logstash-input-sdee 0.7.6 → 0.7.7

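--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 321e59b01dd51b2f566e9bcb308702381565348c
-data.tar.gz: 4047d3f10d2ae6cbf15b9072e5d3c601cb5c2270
+metadata.gz: c60cdea95b9dfa2fbda788c2b4d77bb86fb0a566
+data.tar.gz: 0b8e30d80123b765e3373686518708fe2a3c29cc
 SHA512:
-metadata.gz: 117fa7c3cda33593d981e7b7ef7d2cab20b3f3de6bb670f11e634660f1d34dd57625f126ae01aae2edcef857fcd8a3011f45222f294cb34c8bb384d37656d83c
-data.tar.gz: 464eb70ff8460ef30ae9dcdc4be411c33f6c0164c01bebb4efc6ee7d7850553425bb523332f0de217c5d5ff05e067c4f562511b2b95dcba0c9f8f9feef55f51f
+metadata.gz: 0ca5fba5f3d0f9621913e5fcb36b5696e60677127027156f79a730058806780a1d7679cff8e4c52100416d5d2781ccd0303e108c4b214737b0645d0bfe6a41da
+data.tar.gz: 8e7df7b885a0155bde73c74ab952506cc22b743d6b535123704f279671a9c4f347a4fccdb6b01d5f8fe2b46df77dbba44655ac5188f39b758126e3a58da4e34d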
@@ -1,3 +1,5 @@
1
+ * 0.7.7
2
+ - logstash 5.x plugin API
1
3
  * 0.7.1
2
4
  - something seriously broken in rubysl-rexml 2.0.4 gem
3
5
  it's trying to install without success even if already installed
@@ -0,0 +1,2 @@
1
+ # logstash-input-logstash-input-sdee-5.3
2
+ Example input plugin. This should help bootstrap your effort to write your own input plugin!
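--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,2 +1,3 @@
 source 'https://rubygems.org'
-gemspec
+gemspec
+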
@@ -234,7 +234,7 @@ class LogStash::Inputs::SDEE < LogStash::Inputs::Base
234
234
 
235
235
  # This is also in the metadata, but we send it anyone because we want this
236
236
  # persisted by default, whereas metadata isn't. People don't like mysterious errors
237
- event["sdee_failure"] = {
237
+ event.set("[sdee_failure]") = {
238
238
  "request" => structure_request(request),
239
239
  "error" => exception.to_s,
240
240
  "backtrace" => exception.backtrace,
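Review bot: The new line `event.set("[sdee_failure]") = {` is not valid Ruby — a method call with an argument list cannot be the target of an assignment, so this file will raise a SyntaxError when Logstash loads the plugin, which defeats the point of the 5.x API migration. `LogStash::Event#set` takes the field reference and the value as two arguments; the line should open as `event.set("[sdee_failure]", {` and the hash literal, whose closing brace lies outside this hunk, should end with `})` instead of `}`. The enclosing method starts and ends outside the hunk, so check that no other `event[...] = ...` writes in it were converted the same way.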
@@ -254,7 +254,7 @@ class LogStash::Inputs::SDEE < LogStash::Inputs::Base
254
254
  private
255
255
  def apply_metadata(event, request, response=nil, execution_time=nil)
256
256
  #return unless @metadata_target
257
- event[@metadata_target] = event_metadata(request, response, execution_time)
257
+ event.set("[@metadata_target]") = event_metadata(request, response, execution_time)
258
258
  end
259
259
 
260
260
  private
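Review bot: `event.set("[@metadata_target]") = event_metadata(...)` has two defects: the assignment form is a syntax error (set takes the value as its second argument), and the field name is the literal string `[@metadata_target]` rather than the contents of the `@metadata_target` instance variable, so the request metadata would presumably land under a field literally named `@metadata_target` instead of the configured target. The line should read `event.set(@metadata_target, event_metadata(request, response, execution_time))`. The guard `return unless @metadata_target` on the line above is still commented out; once set is called correctly a nil target would raise inside the event API rather than being skipped, so it is worth restoring that guard. apply_metadata is fully inside this hunk; the surrounding class is not.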
@@ -1,21 +1,26 @@
1
1
  Gem::Specification.new do |s|
2
- s.name = 'logstash-input-sdee'
3
- s.version = '0.7.6'
4
- s.date = '2016-09-06'
5
- s.summary = "Logstah SDEE input from Cisco ASA"
6
- s.description = "This Logstash input plugin allows you to call a Cisco SDEE/CIDEE HTTP API, decode the output of it into event(s), and send them on their merry way."
7
- s.authors = ["rootik"]
8
- s.email = 'roootik@gmail.com'
2
+ s.name = 'logstash-input-sdee'
3
+ s.version = '0.7.7'
4
+ s.licenses = ['Apache License (2.0)']
5
+ s.summary = 'Logstah SDEE input from Cisco ASA'
6
+ s.description = 'This Logstash input plugin allows you to call a Cisco SDEE/CIDEE HTTP API, decode the output of it into event(s), and send them on their merry way.'
7
+ s.homepage = 'http://rubygems.org/gems/logstash-input-sdee'
8
+ s.authors = ['rootik']
9
+ s.email = 'roootik@gmail.com'
9
10
  s.require_paths = ['lib']
10
11
 
11
- s.files = Dir['lib/**/*', 'examples/**/*', '*.gemspec', 'LICENSE', 'Gemfile', 'README.md', 'CHANGELOG.md', 'CONTRIBUTORS']
12
- s.homepage =
13
- 'http://rubygems.org/gems/logstash-input-sdee'
14
- s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
15
- s.license = 'Apache-2.0'
12
+ # Files
13
+ s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
14
+ # Tests
15
+ s.test_files = s.files.grep(%r{^(test|spec|features)/})
16
+
17
+ # Special flag to let us know this is actually a logstash plugin
16
18
  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
17
- s.add_runtime_dependency 'logstash-core', '>= 1.4.0', '<= 2.99'
18
- s.add_runtime_dependency 'logstash-core-plugin-api', '>= 0.60', '<= 2.99'
19
+
20
+ # Gem dependencies
21
+ s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
22
+ s.add_runtime_dependency 'logstash-codec-plain'
23
+ s.add_runtime_dependency 'stud', '>= 0.0.22'
24
+ s.add_development_dependency 'logstash-devutils', '>= 0.0.16'
19
25
  s.add_runtime_dependency 'logstash-mixin-http_client', '>= 1.0.0', '<= 6.0.0'
20
- # s.add_runtime_dependency 'rubysl-rexml', '>= 2.0.0', '<= 3.0.0'
21
26
  end
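Review bot: `s.licenses = ['Apache License (2.0)']` replaces the SPDX identifier `Apache-2.0` that the 0.7.6 gemspec declared with a free-form string; RubyGems and license scanners key on SPDX identifiers, so this should stay `s.licenses = ['Apache-2.0']` (the generated metadata below inherits the same non-standard value). Separately, `s.add_runtime_dependency 'logstash-codec-plain'` carries no version constraint at all and `'stud', '>= 0.0.22'` has no upper bound, whereas the `logstash-mixin-http_client` line just below pins both ends; an unbounded runtime dependency lets any future release of those gems, including a bad or hijacked one, resolve into a fresh install. Bounding both the way the mixin is bounded would keep installs reproducible.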
@@ -0,0 +1,11 @@
1
+ # encoding: utf-8
2
+ require "logstash/devutils/rspec/spec_helper"
3
+ require "logstash/inputs/logstash-input-sdee"
4
+
5
+ describe LogStash::Inputs::SDEE do
6
+
7
+ it_behaves_like "an interruptible input plugin" do
8
+ let(:config) { { "interval" => 100 } }
9
+ end
10
+
11
+ end
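Review bot: The spec requires `logstash/inputs/logstash-input-sdee`, but the only library file shipped in the gem is `lib/logstash/inputs/sdee.rb` (see the files list in the metadata section), so this require will raise LoadError and the new shared-example test never executes. It should be `require "logstash/inputs/sdee"`. The config handed to "an interruptible input plugin" only sets `interval`; the removed example configs also supplied an `http` block with `url` and `auth`, so the plugin may fail to register without one — worth confirming against the plugin's config declarations, which are not in this diff.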
metadata CHANGED
@@ -1,55 +1,71 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-input-sdee
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.7.6
4
+ version: 0.7.7
5
5
  platform: ruby
6
6
  authors:
7
7
  - rootik
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-09-06 00:00:00.000000000 Z
11
+ date: 2017-03-29 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
- name: logstash-core
14
+ name: logstash-core-plugin-api
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
- - - ">="
18
- - !ruby/object:Gem::Version
19
- version: 1.4.0
20
- - - "<="
17
+ - - "~>"
21
18
  - !ruby/object:Gem::Version
22
- version: '2.99'
19
+ version: '2.0'
23
20
  type: :runtime
24
21
  prerelease: false
25
22
  version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: '2.0'
27
+ - !ruby/object:Gem::Dependency
28
+ name: logstash-codec-plain
29
+ requirement: !ruby/object:Gem::Requirement
26
30
  requirements:
27
31
  - - ">="
28
32
  - !ruby/object:Gem::Version
29
- version: 1.4.0
30
- - - "<="
33
+ version: '0'
34
+ type: :runtime
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - ">="
31
39
  - !ruby/object:Gem::Version
32
- version: '2.99'
40
+ version: '0'
33
41
  - !ruby/object:Gem::Dependency
34
- name: logstash-core-plugin-api
42
+ name: stud
35
43
  requirement: !ruby/object:Gem::Requirement
36
44
  requirements:
37
45
  - - ">="
38
46
  - !ruby/object:Gem::Version
39
- version: '0.60'
40
- - - "<="
41
- - !ruby/object:Gem::Version
42
- version: '2.99'
47
+ version: 0.0.22
43
48
  type: :runtime
44
49
  prerelease: false
45
50
  version_requirements: !ruby/object:Gem::Requirement
46
51
  requirements:
47
52
  - - ">="
48
53
  - !ruby/object:Gem::Version
49
- version: '0.60'
50
- - - "<="
54
+ version: 0.0.22
55
+ - !ruby/object:Gem::Dependency
56
+ name: logstash-devutils
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: 0.0.16
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
51
67
  - !ruby/object:Gem::Version
52
- version: '2.99'
68
+ version: 0.0.16
53
69
  - !ruby/object:Gem::Dependency
54
70
  name: logstash-mixin-http_client
55
71
  requirement: !ruby/object:Gem::Requirement
@@ -79,19 +95,16 @@ extra_rdoc_files: []
79
95
  files:
80
96
  - CHANGELOG.md
81
97
  - CONTRIBUTORS
98
+ - DEVELOPER.md
82
99
  - Gemfile
83
100
  - LICENSE
84
101
  - README.md
85
- - examples/10-inputs.conf
86
- - examples/20-filter.conf
87
- - examples/30-outputs.conf
88
- - examples/dict/cisco.facility.yaml
89
- - examples/patterns/cisco
90
102
  - lib/logstash/inputs/sdee.rb
91
103
  - logstash-input-sdee.gemspec
104
+ - spec/inputs/sdee_spec.rb
92
105
  homepage: http://rubygems.org/gems/logstash-input-sdee
93
106
  licenses:
94
- - Apache-2.0
107
+ - Apache License (2.0)
95
108
  metadata:
96
109
  logstash_plugin: 'true'
97
110
  logstash_group: input
@@ -115,4 +128,5 @@ rubygems_version: 2.6.6
115
128
  signing_key:
116
129
  specification_version: 4
117
130
  summary: Logstah SDEE input from Cisco ASA
118
- test_files: []
131
+ test_files:
132
+ - spec/inputs/sdee_spec.rb
@@ -1,29 +0,0 @@
1
- input {
2
-
3
- sdee {
4
- type => "sdee"
5
- interval => 60
6
- http => {
7
- url => "http://ciscoips1"
8
- auth => {
9
- user => "cisco"
10
- password => "p@ssw0rd"
11
- }
12
- }
13
- }
14
-
15
- sdee {
16
- type => "sdee"
17
- interval => 60
18
- http => {
19
- url => "https://ciscoips2"
20
- # do not forget, you must add your device or CA certificate to Java trustStore. See README.md
21
- truststore_password => "changeit"
22
- auth => {
23
- user => "cisco"
24
- password => "p@ssw0rd"
25
- }
26
- }
27
- }
28
-
29
- }
@@ -1,56 +0,0 @@
1
- filter {
2
- if ([type] and ([type] == "syslog-relay") and !("_grokparsefailure" in [tags]) and !("pre-processed" in [tags])) {
3
- grok {
4
- match => {
5
- "message" => "%{GREEDYDATA:cisco_message}"
6
- }
7
- add_tag => [ "parser_begin" ]
8
- }
9
- grok {
10
- patterns_dir => [ "/etc/logstash/patterns" ]
11
- match => {
12
- "message" => "%{CTIMESTAMP}( %{SYSLOGHOST:host})? (?:%{INT:sequence}: %{MONTH} %{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}\.[0-9]+: )%{GREEDYDATA:message}"
13
- }
14
- overwrite => [ "message" ]
15
- add_tag => [ "pre-processed" ]
16
- add_field => {
17
- "vendor" => "Cisco"
18
- "device" => "SW or Router"
19
- }
20
- }
21
- grok {
22
- patterns_dir => [ "/etc/logstash/patterns" ]
23
- match => {
24
- "message" => "%{CISCO_TAG}: %{GREEDYDATA:message}"
25
- }
26
- overwrite => [ "message" ]
27
- }
28
- if [cisco_facility] {
29
- translate {
30
- field => "cisco_facility"
31
- destination => "facility"
32
- dictionary_path => [ "/etc/logstash/dict/cisco.facility.yaml" ]
33
- override => true
34
- remove_field => [cisco_facility]
35
- }
36
- }
37
- if [cisco_severity] {
38
- translate {
39
- field => "cisco_severity"
40
- destination => "severity"
41
- dictionary => [
42
- "0", "Emergency",
43
- "1", "Alert",
44
- "2", "Critical",
45
- "3", "Error",
46
- "4", "Warning",
47
- "5", "Notification",
48
- "6", "Informational",
49
- "7", "Debugging" ]
50
- override => true
51
- remove_field => [cisco_severity]
52
- }
53
- }
54
-
55
- }
56
- }
@@ -1,5 +0,0 @@
1
- output {
2
- stdout {
3
- codec => rubydebug
4
- }
5
- }
@@ -1,82 +0,0 @@
1
- AUTHMGR: Authentication manager
2
- ACLMGR: ACL manager
3
- BACKUP_INTERFACE: Flex Links
4
- BADTRANSCEIVER: Defective transceiver
5
- BSPATCH: Boot loader patch
6
- CFGMGR: Configuration manager
7
- CLS_ACC: Consoleless access
8
- CMP: Cluster Membership Protocol
9
- DHCP_SNOOPING: DHCP snooping
10
- DOT1X: 802.1x
11
- DOT1X_SWITCH: 802.1x for switches
12
- DTP: Dynamic Trunking Protocol
13
- DWL: Down-when-looped
14
- EC: EtherChannel
15
- ENVIRONMENT: Environment Messages
16
- EPM: Enforcement Policy Module
17
- ETHCNTR: Ethernet controller
18
- EXPRESS_SETUP: Express Setup
19
- FRNTEND_CTRLR: Front-end controller
20
- GBIC_SECURITY: GBIC and SFP module security
21
- GBIC_SECURITY_CRYPT: GBIC and SFP module security
22
- GBIC_SECURITY_UNIQUE: GBIC and SFP module security
23
- HARDWARE: Hardware
24
- LFM: Local forwarding manager
25
- HPSECURE: Port security
26
- HULC_LICENSE: Licensing
27
- IFMGR: Interface manager
28
- IGMP_QUERIER: IGMP querier
29
- ILET: Cisco IOS License Enforcement Test
30
- ILPOWER: PoE
31
- IMAGEMGR: Image manager
32
- IP: Internet Protocol
33
- IP_DEVICE_TRACKING: IP device tracking
34
- KEYMAN: Keyman Messages
35
- MAC_MOVE: Host activity
36
- PAGP: Port Aggregation Protocol
37
- PHY: PHY
38
- PIMSN: PIM snooping
39
- PLATFORM: Low-level platform-specific
40
- PLATFORM_SM10G: Platform FRULink 10G Service Module
41
- PLATFORM_ENV: Platform environment
42
- PLATFORM_FBM: Platform fallback bridging manager
43
- PLATFORM_HCEF: Cisco Express Forwarding
44
- PLATFORM_HPLM: Platform pseudo-label manager
45
- PLATFORM_IPC: Platform Interprocess Communication Protocol
46
- PLATFORM_IPv6_UCAST: IP Version 6 Unicast
47
- PLATFORM_PBR: Platform policy-based routing
48
- PLATFORM_PM: Platform port manager
49
- PLATFORM_RPC: Platform remote procedure call
50
- PLATFORM_SPAN: Platform switched port analyzer
51
- PLATFORM_STACKPOWER: Platform stack power
52
- PLATFORM_UCAST: Platform unicast routing
53
- PLATFORM_VLAN: Platform VLAN
54
- PLATFORM_WCCP: Platform WCCP
55
- PM: Port manager
56
- PORT_SECURITY: Port security
57
- POWERNET_ISSU: EnergyWise domain
58
- PT: Protocol tunneling
59
- QOSMGR: QoS manager
60
- RMON: Remote Network Monitoring (RMON)
61
- SCHED: Schedule
62
- SDM: Switch Database Manager
63
- SESA: SESA
64
- SPAN: Switched port analyzer
65
- SPANTREE: Spanning tree
66
- SPANTREE_FAST: Spanning-tree fast convergence
67
- SPANTREE_VLAN_SW: Spanning-tree VLAN switch
68
- STACKMGR: Stack manager
69
- STORM_CONTROL: Storm control
70
- SUPERVISOR: Supervisor ASIC
71
- SUPQ: Supervisor queue
72
- SW_DAI: Dynamic ARP inspection
73
- SW_MACAUTH: MAC address authentication
74
- SW_MATM: MAC address table manager
75
- SW_VLAN: VLAN manager
76
- SW_QOS_TB: QoS trusted boundary
77
- TCAMMGR: Ternary content addressable memory manager
78
- UDLD: UniDirectional Link Detection
79
- UFAST_MCAST_SW: UplinkFast packet transmission
80
- VLMAPLOG: VLAN Access Map Logs
81
- VQPCLIENT: VLAN Query Protocol client
82
- WCCP: WCCP
@@ -1,133 +0,0 @@
1
- #== Cisco ASA ==
2
- HOSTNAME \b(?:[_0-9A-Za-z][_0-9A-Za-z-]{0,62})(?:\.(?:[_0-9A-Za-z][_0-9A-Za-z-]{0,62}))*(\.?|\b)
3
- CTIMESTAMP %{YEAR}-%{MONTHNUM2}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})(?:\.[0-9]+)?%{ISO8601_TIMEZONE}
4
- CISCO_TAGGED %{CTIMESTAMP}( %{SYSLOGHOST:host})? %{CISCO_TAG:ciscotag}:
5
- CISCO_ASA_TAGGED %{CTIMESTAMP}( %{SYSLOGHOST:host})? %{CISCO_ASA_TAG:ciscotag}:
6
- CISCO_CLASS [0-9]{3}
7
- CISCO_STRUC [A-Z0-9_]+
8
- CISCO_TAG %{CISCO_STRUC:cisco_facility}-%{INT:cisco_severity}-%{CISCO_STRUC:cisco_mnemonic}|WLC[0-9]+
9
- CISCO_ASA_TAG %[A-Z0-9_]+-%{INT:cisco_severity}-%{CISCO_CLASS:cisco_class}[0-9]{3}
10
- # Common Particles
11
- CISCO_ASA_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|received|denied by ACL|discarded|est-allowed|Dropping|dropping|created|deleted|SENDING|RECEIVED|monitored|dropped|terminated|Rejected
12
- CISCO_ASA_REASON AAA failure|Duplicate TCP SYN|TCP Reset\-O|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
13
- CISCO_ASA_DIRECTION Inbound|inbound|Outbound|outbound
14
- CISCO_ASA_INTERVAL first hit|%{INT}-second interval
15
- CISCO_ASA_XLATE_TYPE static|dynamic
16
- # ASA-2-106001
17
- CISCOASA106001 %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} connection %{DATA:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
18
- # ASA-2-106006, ASA-2-106007, ASA-2-106010
19
- CISCOASA106006_106007_106010 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_user}\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_user}\))? (?:on interface %{DATA:interface}|due to %{CISCO_ASA_REASON:reason})
20
- # ASA-3-106014
21
- CISCOASA106014 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_user}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_user}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\)
22
- # ASA-6-106015
23
- CISCOASA106015 %{CISCO_ASA_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IPORHOST:src_ip}/%{INT:src_port} to %{IPORHOST:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface}
24
- # ASA-1-106021
25
- CISCOASA106021 %{CISCO_ASA_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}
26
- # ASA-4-106023
27
- CISCOASA106023 %{CISCO_ASA_ACTION:action} %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_user}\))? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_user}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group "%{DATA:policy_id}" \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
28
- # ASA-5-106100
29
- CISCOASA106100 access-list %{WORD:policy_id} %{CISCO_ASA_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_user}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:dst_user}\))? hit-cnt %{INT:hit_count} %{CISCO_ASA_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
30
- # ASA-6-110002
31
- CISCOASA110002 %{CISCO_ASA_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
32
- # ASA-5-111008
33
- CISCOASA111008 User '%{DATA:user}' executed the '%{GREEDYDATA:cmd}' command\.
34
- # ASA-7-111009
35
- CISCOASA111009 User '%{DATA:user}' executed cmd: %{GREEDYDATA:cmd}
36
- # ASA-5-111010
37
- CISCOASA111010 User '%{DATA:user}', running '%{WORD:service}' from IP %{IPORHOST:src_ip}, executed '%{GREEDYDATA:cmd}'
38
- # ASA-6-113004
39
- CISCOASA113004 AAA user authentication Successful : server = \s*%{IPORHOST:server} : user = %{DATA:user}
40
- # ASA-6-113005
41
- CISCOASA113005 AAA user authentication %{CISCO_ASA_ACTION:action} : reason = %{CISCO_ASA_REASON} : server = %{IPORHOST:server} : user = %{DATA:user} : user IP = %{IP:src_ip}
42
- # ASA-6-113008
43
- CISCOASA113008 AAA transaction status ACCEPT : user = %{DATA:user}
44
- # ASA-6-113009
45
- CISCOASA113009 AAA retrieved default group policy \(%{DATA:policy}\) for user = %{DATA:user}
46
- # ASA-6-302004
47
- CISCOASA302004 Pre-allocate %{DATA:protocol} backconnection for faddr %{IPORHOST:orig_src_ip}(?:/%{INT:orig_src_port})? to laddr %{IPORHOST:orig_src_ip}(?:/%{INT:orig_src_port})?
48
- # ASA-6-302010
49
- CISCOASA302010 %{INT:connection_count} in use, %{INT:connection_count_max} most used
50
- # ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
51
- CISCOASA302013_302014_302015_302016 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port}( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))?(\(%{DATA:src_user}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port}( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_user}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_ASA_REASON:reason})?( \(%{DATA:user}\))?
52
- # ASA-6-302020, ASA-6-302021
53
- CISCOASA302020_302021 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IPORHOST:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:user}\))? gaddr %{IPORHOST:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IPORHOST:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?
54
- # ASA-6-303002
55
- CISCOASA303002 FTP connection from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?, user %{DATA:user} %{WORD:action} file %{DATA:filename}
56
- # ASA-3-305006
57
- CISCOASA305006 regular translation creation failed for %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?(?: \(type %{INT:icmp_type}, code %{INT:icmp_code}\))?
58
- # ASA-6-305011
59
- CISCOASA305011 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_user}\))? to %{DATA:src_xlated_interface}:%{IPORHOST:src_xlated_ip}/%{DATA:src_xlated_port}
60
- # ASA-5-305013
61
- CISCOASA305013 Asymmetric NAT rules matched for forward and reverse flows; Connection for %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})? %{CISCO_ASA_ACTION:action} due to NAT reverse path failure
62
- # ASA-3-313001, ASA-3-313004, ASA-3-313008
63
- CISCOASA313001_313004_313008 %{CISCO_ASA_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?
64
- # ASA-4-313005
65
- CISCOASA313005 %{CISCO_ASA_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IPORHOST:err_src_ip}(\(%{DATA:err_src_user}\))? dst %{DATA:err_dst_interface}:%{IPORHOST:err_dst_ip}(\(%{DATA:err_dst_user}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\. Original IP payload: %{WORD:protocol} src %{IPORHOST:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_user}\))? dst %{IPORHOST:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_user}\))?
66
- # ASA-4-313004
67
- #CISCOASA338004 Denied ICMP type=%{INT:icmp_type}, from laddr %{IPORHOST:src_ip} on interface %{DATA:src_interface} to %{IPORHOST:dst_ip}: no matching session
68
- # ASA-4-338004, ASA-4-338008
69
- CISCOASA338004_338008 Dynamic Filter %{CISCO_ASA_ACTION:action} blacklisted %{WORD:protocol} traffic from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?, destination %{IPORHOST:blacklisted_ip} resolved from local list: %{IPORHOST:blacklisted_ip}/%{IPORHOST:blacklisted_netmask}, threat-level: %{DATA:threat_level}, category: %{DATA:category}
70
- # ASA-4-338008 Dynamic Filter %{CISCO_ASA_ACTION:action} blacklisted %{WORD:protocol} traffic from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?, destination %{IPORHOST:blacklisted_ip} resolved from local list: 221.204.186.0/255.255.255.0, threat-level: very-high, category: admin-added
71
- # ASA-6-338304
72
- CISCOASA338304 Successfully downloaded dynamic filter data file from updater server %{DATA:url}
73
- # ASA-4-400013
74
- CISCOASA400013 IDS:2003 ICMP redirect from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
75
- # ASA-4-400028
76
- CISCOASA400028 IDS:3042 TCP FIN only flags from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
77
- # ASA-4-400037
78
- CISCOASA400037 IDS:6053 DNS all records request from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
79
- # ASA-4-402117
80
- CISCOASA402117 %{WORD:protocol}: Received a non-IPSec packet \(protocol= %{WORD:orig_protocol}\) from %{IP:src_ip} to %{IP:dst_ip}
81
- # ASA-4-402119
82
- CISCOASA402119 %{WORD:protocol}: Received an %{WORD:orig_protocol} packet \(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\) from %{IP:src_ip} \(user= %{DATA:user}\) to %{IP:dst_ip} that failed anti-replay checking
83
- # ASA-4-405104
84
- CISCOASA405104 %{WORD:protocol} message %{DATA:voip_message} received from %{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_ip}(/%{INT:dst_port})? before SETUP
85
- # ASA-4-419001
86
- CISCOASA419001 %{CISCO_ASA_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}
87
- # ASA-4-419002
88
- CISCOASA419002 %{CISCO_ASA_REASON:reason} from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port} with different initial sequence number
89
- # ASA-4-500004
90
- CISCOASA500004 %{CISCO_ASA_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
91
- # ASA-5-502103
92
- CISCOASA502103 User priv level changed: Uname: %{DATA:user} From: %{INT:from_level} To: %{INT:to_level}
93
- # ASA-4-507003
94
- CISCOASA507003 %{WORD:protocol} flow from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port} %{CISCO_ASA_ACTION:action} by inspection engine, reason - %{DATA:reason}?\.
95
- # ASA-6-602303, ASA-6-602304
96
- CISCOASA602303_602304 %{WORD:protocol}: An %{CISCO_ASA_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:src_ip} and %{IP:dst_ip} \(user= %{DATA:user}\) has been %{CISCO_ASA_ACTION:action}
97
- # ASA-6-605005
98
- CISCOASA605005 Login permitted from %{IPORHOST:src_ip}/%{INT:src_port} %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{WORD:dst_port} for user "%{DATA:user}"
99
- # ASA-6-607001
100
- CISCOASA607001 Pre-allocate %{GREEDYDATA:protocol} secondary channel for %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})? from %{DATA:voip_message} message
101
- # ASA-7-609001, ASA-7-609002
102
- CISCOASA609001_609002 %{CISCO_ASA_ACTION:action} local-host %{DATA:src_interface}:%{IPORHOST:src_ip}(?: duration %{TIME:duration})?
103
- # ASA-6-611101
104
- CISCOASA611101 User authentication succeeded: Uname: %{DATA:user}
105
- # ASA-7-710001, ASA-7-710002, ASA-7-710003, ASA-7-710005, ASA-7-710006
106
- CISCOASA710001_710002_710003_710005_710006_710007 %{WORD:protocol} (?:request|access|keepalive) %{CISCO_ASA_ACTION:action} from %{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{DATA:dst_port}
107
- # ASA-6-713172
108
- CISCOASA713172 Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\s+Remote end\s*%{DATA:is_remote_natted}\s*behind a NAT device\s+This\s+end\s*%{DATA:is_local_natted}\s*behind a NAT device
109
- # ASA-7-713236
110
- CISCOASA713236 IP = %{IPORHOST:src_ip}, IKE_DECODE %{CISCO_ASA_ACTION} Message \(msgid=%{DATA:msgid}\) with payloads : %{GREEDYDATA:payload} total length : %{INT:length}
111
- # ASA-5-713257
112
- CISCOASA713257 Phase %{DATA} failure: Mismatched attribute types for class %{DATA:vpn_class}: Rcv'd: %{DATA:vpn_rcvd} Cfg'd: %{DATA:vpn_cfgd}
113
- # ASA-5-713904
114
- CISCOASA713904 IP = %{IPORHOST:src_ip}, Received encrypted packet with no matching SA, %{CISCO_ASA_ACTION:action}
115
- # ASA-7-713906
116
- CISCOASA713906 IKE Receiver: Packet received on %{IPORHOST:dst_ip}:%{INT:dst_port} from %{IPORHOST:src_ip}:%{INT:src_port}
117
- # ASA-7-715046
118
- CISCOASA715036_715046_715047_715075 Group = %{GREEDYDATA:group},(?: Username = %{DATA:user},)? IP = %{IP:src_ip},%{GREEDYDATA:vpn_action}
119
- # ASA-4-733100
120
- CISCOASA733100 \[\s*%{DATA:drop_type}\s*\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}
121
- # ASA-6-734001
122
- CISCOASA734001 DAP: User %{DATA:user}, Addr %{IP:src_ip}, Connection %{DATA:protocol}: The following DAP records were selected for this connection: %{GREEDYDATA:policy_id}
123
- # ASA-6-737006
124
- CISCOASA737006 IPAA: Local pool request succeeded for tunnel-group '%{DATA:vpn_group}'
125
- # ASA-6-737016
126
- CISCOASA737016 IPAA: Freeing local pool address %{IP:src_ip}
127
- # ASA-6-737026
128
- CISCOASA737026 IPAA: Client assigned %{IP:src_ip} from local pool
129
- # ASA-6-737029
130
- CISCOASA737029 IPAA: Added %{IP:src_ip} to standby
131
- # ASA-6-737031
132
- CISCOASA737031 IPAA: Removed %{IP:src_ip} from standby
133
- #== End Cisco ASA ==