RubyGems - logstash-input-sdee - Versions diffs - 0.7.6 → 0.7.7 - Mend

logstash-input-sdee 0.7.6 → 0.7.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +2 -0
data/DEVELOPER.md +2 -0
data/Gemfile +2 -1
data/lib/logstash/inputs/sdee.rb +2 -2
data/logstash-input-sdee.gemspec +20 -15
data/spec/inputs/sdee_spec.rb +11 -0
metadata +40 -26
data/examples/10-inputs.conf +0 -29
data/examples/20-filter.conf +0 -56
data/examples/30-outputs.conf +0 -5
data/examples/dict/cisco.facility.yaml +0 -82
data/examples/patterns/cisco +0 -133

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 321e59b01dd51b2f566e9bcb308702381565348c
-  data.tar.gz: 4047d3f10d2ae6cbf15b9072e5d3c601cb5c2270
+  metadata.gz: c60cdea95b9dfa2fbda788c2b4d77bb86fb0a566
+  data.tar.gz: 0b8e30d80123b765e3373686518708fe2a3c29cc
 SHA512:
-  metadata.gz: 117fa7c3cda33593d981e7b7ef7d2cab20b3f3de6bb670f11e634660f1d34dd57625f126ae01aae2edcef857fcd8a3011f45222f294cb34c8bb384d37656d83c
-  data.tar.gz: 464eb70ff8460ef30ae9dcdc4be411c33f6c0164c01bebb4efc6ee7d7850553425bb523332f0de217c5d5ff05e067c4f562511b2b95dcba0c9f8f9feef55f51f
+  metadata.gz: 0ca5fba5f3d0f9621913e5fcb36b5696e60677127027156f79a730058806780a1d7679cff8e4c52100416d5d2781ccd0303e108c4b214737b0645d0bfe6a41da
+  data.tar.gz: 8e7df7b885a0155bde73c74ab952506cc22b743d6b535123704f279671a9c4f347a4fccdb6b01d5f8fe2b46df77dbba44655ac5188f39b758126e3a58da4e34d

data/CHANGELOG.md CHANGED

@@ -1,3 +1,5 @@
+* 0.7.7
+  - logstash 5.x plugin API
 * 0.7.1
   - something seriously broken in rubysl-rexml 2.0.4 gem
     it's trying to install without success even if already installed

data/DEVELOPER.md ADDED

	@@ -0,0 +1,2 @@
1	+ # logstash-input-logstash-input-sdee-5.3
2	+ Example input plugin. This should help bootstrap your effort to write your own input plugin!

data/Gemfile CHANGED

@@ -1,2 +1,3 @@
 source 'https://rubygems.org'
-gemspec
+gemspec

data/lib/logstash/inputs/sdee.rb CHANGED

@@ -234,7 +234,7 @@ class LogStash::Inputs::SDEE < LogStash::Inputs::Base
     # This is also in the metadata, but we send it anyone because we want this
     # persisted by default, whereas metadata isn't. People don't like mysterious errors
-    event["sdee_failure"] = {
+    event.set("[sdee_failure]") = {
       "request" => structure_request(request),
       "error" => exception.to_s,
       "backtrace" => exception.backtrace,
@@ -254,7 +254,7 @@ class LogStash::Inputs::SDEE < LogStash::Inputs::Base
   private
   def apply_metadata(event, request, response=nil, execution_time=nil)
     #return unless @metadata_target
-    event[@metadata_target] = event_metadata(request, response, execution_time)
+    event.set("[@metadata_target]") = event_metadata(request, response, execution_time)
   end
   private

data/logstash-input-sdee.gemspec CHANGED

@@ -1,21 +1,26 @@
 Gem::Specification.new do |s|
-  s.name        = 'logstash-input-sdee'
-  s.version     = '0.7.6'
-  s.date        = '2016-09-06'
-  s.summary     = "Logstah SDEE input from Cisco ASA"
-  s.description = "This Logstash input plugin allows you to call a Cisco SDEE/CIDEE HTTP API, decode the output of it into event(s), and send them on their merry way."
-  s.authors     = ["rootik"]
-  s.email       = 'roootik@gmail.com'
+  s.name          = 'logstash-input-sdee'
+  s.version       = '0.7.7'
+  s.licenses      = ['Apache License (2.0)']
+  s.summary       = 'Logstah SDEE input from Cisco ASA'
+  s.description   = 'This Logstash input plugin allows you to call a Cisco SDEE/CIDEE HTTP API, decode the output of it into event(s), and send them on their merry way.'
+  s.homepage      = 'http://rubygems.org/gems/logstash-input-sdee'
+  s.authors       = ['rootik']
+  s.email         = 'roootik@gmail.com'
   s.require_paths = ['lib']
-  s.files       = Dir['lib/**/*', 'examples/**/*', '*.gemspec', 'LICENSE', 'Gemfile', 'README.md', 'CHANGELOG.md', 'CONTRIBUTORS']
-  s.homepage    =
-    'http://rubygems.org/gems/logstash-input-sdee'
-  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
-  s.license       = 'Apache-2.0'
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+  # Special flag to let us know this is actually a logstash plugin
   s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
-  s.add_runtime_dependency 'logstash-core', '>= 1.4.0', '<= 2.99'
-  s.add_runtime_dependency 'logstash-core-plugin-api', '>= 0.60', '<= 2.99'
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
+  s.add_runtime_dependency 'logstash-codec-plain'
+  s.add_runtime_dependency 'stud', '>= 0.0.22'
+  s.add_development_dependency 'logstash-devutils', '>= 0.0.16'
   s.add_runtime_dependency 'logstash-mixin-http_client', '>= 1.0.0', '<= 6.0.0'
-#  s.add_runtime_dependency 'rubysl-rexml', '>= 2.0.0', '<= 3.0.0'
 end

data/spec/inputs/sdee_spec.rb ADDED

@@ -0,0 +1,11 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/inputs/logstash-input-sdee"
+describe LogStash::Inputs::SDEE do
+  it_behaves_like "an interruptible input plugin" do
+    let(:config) { { "interval" => 100 } }
+  end
+end

metadata CHANGED

@@ -1,55 +1,71 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-sdee
 version: !ruby/object:Gem::Version
-  version: 0.7.6
+  version: 0.7.7
 platform: ruby
 authors:
 - rootik
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-09-06 00:00:00.000000000 Z
+date: 2017-03-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: logstash-core
+  name: logstash-core-plugin-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.4.0
-    - - "<="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.99'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: logstash-codec-plain
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.4.0
-    - - "<="
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.99'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: logstash-core-plugin-api
+  name: stud
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.60'
-    - - "<="
-      - !ruby/object:Gem::Version
-        version: '2.99'
+        version: 0.0.22
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.60'
-    - - "<="
+        version: 0.0.22
+- !ruby/object:Gem::Dependency
+  name: logstash-devutils
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.16
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.99'
+        version: 0.0.16
 - !ruby/object:Gem::Dependency
   name: logstash-mixin-http_client
   requirement: !ruby/object:Gem::Requirement
@@ -79,19 +95,16 @@ extra_rdoc_files: []
 files:
 - CHANGELOG.md
 - CONTRIBUTORS
+- DEVELOPER.md
 - Gemfile
 - LICENSE
 - README.md
-- examples/10-inputs.conf
-- examples/20-filter.conf
-- examples/30-outputs.conf
-- examples/dict/cisco.facility.yaml
-- examples/patterns/cisco
 - lib/logstash/inputs/sdee.rb
 - logstash-input-sdee.gemspec
+- spec/inputs/sdee_spec.rb
 homepage: http://rubygems.org/gems/logstash-input-sdee
 licenses:
-- Apache-2.0
+- Apache License (2.0)
 metadata:
   logstash_plugin: 'true'
   logstash_group: input
@@ -115,4 +128,5 @@ rubygems_version: 2.6.6
 signing_key:
 specification_version: 4
 summary: Logstah SDEE input from Cisco ASA
-test_files: []
+test_files:
+- spec/inputs/sdee_spec.rb

data/examples/10-inputs.conf DELETED

@@ -1,29 +0,0 @@
-input {
-  sdee {
-    type => "sdee"
-    interval => 60
-    http => {
-      url => "http://ciscoips1"
-      auth => {
-        user => "cisco"
-        password => "p@ssw0rd"
-      }
-    }
-  }
-  sdee {
-    type => "sdee"
-    interval => 60
-    http => {
-      url => "https://ciscoips2"
-      # do not forget, you must add your device or CA certificate to Java trustStore. See README.md
-      truststore_password => "changeit"
-      auth => {
-        user => "cisco"
-        password => "p@ssw0rd"
-      }
-    }
-  }
-}

data/examples/20-filter.conf DELETED

@@ -1,56 +0,0 @@
-filter {
-  if ([type] and ([type] == "syslog-relay") and !("_grokparsefailure" in [tags]) and !("pre-processed" in [tags])) {
-     grok {
-       match => {
-         "message" => "%{GREEDYDATA:cisco_message}"
-       }
-       add_tag => [ "parser_begin" ]
-     }
-     grok {
-        patterns_dir => [ "/etc/logstash/patterns" ]
-        match => {
-           "message" => "%{CTIMESTAMP}( %{SYSLOGHOST:host})? (?:%{INT:sequence}: %{MONTH} %{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}\.[0-9]+: )%{GREEDYDATA:message}"
-        }
-         overwrite => [ "message" ]
-         add_tag => [ "pre-processed" ]
-         add_field => {
-           "vendor" => "Cisco"
-           "device" => "SW or Router"
-         }
-     }
-     grok {
-        patterns_dir => [ "/etc/logstash/patterns" ]
-        match => {
-          "message" => "%{CISCO_TAG}: %{GREEDYDATA:message}"
-        }
-        overwrite => [ "message" ]
-     }
-     if [cisco_facility] {
-        translate {
-            field => "cisco_facility"
-            destination => "facility"
-            dictionary_path => [ "/etc/logstash/dict/cisco.facility.yaml" ]
-            override => true
-            remove_field => [cisco_facility]
-        }
-      }
-      if [cisco_severity] {
-        translate {
-            field => "cisco_severity"
-            destination => "severity"
-            dictionary => [
-                            "0", "Emergency",
-                            "1", "Alert",
-                            "2", "Critical",
-                            "3", "Error",
-                            "4", "Warning",
-                            "5", "Notification",
-                            "6", "Informational",
-                            "7", "Debugging" ]
-            override => true
-            remove_field => [cisco_severity]
-        }
-      }
-  }
-}

data/examples/30-outputs.conf DELETED

@@ -1,5 +0,0 @@
-output {
-  stdout {
-    codec => rubydebug
-  }
-}

data/examples/dict/cisco.facility.yaml DELETED

@@ -1,82 +0,0 @@
-AUTHMGR: Authentication manager
-ACLMGR: ACL manager
-BACKUP_INTERFACE: Flex Links
-BADTRANSCEIVER: Defective transceiver
-BSPATCH: Boot loader patch
-CFGMGR: Configuration manager
-CLS_ACC: Consoleless access
-CMP: Cluster Membership Protocol
-DHCP_SNOOPING: DHCP snooping
-DOT1X: 802.1x
-DOT1X_SWITCH: 802.1x for switches
-DTP: Dynamic Trunking Protocol
-DWL: Down-when-looped
-EC: EtherChannel
-ENVIRONMENT: Environment Messages
-EPM: Enforcement Policy Module
-ETHCNTR: Ethernet controller
-EXPRESS_SETUP: Express Setup
-FRNTEND_CTRLR: Front-end controller
-GBIC_SECURITY: GBIC and SFP module security
-GBIC_SECURITY_CRYPT: GBIC and SFP module security
-GBIC_SECURITY_UNIQUE: GBIC and SFP module security
-HARDWARE: Hardware
-LFM: Local forwarding manager
-HPSECURE: Port security
-HULC_LICENSE: Licensing
-IFMGR: Interface manager
-IGMP_QUERIER: IGMP querier
-ILET: Cisco IOS License Enforcement Test
-ILPOWER: PoE
-IMAGEMGR: Image manager
-IP: Internet Protocol
-IP_DEVICE_TRACKING: IP device tracking
-KEYMAN: Keyman Messages
-MAC_MOVE: Host activity
-PAGP: Port Aggregation Protocol
-PHY: PHY
-PIMSN: PIM snooping
-PLATFORM: Low-level platform-specific
-PLATFORM_SM10G: Platform FRULink 10G Service Module
-PLATFORM_ENV: Platform environment
-PLATFORM_FBM: Platform fallback bridging manager
-PLATFORM_HCEF: Cisco Express Forwarding
-PLATFORM_HPLM: Platform pseudo-label manager
-PLATFORM_IPC: Platform Interprocess Communication Protocol
-PLATFORM_IPv6_UCAST: IP Version 6 Unicast
-PLATFORM_PBR: Platform policy-based routing
-PLATFORM_PM: Platform port manager
-PLATFORM_RPC: Platform remote procedure call
-PLATFORM_SPAN: Platform switched port analyzer
-PLATFORM_STACKPOWER: Platform stack power
-PLATFORM_UCAST: Platform unicast routing
-PLATFORM_VLAN: Platform VLAN
-PLATFORM_WCCP: Platform WCCP
-PM: Port manager
-PORT_SECURITY: Port security
-POWERNET_ISSU: EnergyWise domain
-PT: Protocol tunneling
-QOSMGR: QoS manager
-RMON: Remote Network Monitoring (RMON)
-SCHED: Schedule
-SDM: Switch Database Manager
-SESA: SESA
-SPAN: Switched port analyzer
-SPANTREE: Spanning tree
-SPANTREE_FAST: Spanning-tree fast convergence
-SPANTREE_VLAN_SW: Spanning-tree VLAN switch
-STACKMGR: Stack manager
-STORM_CONTROL: Storm control
-SUPERVISOR: Supervisor ASIC
-SUPQ: Supervisor queue
-SW_DAI: Dynamic ARP inspection
-SW_MACAUTH: MAC address authentication
-SW_MATM: MAC address table manager
-SW_VLAN: VLAN manager
-SW_QOS_TB: QoS trusted boundary
-TCAMMGR: Ternary content addressable memory manager
-UDLD: UniDirectional Link Detection
-UFAST_MCAST_SW: UplinkFast packet transmission
-VLMAPLOG: VLAN Access Map Logs
-VQPCLIENT: VLAN Query Protocol client
-WCCP: WCCP

data/examples/patterns/cisco DELETED

@@ -1,133 +0,0 @@
-#== Cisco ASA ==
-HOSTNAME \b(?:[_0-9A-Za-z][_0-9A-Za-z-]{0,62})(?:\.(?:[_0-9A-Za-z][_0-9A-Za-z-]{0,62}))*(\.?|\b)
-CTIMESTAMP %{YEAR}-%{MONTHNUM2}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})(?:\.[0-9]+)?%{ISO8601_TIMEZONE}
-CISCO_TAGGED %{CTIMESTAMP}( %{SYSLOGHOST:host})? %{CISCO_TAG:ciscotag}:
-CISCO_ASA_TAGGED %{CTIMESTAMP}( %{SYSLOGHOST:host})? %{CISCO_ASA_TAG:ciscotag}:
-CISCO_CLASS [0-9]{3}
-CISCO_STRUC [A-Z0-9_]+
-CISCO_TAG %{CISCO_STRUC:cisco_facility}-%{INT:cisco_severity}-%{CISCO_STRUC:cisco_mnemonic}|WLC[0-9]+
-CISCO_ASA_TAG %[A-Z0-9_]+-%{INT:cisco_severity}-%{CISCO_CLASS:cisco_class}[0-9]{3}
-# Common Particles
-CISCO_ASA_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|received|denied by ACL|discarded|est-allowed|Dropping|dropping|created|deleted|SENDING|RECEIVED|monitored|dropped|terminated|Rejected
-CISCO_ASA_REASON AAA failure|Duplicate TCP SYN|TCP Reset\-O|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
-CISCO_ASA_DIRECTION Inbound|inbound|Outbound|outbound
-CISCO_ASA_INTERVAL first hit|%{INT}-second interval
-CISCO_ASA_XLATE_TYPE static|dynamic
-# ASA-2-106001
-CISCOASA106001 %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} connection %{DATA:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
-# ASA-2-106006, ASA-2-106007, ASA-2-106010
-CISCOASA106006_106007_106010 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_user}\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_user}\))? (?:on interface %{DATA:interface}|due to %{CISCO_ASA_REASON:reason})
-# ASA-3-106014
-CISCOASA106014 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_user}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_user}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\)
-# ASA-6-106015
-CISCOASA106015 %{CISCO_ASA_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IPORHOST:src_ip}/%{INT:src_port} to %{IPORHOST:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags}  on interface %{GREEDYDATA:interface}
-# ASA-1-106021
-CISCOASA106021 %{CISCO_ASA_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}
-# ASA-4-106023
-CISCOASA106023 %{CISCO_ASA_ACTION:action} %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_user}\))? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_user}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group "%{DATA:policy_id}" \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
-# ASA-5-106100
-CISCOASA106100 access-list %{WORD:policy_id} %{CISCO_ASA_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_user}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:dst_user}\))? hit-cnt %{INT:hit_count} %{CISCO_ASA_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
-# ASA-6-110002
-CISCOASA110002 %{CISCO_ASA_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
-# ASA-5-111008
-CISCOASA111008 User '%{DATA:user}' executed the '%{GREEDYDATA:cmd}' command\.
-# ASA-7-111009
-CISCOASA111009 User '%{DATA:user}' executed cmd: %{GREEDYDATA:cmd}
-# ASA-5-111010
-CISCOASA111010 User '%{DATA:user}', running '%{WORD:service}' from IP %{IPORHOST:src_ip}, executed '%{GREEDYDATA:cmd}'
-# ASA-6-113004
-CISCOASA113004 AAA user authentication Successful : server = \s*%{IPORHOST:server} : user = %{DATA:user}
-# ASA-6-113005
-CISCOASA113005 AAA user authentication %{CISCO_ASA_ACTION:action} : reason = %{CISCO_ASA_REASON} : server = %{IPORHOST:server} : user = %{DATA:user} : user IP = %{IP:src_ip}
-# ASA-6-113008
-CISCOASA113008 AAA transaction status ACCEPT : user = %{DATA:user}
-# ASA-6-113009
-CISCOASA113009 AAA retrieved default group policy \(%{DATA:policy}\) for user = %{DATA:user}
-# ASA-6-302004
-CISCOASA302004 Pre-allocate %{DATA:protocol} backconnection for faddr %{IPORHOST:orig_src_ip}(?:/%{INT:orig_src_port})? to laddr %{IPORHOST:orig_src_ip}(?:/%{INT:orig_src_port})?
-# ASA-6-302010
-CISCOASA302010 %{INT:connection_count} in use, %{INT:connection_count_max} most used
-# ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
-CISCOASA302013_302014_302015_302016 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port}( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))?(\(%{DATA:src_user}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port}( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_user}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_ASA_REASON:reason})?( \(%{DATA:user}\))?
-# ASA-6-302020, ASA-6-302021
-CISCOASA302020_302021 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IPORHOST:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:user}\))? gaddr %{IPORHOST:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IPORHOST:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?
-# ASA-6-303002
-CISCOASA303002 FTP connection from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?, user %{DATA:user} %{WORD:action} file %{DATA:filename}
-# ASA-3-305006
-CISCOASA305006 regular translation creation failed for %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?(?: \(type %{INT:icmp_type}, code %{INT:icmp_code}\))?
-# ASA-6-305011
-CISCOASA305011 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_user}\))? to %{DATA:src_xlated_interface}:%{IPORHOST:src_xlated_ip}/%{DATA:src_xlated_port}
-# ASA-5-305013
-CISCOASA305013 Asymmetric NAT rules matched for forward and reverse flows; Connection for %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})? %{CISCO_ASA_ACTION:action} due to NAT reverse path failure
-# ASA-3-313001, ASA-3-313004, ASA-3-313008
-CISCOASA313001_313004_313008 %{CISCO_ASA_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?
-# ASA-4-313005
-CISCOASA313005 %{CISCO_ASA_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IPORHOST:err_src_ip}(\(%{DATA:err_src_user}\))? dst %{DATA:err_dst_interface}:%{IPORHOST:err_dst_ip}(\(%{DATA:err_dst_user}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\.  Original IP payload: %{WORD:protocol} src %{IPORHOST:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_user}\))? dst %{IPORHOST:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_user}\))?
-# ASA-4-313004
-#CISCOASA338004 Denied ICMP type=%{INT:icmp_type}, from laddr %{IPORHOST:src_ip} on interface %{DATA:src_interface} to %{IPORHOST:dst_ip}: no matching session
-# ASA-4-338004, ASA-4-338008
-CISCOASA338004_338008 Dynamic Filter %{CISCO_ASA_ACTION:action} blacklisted %{WORD:protocol} traffic from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?, destination %{IPORHOST:blacklisted_ip} resolved from local list: %{IPORHOST:blacklisted_ip}/%{IPORHOST:blacklisted_netmask}, threat-level: %{DATA:threat_level}, category: %{DATA:category}
-# ASA-4-338008 Dynamic Filter %{CISCO_ASA_ACTION:action} blacklisted %{WORD:protocol} traffic from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?, destination %{IPORHOST:blacklisted_ip} resolved from local list: 221.204.186.0/255.255.255.0, threat-level: very-high, category: admin-added
-# ASA-6-338304
-CISCOASA338304 Successfully downloaded dynamic filter data file from updater server %{DATA:url}
-# ASA-4-400013
-CISCOASA400013 IDS:2003 ICMP redirect from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
-# ASA-4-400028
-CISCOASA400028 IDS:3042 TCP FIN only flags from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
-# ASA-4-400037
-CISCOASA400037 IDS:6053 DNS all records request from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
-# ASA-4-402117
-CISCOASA402117 %{WORD:protocol}: Received a non-IPSec packet \(protocol= %{WORD:orig_protocol}\) from %{IP:src_ip} to %{IP:dst_ip}
-# ASA-4-402119
-CISCOASA402119 %{WORD:protocol}: Received an %{WORD:orig_protocol} packet \(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\) from %{IP:src_ip} \(user= %{DATA:user}\) to %{IP:dst_ip} that failed anti-replay checking
-# ASA-4-405104
-CISCOASA405104 %{WORD:protocol} message %{DATA:voip_message} received from %{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_ip}(/%{INT:dst_port})? before SETUP
-# ASA-4-419001
-CISCOASA419001 %{CISCO_ASA_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}
-# ASA-4-419002
-CISCOASA419002 %{CISCO_ASA_REASON:reason} from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port} with different initial sequence number
-# ASA-4-500004
-CISCOASA500004 %{CISCO_ASA_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
-# ASA-5-502103
-CISCOASA502103 User priv level changed: Uname: %{DATA:user} From: %{INT:from_level} To: %{INT:to_level}
-# ASA-4-507003
-CISCOASA507003 %{WORD:protocol} flow from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port} %{CISCO_ASA_ACTION:action} by inspection engine, reason - %{DATA:reason}?\.
-# ASA-6-602303, ASA-6-602304
-CISCOASA602303_602304 %{WORD:protocol}: An %{CISCO_ASA_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:src_ip} and %{IP:dst_ip} \(user= %{DATA:user}\) has been %{CISCO_ASA_ACTION:action}
-# ASA-6-605005
-CISCOASA605005 Login permitted from %{IPORHOST:src_ip}/%{INT:src_port} %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{WORD:dst_port} for user "%{DATA:user}"
-# ASA-6-607001
-CISCOASA607001 Pre-allocate %{GREEDYDATA:protocol} secondary channel for %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})? from %{DATA:voip_message} message
-# ASA-7-609001, ASA-7-609002
-CISCOASA609001_609002 %{CISCO_ASA_ACTION:action} local-host %{DATA:src_interface}:%{IPORHOST:src_ip}(?: duration %{TIME:duration})?
-# ASA-6-611101
-CISCOASA611101 User authentication succeeded: Uname: %{DATA:user}
-# ASA-7-710001, ASA-7-710002, ASA-7-710003, ASA-7-710005, ASA-7-710006
-CISCOASA710001_710002_710003_710005_710006_710007 %{WORD:protocol} (?:request|access|keepalive) %{CISCO_ASA_ACTION:action} from %{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{DATA:dst_port}
-# ASA-6-713172
-CISCOASA713172 Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\s+Remote end\s*%{DATA:is_remote_natted}\s*behind a NAT device\s+This\s+end\s*%{DATA:is_local_natted}\s*behind a NAT device
-# ASA-7-713236
-CISCOASA713236 IP = %{IPORHOST:src_ip}, IKE_DECODE %{CISCO_ASA_ACTION} Message \(msgid=%{DATA:msgid}\) with payloads : %{GREEDYDATA:payload} total length : %{INT:length}
-# ASA-5-713257
-CISCOASA713257 Phase %{DATA} failure:  Mismatched attribute types for class %{DATA:vpn_class}:  Rcv'd: %{DATA:vpn_rcvd} Cfg'd: %{DATA:vpn_cfgd}
-# ASA-5-713904
-CISCOASA713904 IP = %{IPORHOST:src_ip}, Received encrypted packet with no matching SA, %{CISCO_ASA_ACTION:action}
-# ASA-7-713906
-CISCOASA713906 IKE Receiver: Packet received on %{IPORHOST:dst_ip}:%{INT:dst_port} from %{IPORHOST:src_ip}:%{INT:src_port}
-# ASA-7-715046
-CISCOASA715036_715046_715047_715075 Group = %{GREEDYDATA:group},(?: Username = %{DATA:user},)? IP = %{IP:src_ip},%{GREEDYDATA:vpn_action}
-# ASA-4-733100
-CISCOASA733100 \[\s*%{DATA:drop_type}\s*\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}
-# ASA-6-734001
-CISCOASA734001 DAP: User %{DATA:user}, Addr %{IP:src_ip}, Connection %{DATA:protocol}: The following DAP records were selected for this connection: %{GREEDYDATA:policy_id}
-# ASA-6-737006
-CISCOASA737006 IPAA: Local pool request succeeded for tunnel-group '%{DATA:vpn_group}'
-# ASA-6-737016
-CISCOASA737016 IPAA: Freeing local pool address %{IP:src_ip}
-# ASA-6-737026
-CISCOASA737026 IPAA: Client assigned %{IP:src_ip} from local pool
-# ASA-6-737029
-CISCOASA737029 IPAA: Added %{IP:src_ip} to standby
-# ASA-6-737031
-CISCOASA737031 IPAA: Removed %{IP:src_ip} from standby
-#== End Cisco ASA ==