary: Logstah SDEE input from Cisco ASA
|
118
|
-
test_files:
|
131
|
+
test_files:
|
132
|
+
- spec/inputs/sdee_spec.rb
|
data/examples/10-inputs.conf
DELETED
@@ -1,29 +0,0 @@
|
|
1
|
-
input {
|
2
|
-
|
3
|
-
sdee {
|
4
|
-
type => "sdee"
|
5
|
-
interval => 60
|
6
|
-
http => {
|
7
|
-
url => "http://ciscoips1"
|
8
|
-
auth => {
|
9
|
-
user => "cisco"
|
10
|
-
password => "p@ssw0rd"
|
11
|
-
}
|
12
|
-
}
|
13
|
-
}
|
14
|
-
|
15
|
-
sdee {
|
16
|
-
type => "sdee"
|
17
|
-
interval => 60
|
18
|
-
http => {
|
19
|
-
url => "https://ciscoips2"
|
20
|
-
# do not forget, you must add your device or CA certificate to Java trustStore. See README.md
|
21
|
-
truststore_password => "changeit"
|
22
|
-
auth => {
|
23
|
-
user => "cisco"
|
24
|
-
password => "p@ssw0rd"
|
25
|
-
}
|
26
|
-
}
|
27
|
-
}
|
28
|
-
|
29
|
-
}
|
data/examples/20-filter.conf
DELETED
@@ -1,56 +0,0 @@
|
|
1
|
-
filter {
|
2
|
-
if ([type] and ([type] == "syslog-relay") and !("_grokparsefailure" in [tags]) and !("pre-processed" in [tags])) {
|
3
|
-
grok {
|
4
|
-
match => {
|
5
|
-
"message" => "%{GREEDYDATA:cisco_message}"
|
6
|
-
}
|
7
|
-
add_tag => [ "parser_begin" ]
|
8
|
-
}
|
9
|
-
grok {
|
10
|
-
patterns_dir => [ "/etc/logstash/patterns" ]
|
11
|
-
match => {
|
12
|
-
"message" => "%{CTIMESTAMP}( %{SYSLOGHOST:host})? (?:%{INT:sequence}: %{MONTH} %{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}\.[0-9]+: )%{GREEDYDATA:message}"
|
13
|
-
}
|
14
|
-
overwrite => [ "message" ]
|
15
|
-
add_tag => [ "pre-processed" ]
|
16
|
-
add_field => {
|
17
|
-
"vendor" => "Cisco"
|
18
|
-
"device" => "SW or Router"
|
19
|
-
}
|
20
|
-
}
|
21
|
-
grok {
|
22
|
-
patterns_dir => [ "/etc/logstash/patterns" ]
|
23
|
-
match => {
|
24
|
-
"message" => "%{CISCO_TAG}: %{GREEDYDATA:message}"
|
25
|
-
}
|
26
|
-
overwrite => [ "message" ]
|
27
|
-
}
|
28
|
-
if [cisco_facility] {
|
29
|
-
translate {
|
30
|
-
field => "cisco_facility"
|
31
|
-
destination => "facility"
|
32
|
-
dictionary_path => [ "/etc/logstash/dict/cisco.facility.yaml" ]
|
33
|
-
override => true
|
34
|
-
remove_field => [cisco_facility]
|
35
|
-
}
|
36
|
-
}
|
37
|
-
if [cisco_severity] {
|
38
|
-
translate {
|
39
|
-
field => "cisco_severity"
|
40
|
-
destination => "severity"
|
41
|
-
dictionary => [
|
42
|
-
"0", "Emergency",
|
43
|
-
"1", "Alert",
|
44
|
-
"2", "Critical",
|
45
|
-
"3", "Error",
|
46
|
-
"4", "Warning",
|
47
|
-
"5", "Notification",
|
48
|
-
"6", "Informational",
|
49
|
-
"7", "Debugging" ]
|
50
|
-
override => true
|
51
|
-
remove_field => [cisco_severity]
|
52
|
-
}
|
53
|
-
}
|
54
|
-
|
55
|
-
}
|
56
|
-
}
|
data/examples/30-outputs.conf
DELETED
@@ -1,82 +0,0 @@
|
|
1
|
-
AUTHMGR: Authentication manager
|
2
|
-
ACLMGR: ACL manager
|
3
|
-
BACKUP_INTERFACE: Flex Links
|
4
|
-
BADTRANSCEIVER: Defective transceiver
|
5
|
-
BSPATCH: Boot loader patch
|
6
|
-
CFGMGR: Configuration manager
|
7
|
-
CLS_ACC: Consoleless access
|
8
|
-
CMP: Cluster Membership Protocol
|
9
|
-
DHCP_SNOOPING: DHCP snooping
|
10
|
-
DOT1X: 802.1x
|
11
|
-
DOT1X_SWITCH: 802.1x for switches
|
12
|
-
DTP: Dynamic Trunking Protocol
|
13
|
-
DWL: Down-when-looped
|
14
|
-
EC: EtherChannel
|
15
|
-
ENVIRONMENT: Environment Messages
|
16
|
-
EPM: Enforcement Policy Module
|
17
|
-
ETHCNTR: Ethernet controller
|
18
|
-
EXPRESS_SETUP: Express Setup
|
19
|
-
FRNTEND_CTRLR: Front-end controller
|
20
|
-
GBIC_SECURITY: GBIC and SFP module security
|
21
|
-
GBIC_SECURITY_CRYPT: GBIC and SFP module security
|
22
|
-
GBIC_SECURITY_UNIQUE: GBIC and SFP module security
|
23
|
-
HARDWARE: Hardware
|
24
|
-
LFM: Local forwarding manager
|
25
|
-
HPSECURE: Port security
|
26
|
-
HULC_LICENSE: Licensing
|
27
|
-
IFMGR: Interface manager
|
28
|
-
IGMP_QUERIER: IGMP querier
|
29
|
-
ILET: Cisco IOS License Enforcement Test
|
30
|
-
ILPOWER: PoE
|
31
|
-
IMAGEMGR: Image manager
|
32
|
-
IP: Internet Protocol
|
33
|
-
IP_DEVICE_TRACKING: IP device tracking
|
34
|
-
KEYMAN: Keyman Messages
|
35
|
-
MAC_MOVE: Host activity
|
36
|
-
PAGP: Port Aggregation Protocol
|
37
|
-
PHY: PHY
|
38
|
-
PIMSN: PIM snooping
|
39
|
-
PLATFORM: Low-level platform-specific
|
40
|
-
PLATFORM_SM10G: Platform FRULink 10G Service Module
|
41
|
-
PLATFORM_ENV: Platform environment
|
42
|
-
PLATFORM_FBM: Platform fallback bridging manager
|
43
|
-
PLATFORM_HCEF: Cisco Express Forwarding
|
44
|
-
PLATFORM_HPLM: Platform pseudo-label manager
|
45
|
-
PLATFORM_IPC: Platform Interprocess Communication Protocol
|
46
|
-
PLATFORM_IPv6_UCAST: IP Version 6 Unicast
|
47
|
-
PLATFORM_PBR: Platform policy-based routing
|
48
|
-
PLATFORM_PM: Platform port manager
|
49
|
-
PLATFORM_RPC: Platform remote procedure call
|
50
|
-
PLATFORM_SPAN: Platform switched port analyzer
|
51
|
-
PLATFORM_STACKPOWER: Platform stack power
|
52
|
-
PLATFORM_UCAST: Platform unicast routing
|
53
|
-
PLATFORM_VLAN: Platform VLAN
|
54
|
-
PLATFORM_WCCP: Platform WCCP
|
55
|
-
PM: Port manager
|
56
|
-
PORT_SECURITY: Port security
|
57
|
-
POWERNET_ISSU: EnergyWise domain
|
58
|
-
PT: Protocol tunneling
|
59
|
-
QOSMGR: QoS manager
|
60
|
-
RMON: Remote Network Monitoring (RMON)
|
61
|
-
SCHED: Schedule
|
62
|
-
SDM: Switch Database Manager
|
63
|
-
SESA: SESA
|
64
|
-
SPAN: Switched port analyzer
|
65
|
-
SPANTREE: Spanning tree
|
66
|
-
SPANTREE_FAST: Spanning-tree fast convergence
|
67
|
-
SPANTREE_VLAN_SW: Spanning-tree VLAN switch
|
68
|
-
STACKMGR: Stack manager
|
69
|
-
STORM_CONTROL: Storm control
|
70
|
-
SUPERVISOR: Supervisor ASIC
|
71
|
-
SUPQ: Supervisor queue
|
72
|
-
SW_DAI: Dynamic ARP inspection
|
73
|
-
SW_MACAUTH: MAC address authentication
|
74
|
-
SW_MATM: MAC address table manager
|
75
|
-
SW_VLAN: VLAN manager
|
76
|
-
SW_QOS_TB: QoS trusted boundary
|
77
|
-
TCAMMGR: Ternary content addressable memory manager
|
78
|
-
UDLD: UniDirectional Link Detection
|
79
|
-
UFAST_MCAST_SW: UplinkFast packet transmission
|
80
|
-
VLMAPLOG: VLAN Access Map Logs
|
81
|
-
VQPCLIENT: VLAN Query Protocol client
|
82
|
-
WCCP: WCCP
|
data/examples/patterns/cisco
DELETED
@@ -1,133 +0,0 @@
|
|
1
|
-
#== Cisco ASA ==
|
2
|
-
HOSTNAME \b(?:[_0-9A-Za-z][_0-9A-Za-z-]{0,62})(?:\.(?:[_0-9A-Za-z][_0-9A-Za-z-]{0,62}))*(\.?|\b)
|
3
|
-
CTIMESTAMP %{YEAR}-%{MONTHNUM2}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})(?:\.[0-9]+)?%{ISO8601_TIMEZONE}
|
4
|
-
CISCO_TAGGED %{CTIMESTAMP}( %{SYSLOGHOST:host})? %{CISCO_TAG:ciscotag}:
|
5
|
-
CISCO_ASA_TAGGED %{CTIMESTAMP}( %{SYSLOGHOST:host})? %{CISCO_ASA_TAG:ciscotag}:
|
6
|
-
CISCO_CLASS [0-9]{3}
|
7
|
-
CISCO_STRUC [A-Z0-9_]+
|
8
|
-
CISCO_TAG %{CISCO_STRUC:cisco_facility}-%{INT:cisco_severity}-%{CISCO_STRUC:cisco_mnemonic}|WLC[0-9]+
|
9
|
-
CISCO_ASA_TAG %[A-Z0-9_]+-%{INT:cisco_severity}-%{CISCO_CLASS:cisco_class}[0-9]{3}
|
10
|
-
# Common Particles
|
11
|
-
CISCO_ASA_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|received|denied by ACL|discarded|est-allowed|Dropping|dropping|created|deleted|SENDING|RECEIVED|monitored|dropped|terminated|Rejected
|
12
|
-
CISCO_ASA_REASON AAA failure|Duplicate TCP SYN|TCP Reset\-O|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
|
13
|
-
CISCO_ASA_DIRECTION Inbound|inbound|Outbound|outbound
|
14
|
-
CISCO_ASA_INTERVAL first hit|%{INT}-second interval
|
15
|
-
CISCO_ASA_XLATE_TYPE static|dynamic
|
16
|
-
# ASA-2-106001
|
17
|
-
CISCOASA106001 %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} connection %{DATA:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
|
18
|
-
# ASA-2-106006, ASA-2-106007, ASA-2-106010
|
19
|
-
CISCOASA106006_106007_106010 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_user}\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_user}\))? (?:on interface %{DATA:interface}|due to %{CISCO_ASA_REASON:reason})
|
20
|
-
# ASA-3-106014
|
21
|
-
CISCOASA106014 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_user}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_user}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\)
|
22
|
-
# ASA-6-106015
|
23
|
-
CISCOASA106015 %{CISCO_ASA_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IPORHOST:src_ip}/%{INT:src_port} to %{IPORHOST:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface}
|
24
|
-
# ASA-1-106021
|
25
|
-
CISCOASA106021 %{CISCO_ASA_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}
|
26
|
-
# ASA-4-106023
|
27
|
-
CISCOASA106023 %{CISCO_ASA_ACTION:action} %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_user}\))? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_user}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group "%{DATA:policy_id}" \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
|
28
|
-
# ASA-5-106100
|
29
|
-
CISCOASA106100 access-list %{WORD:policy_id} %{CISCO_ASA_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_user}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:dst_user}\))? hit-cnt %{INT:hit_count} %{CISCO_ASA_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
|
30
|
-
# ASA-6-110002
|
31
|
-
CISCOASA110002 %{CISCO_ASA_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
|
32
|
-
# ASA-5-111008
|
33
|
-
CISCOASA111008 User '%{DATA:user}' executed the '%{GREEDYDATA:cmd}' command\.
|
34
|
-
# ASA-7-111009
|
35
|
-
CISCOASA111009 User '%{DATA:user}' executed cmd: %{GREEDYDATA:cmd}
|
36
|
-
# ASA-5-111010
|
37
|
-
CISCOASA111010 User '%{DATA:user}', running '%{WORD:service}' from IP %{IPORHOST:src_ip}, executed '%{GREEDYDATA:cmd}'
|
38
|
-
# ASA-6-113004
|
39
|
-
CISCOASA113004 AAA user authentication Successful : server = \s*%{IPORHOST:server} : user = %{DATA:user}
|
40
|
-
# ASA-6-113005
|
41
|
-
CISCOASA113005 AAA user authentication %{CISCO_ASA_ACTION:action} : reason = %{CISCO_ASA_REASON} : server = %{IPORHOST:server} : user = %{DATA:user} : user IP = %{IP:src_ip}
|
42
|
-
# ASA-6-113008
|
43
|
-
CISCOASA113008 AAA transaction status ACCEPT : user = %{DATA:user}
|
44
|
-
# ASA-6-113009
|
45
|
-
CISCOASA113009 AAA retrieved default group policy \(%{DATA:policy}\) for user = %{DATA:user}
|
46
|
-
# ASA-6-302004
|
47
|
-
CISCOASA302004 Pre-allocate %{DATA:protocol} backconnection for faddr %{IPORHOST:orig_src_ip}(?:/%{INT:orig_src_port})? to laddr %{IPORHOST:orig_src_ip}(?:/%{INT:orig_src_port})?
|
48
|
-
# ASA-6-302010
|
49
|
-
CISCOASA302010 %{INT:connection_count} in use, %{INT:connection_count_max} most used
|
50
|
-
# ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
|
51
|
-
CISCOASA302013_302014_302015_302016 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port}( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))?(\(%{DATA:src_user}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port}( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_user}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_ASA_REASON:reason})?( \(%{DATA:user}\))?
|
52
|
-
# ASA-6-302020, ASA-6-302021
|
53
|
-
CISCOASA302020_302021 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IPORHOST:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:user}\))? gaddr %{IPORHOST:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IPORHOST:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?
|
54
|
-
# ASA-6-303002
|
55
|
-
CISCOASA303002 FTP connection from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?, user %{DATA:user} %{WORD:action} file %{DATA:filename}
|
56
|
-
# ASA-3-305006
|
57
|
-
CISCOASA305006 regular translation creation failed for %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?(?: \(type %{INT:icmp_type}, code %{INT:icmp_code}\))?
|
58
|
-
# ASA-6-305011
|
59
|
-
CISCOASA305011 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_user}\))? to %{DATA:src_xlated_interface}:%{IPORHOST:src_xlated_ip}/%{DATA:src_xlated_port}
|
60
|
-
# ASA-5-305013
|
61
|
-
CISCOASA305013 Asymmetric NAT rules matched for forward and reverse flows; Connection for %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})? %{CISCO_ASA_ACTION:action} due to NAT reverse path failure
|
62
|
-
# ASA-3-313001, ASA-3-313004, ASA-3-313008
|
63
|
-
CISCOASA313001_313004_313008 %{CISCO_ASA_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?
|
64
|
-
# ASA-4-313005
|
65
|
-
CISCOASA313005 %{CISCO_ASA_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IPORHOST:err_src_ip}(\(%{DATA:err_src_user}\))? dst %{DATA:err_dst_interface}:%{IPORHOST:err_dst_ip}(\(%{DATA:err_dst_user}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\. Original IP payload: %{WORD:protocol} src %{IPORHOST:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_user}\))? dst %{IPORHOST:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_user}\))?
|
66
|
-
# ASA-4-313004
|
67
|
-
#CISCOASA338004 Denied ICMP type=%{INT:icmp_type}, from laddr %{IPORHOST:src_ip} on interface %{DATA:src_interface} to %{IPORHOST:dst_ip}: no matching session
|
68
|
-
# ASA-4-338004, ASA-4-338008
|
69
|
-
CISCOASA338004_338008 Dynamic Filter %{CISCO_ASA_ACTION:action} blacklisted %{WORD:protocol} traffic from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?, destination %{IPORHOST:blacklisted_ip} resolved from local list: %{IPORHOST:blacklisted_ip}/%{IPORHOST:blacklisted_netmask}, threat-level: %{DATA:threat_level}, category: %{DATA:category}
|
70
|
-
# ASA-4-338008 Dynamic Filter %{CISCO_ASA_ACTION:action} blacklisted %{WORD:protocol} traffic from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?, destination %{IPORHOST:blacklisted_ip} resolved from local list: 221.204.186.0/255.255.255.0, threat-level: very-high, category: admin-added
|
71
|
-
# ASA-6-338304
|
72
|
-
CISCOASA338304 Successfully downloaded dynamic filter data file from updater server %{DATA:url}
|
73
|
-
# ASA-4-400013
|
74
|
-
CISCOASA400013 IDS:2003 ICMP redirect from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
|
75
|
-
# ASA-4-400028
|
76
|
-
CISCOASA400028 IDS:3042 TCP FIN only flags from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
|
77
|
-
# ASA-4-400037
|
78
|
-
CISCOASA400037 IDS:6053 DNS all records request from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
|
79
|
-
# ASA-4-402117
|
80
|
-
CISCOASA402117 %{WORD:protocol}: Received a non-IPSec packet \(protocol= %{WORD:orig_protocol}\) from %{IP:src_ip} to %{IP:dst_ip}
|
81
|
-
# ASA-4-402119
|
82
|
-
CISCOASA402119 %{WORD:protocol}: Received an %{WORD:orig_protocol} packet \(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\) from %{IP:src_ip} \(user= %{DATA:user}\) to %{IP:dst_ip} that failed anti-replay checking
|
83
|
-
# ASA-4-405104
|
84
|
-
CISCOASA405104 %{WORD:protocol} message %{DATA:voip_message} received from %{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_ip}(/%{INT:dst_port})? before SETUP
|
85
|
-
# ASA-4-419001
|
86
|
-
CISCOASA419001 %{CISCO_ASA_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}
|
87
|
-
# ASA-4-419002
|
88
|
-
CISCOASA419002 %{CISCO_ASA_REASON:reason} from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port} with different initial sequence number
|
89
|
-
# ASA-4-500004
|
90
|
-
CISCOASA500004 %{CISCO_ASA_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
|
91
|
-
# ASA-5-502103
|
92
|
-
CISCOASA502103 User priv level changed: Uname: %{DATA:user} From: %{INT:from_level} To: %{INT:to_level}
|
93
|
-
# ASA-4-507003
|
94
|
-
CISCOASA507003 %{WORD:protocol} flow from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port} %{CISCO_ASA_ACTION:action} by inspection engine, reason - %{DATA:reason}?\.
|
95
|
-
# ASA-6-602303, ASA-6-602304
|
96
|
-
CISCOASA602303_602304 %{WORD:protocol}: An %{CISCO_ASA_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:src_ip} and %{IP:dst_ip} \(user= %{DATA:user}\) has been %{CISCO_ASA_ACTION:action}
|
97
|
-
# ASA-6-605005
|
98
|
-
CISCOASA605005 Login permitted from %{IPORHOST:src_ip}/%{INT:src_port} %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{WORD:dst_port} for user "%{DATA:user}"
|
99
|
-
# ASA-6-607001
|
100
|
-
CISCOASA607001 Pre-allocate %{GREEDYDATA:protocol} secondary channel for %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})? from %{DATA:voip_message} message
|
101
|
-
# ASA-7-609001, ASA-7-609002
|
102
|
-
CISCOASA609001_609002 %{CISCO_ASA_ACTION:action} local-host %{DATA:src_interface}:%{IPORHOST:src_ip}(?: duration %{TIME:duration})?
|
103
|
-
# ASA-6-611101
|
104
|
-
CISCOASA611101 User authentication succeeded: Uname: %{DATA:user}
|
105
|
-
# ASA-7-710001, ASA-7-710002, ASA-7-710003, ASA-7-710005, ASA-7-710006
|
106
|
-
CISCOASA710001_710002_710003_710005_710006_710007 %{WORD:protocol} (?:request|access|keepalive) %{CISCO_ASA_ACTION:action} from %{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{DATA:dst_port}
|
107
|
-
# ASA-6-713172
|
108
|
-
CISCOASA713172 Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\s+Remote end\s*%{DATA:is_remote_natted}\s*behind a NAT device\s+This\s+end\s*%{DATA:is_local_natted}\s*behind a NAT device
|
109
|
-
# ASA-7-713236
|
110
|
-
CISCOASA713236 IP = %{IPORHOST:src_ip}, IKE_DECODE %{CISCO_ASA_ACTION} Message \(msgid=%{DATA:msgid}\) with payloads : %{GREEDYDATA:payload} total length : %{INT:length}
|
111
|
-
# ASA-5-713257
|
112
|
-
CISCOASA713257 Phase %{DATA} failure: Mismatched attribute types for class %{DATA:vpn_class}: Rcv'd: %{DATA:vpn_rcvd} Cfg'd: %{DATA:vpn_cfgd}
|
113
|
-
# ASA-5-713904
|
114
|
-
CISCOASA713904 IP = %{IPORHOST:src_ip}, Received encrypted packet with no matching SA, %{CISCO_ASA_ACTION:action}
|
115
|
-
# ASA-7-713906
|
116
|
-
CISCOASA713906 IKE Receiver: Packet received on %{IPORHOST:dst_ip}:%{INT:dst_port} from %{IPORHOST:src_ip}:%{INT:src_port}
|
117
|
-
# ASA-7-715046
|
118
|
-
CISCOASA715036_715046_715047_715075 Group = %{GREEDYDATA:group},(?: Username = %{DATA:user},)? IP = %{IP:src_ip},%{GREEDYDATA:vpn_action}
|
119
|
-
# ASA-4-733100
|
120
|
-
CISCOASA733100 \[\s*%{DATA:drop_type}\s*\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}
|
121
|
-
# ASA-6-734001
|
122
|
-
CISCOASA734001 DAP: User %{DATA:user}, Addr %{IP:src_ip}, Connection %{DATA:protocol}: The following DAP records were selected for this connection: %{GREEDYDATA:policy_id}
|
123
|
-
# ASA-6-737006
|
124
|
-
CISCOASA737006 IPAA: Local pool request succeeded for tunnel-group '%{DATA:vpn_group}'
|
125
|
-
# ASA-6-737016
|
126
|
-
CISCOASA737016 IPAA: Freeing local pool address %{IP:src_ip}
|
127
|
-
# ASA-6-737026
|
128
|
-
CISCOASA737026 IPAA: Client assigned %{IP:src_ip} from local pool
|
129
|
-
# ASA-6-737029
|
130
|
-
CISCOASA737029 IPAA: Added %{IP:src_ip} to standby
|
131
|
-
# ASA-6-737031
|
132
|
-
CISCOASA737031 IPAA: Removed %{IP:src_ip} from standby
|
133
|
-
#== End Cisco ASA ==
|