logstash-input-sdee 0.6.9 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2e5c47c9f0d817a1e1d1fbb697e896ffc7fe0ef4
-  data.tar.gz: 6df5bb5d6942b4554216a032379a4ecf00989573
+  metadata.gz: a309cfe8bdd6daec2c0e3abe3b2ce8378eaaecf0
+  data.tar.gz: 538f3991ba62d609540830549fcc58f4e24e1659
 SHA512:
-  metadata.gz: 5ef8b0e84db55e36509d00af50cd6134b642ee4ee051c3a07f102cdf86af3dd74fcc217d5877e5451e6251b76a8e1ccb41d14135860955bd7c7fab174540f082
-  data.tar.gz: de12fddd14935ebd9b8e377cd64b605f544ec5b9f8dc354999d7414b1496e8c4a9f76c8116db1a00691723a6866629146d3b3b31c43a04c39e5b37665794488d
+  metadata.gz: f7756854ba4d3c0532c74f04f7672f6eba87f56c33fc9c85ace7c2f14f0031003e33845f85564d4e306badd4d1068eb9309819427c0546ef431cee24be5dab69
+  data.tar.gz: d5b12d693b98aa61ab37789d8089091978fa92820680b85e8db4da32230dc635ee1faffeef368f9b8096ebf00140cc470351ac749b2b4b594c441751ea90b7bb

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+* 0.7.0
+  - logstash configuration examples, inputs and filter
+  - pattern file and dictioanries for Cisco IPS messages
 * 0.6.9
   - making it ready for RubyGems
 * 0.4.0

data/examples/{sdee.conf → 10-inputs.conf}

@@ -27,9 +27,3 @@ input {
   }
 
 }
-
-output {
-  stdout {
-    codec => rubydebug
-  }
-}

data/examples/20-filter.conf

@@ -0,0 +1,57 @@
+filter {
+  if ([type] and ([type] == "syslog-relay") and !("_grokparsefailure" in [tags]) and !("pre-processed" in [tags])) {
+     grok {
+       match => {
+         "message" => "%{GREEDYDATA:cisco_message}"
+       }
+       add_tag => [ "parser_begin" ]
+     }
+     grok {
+        patterns_dir => [ "/etc/logstash/patterns" ]
+        match => {
+           "message" => "%{CTIMESTAMP}( %{SYSLOGHOST:host})? (?:%{INT:sequence}: %{MONTH} %{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}\.[0-9]+: )%{GREEDYDATA:message}"
+        }
+         overwrite => [ "message" ]
+         add_tag => [ "pre-processed" ]
+         add_field => {
+           "vendor" => "Cisco"
+           "device" => "SW or Router"
+         }
+     }
+     grok {
+        patterns_dir => [ "/etc/logstash/patterns" ]
+        match => {
+          "message" => "%{CISCO_TAG}: %{GREEDYDATA:message}"
+        }
+        overwrite => [ "message" ]
+     }
+     if [cisco_facility] {
+        translate {
+            field => "cisco_facility"
+            destination => "facility"
+            dictionary_path => [ "/etc/logstash/patterns/cisco.facility" ]
+            override => true
+            remove_field => [cisco_facility]
+        }
+      }
+      if [cisco_severity] {
+        translate {
+            field => "cisco_severity"
+            destination => "severity"
+            dictionary => [ 
+                            "0", "Emergency",
+                            "1", "Alert",
+                            "2", "Critical",
+                            "3", "Error",
+                            "4", "Warning",
+                            "5", "Notification",
+                            "6", "Informational",
+                            "7", "Debugging" ]
+            override => true
+            remove_field => [cisco_severity]
+        }
+      }
+
+  }
+}
+                                                     

data/examples/30-outputs.conf

@@ -0,0 +1,5 @@
+output {
+  stdout {
+    codec => rubydebug
+  }
+}

data/examples/patterns/cisco

@@ -1,79 +1,133 @@
 #== Cisco ASA ==
 HOSTNAME \b(?:[_0-9A-Za-z][_0-9A-Za-z-]{0,62})(?:\.(?:[_0-9A-Za-z][_0-9A-Za-z-]{0,62}))*(\.?|\b)
-CTIMESTAMP %{YEAR}-%{MONTHNUM2}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
-CISCO_TAGGED %{CTIMESTAMP:ctimestamp}( %{SYSLOGHOST:sysloghost})? %{CISCO_TAG:ciscotag}:
-CISCO_TAG %[A-Z0-9]+-%{INT:cisco_severity}-(?:[A-Z0-9_]+)|WLC[0-9]+
+CTIMESTAMP %{YEAR}-%{MONTHNUM2}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})(?:\.[0-9]+)?%{ISO8601_TIMEZONE}
+CISCO_TAGGED %{CTIMESTAMP}( %{SYSLOGHOST:host})? %{CISCO_TAG:ciscotag}:
+CISCO_ASA_TAGGED %{CTIMESTAMP}( %{SYSLOGHOST:host})? %{CISCO_ASA_TAG:ciscotag}:
+CISCO_CLASS [0-9]{3}
+CISCO_STRUC [A-Z0-9_]+
+CISCO_TAG %{CISCO_STRUC:cisco_facility}-%{INT:cisco_severity}-%{CISCO_STRUC:cisco_mnemonic}|WLC[0-9]+
+CISCO_ASA_TAG %[A-Z0-9_]+-%{INT:cisco_severity}-%{CISCO_CLASS:cisco_class}[0-9]{3}
 # Common Particles
-CISCO_ASA_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|received|denied by ACL|discarded|est-allowed|Dropping|created|deleted|SENDING|RECEIVED|monitored|dropped
-CISCO_ASA_REASON Duplicate TCP SYN|TCP Reset\-O|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
+CISCO_ASA_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|received|denied by ACL|discarded|est-allowed|Dropping|dropping|created|deleted|SENDING|RECEIVED|monitored|dropped|terminated|Rejected
+CISCO_ASA_REASON AAA failure|Duplicate TCP SYN|TCP Reset\-O|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
 CISCO_ASA_DIRECTION Inbound|inbound|Outbound|outbound
 CISCO_ASA_INTERVAL first hit|%{INT}-second interval
 CISCO_ASA_XLATE_TYPE static|dynamic
 # ASA-2-106001
-CISCOASA106001 %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ASA_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
+CISCOASA106001 %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} connection %{DATA:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
 # ASA-2-106006, ASA-2-106007, ASA-2-106010
-CISCOASA106006_106007_106010 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_fwuser}\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_fwuser}\))? (?:on interface %{DATA:interface}|due to %{CISCO_ASA_REASON:reason})
+CISCOASA106006_106007_106010 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_user}\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_user}\))? (?:on interface %{DATA:interface}|due to %{CISCO_ASA_REASON:reason})
 # ASA-3-106014
-CISCOASA106014 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_fwuser}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\)
+CISCOASA106014 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_user}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_user}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\)
 # ASA-6-106015
 CISCOASA106015 %{CISCO_ASA_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IPORHOST:src_ip}/%{INT:src_port} to %{IPORHOST:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags}  on interface %{GREEDYDATA:interface}
 # ASA-1-106021
 CISCOASA106021 %{CISCO_ASA_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}
 # ASA-4-106023
-CISCOASA106023 %{CISCO_ASA_ACTION:action} %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_fwuser}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group %{DATA:policy_id} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
+CISCOASA106023 %{CISCO_ASA_ACTION:action} %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_user}\))? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_user}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group "%{DATA:policy_id}" \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
 # ASA-5-106100
-CISCOASA106100 access-list %{WORD:policy_id} %{CISCO_ASA_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))? hit-cnt %{INT:hit_count} %{CISCO_ASA_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
+CISCOASA106100 access-list %{WORD:policy_id} %{CISCO_ASA_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_user}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:dst_user}\))? hit-cnt %{INT:hit_count} %{CISCO_ASA_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
 # ASA-6-110002
 CISCOASA110002 %{CISCO_ASA_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
 # ASA-5-111008
-CISCOASA111008 User \'%{DATA:src_fwuser}\' executed the \'%{GREEDYDATA:cmd}\' command\.
+CISCOASA111008 User '%{DATA:user}' executed the '%{GREEDYDATA:cmd}' command\.
 # ASA-7-111009
-CISCOASA111009 User \'%{DATA:src_fwuser}\' executed cmd: %{GREEDYDATA:cmd}
+CISCOASA111009 User '%{DATA:user}' executed cmd: %{GREEDYDATA:cmd}
 # ASA-5-111010
-CISCOASA111010 User \'%{DATA:src_fwuser}\', running \'CLI\' from IP %{IPORHOST:src_ip}, executed \'%{GREEDYDATA:cmd}\'
+CISCOASA111010 User '%{DATA:user}', running '%{WORD:service}' from IP %{IPORHOST:src_ip}, executed '%{GREEDYDATA:cmd}'
+# ASA-6-113004
+CISCOASA113004 AAA user authentication Successful : server = \s*%{IPORHOST:server} : user = %{DATA:user}
+# ASA-6-113005
+CISCOASA113005 AAA user authentication %{CISCO_ASA_ACTION:action} : reason = %{CISCO_ASA_REASON} : server = %{IPORHOST:server} : user = %{DATA:user} : user IP = %{IP:src_ip}
+# ASA-6-113008
+CISCOASA113008 AAA transaction status ACCEPT : user = %{DATA:user}
+# ASA-6-113009
+CISCOASA113009 AAA retrieved default group policy \(%{DATA:policy}\) for user = %{DATA:user}
+# ASA-6-302004
+CISCOASA302004 Pre-allocate %{DATA:protocol} backconnection for faddr %{IPORHOST:orig_src_ip}(?:/%{INT:orig_src_port})? to laddr %{IPORHOST:orig_src_ip}(?:/%{INT:orig_src_port})?
 # ASA-6-302010
 CISCOASA302010 %{INT:connection_count} in use, %{INT:connection_count_max} most used
 # ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
-CISCOASA302013_302014_302015_302016 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port}( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port}( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_ASA_REASON:reason})?( \(%{DATA:user}\))?
+CISCOASA302013_302014_302015_302016 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port}( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))?(\(%{DATA:src_user}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port}( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_user}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_ASA_REASON:reason})?( \(%{DATA:user}\))?
 # ASA-6-302020, ASA-6-302021
-CISCOASA302020_302021 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IPORHOST:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr %{IPORHOST:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IPORHOST:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?
+CISCOASA302020_302021 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IPORHOST:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:user}\))? gaddr %{IPORHOST:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IPORHOST:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?
+# ASA-6-303002
+CISCOASA303002 FTP connection from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?, user %{DATA:user} %{WORD:action} file %{DATA:filename}
 # ASA-3-305006
 CISCOASA305006 regular translation creation failed for %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?(?: \(type %{INT:icmp_type}, code %{INT:icmp_code}\))?
 # ASA-6-305011
-CISCOASA305011 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? to %{DATA:src_xlated_interface}:%{IPORHOST:src_xlated_ip}/%{DATA:src_xlated_port}
+CISCOASA305011 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_user}\))? to %{DATA:src_xlated_interface}:%{IPORHOST:src_xlated_ip}/%{DATA:src_xlated_port}
 # ASA-5-305013
 CISCOASA305013 Asymmetric NAT rules matched for forward and reverse flows; Connection for %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})? %{CISCO_ASA_ACTION:action} due to NAT reverse path failure
 # ASA-3-313001, ASA-3-313004, ASA-3-313008
 CISCOASA313001_313004_313008 %{CISCO_ASA_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?
 # ASA-4-313005
-CISCOASA313005 %{CISCO_ASA_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IPORHOST:err_src_ip}(\(%{DATA:err_src_fwuser}\))? dst %{DATA:err_dst_interface}:%{IPORHOST:err_dst_ip}(\(%{DATA:err_dst_fwuser}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\.  Original IP payload: %{WORD:protocol} src %{IPORHOST:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_fwuser}\))? dst %{IPORHOST:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_fwuser}\))?
+CISCOASA313005 %{CISCO_ASA_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IPORHOST:err_src_ip}(\(%{DATA:err_src_user}\))? dst %{DATA:err_dst_interface}:%{IPORHOST:err_dst_ip}(\(%{DATA:err_dst_user}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\.  Original IP payload: %{WORD:protocol} src %{IPORHOST:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_user}\))? dst %{IPORHOST:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_user}\))?
+# ASA-4-313004
+#CISCOASA338004 Denied ICMP type=%{INT:icmp_type}, from laddr %{IPORHOST:src_ip} on interface %{DATA:src_interface} to %{IPORHOST:dst_ip}: no matching session
 # ASA-4-338004, ASA-4-338008 
 CISCOASA338004_338008 Dynamic Filter %{CISCO_ASA_ACTION:action} blacklisted %{WORD:protocol} traffic from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?, destination %{IPORHOST:blacklisted_ip} resolved from local list: %{IPORHOST:blacklisted_ip}/%{IPORHOST:blacklisted_netmask}, threat-level: %{DATA:threat_level}, category: %{DATA:category}
 # ASA-4-338008 Dynamic Filter %{CISCO_ASA_ACTION:action} blacklisted %{WORD:protocol} traffic from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?, destination %{IPORHOST:blacklisted_ip} resolved from local list: 221.204.186.0/255.255.255.0, threat-level: very-high, category: admin-added
+# ASA-6-338304
+CISCOASA338304 Successfully downloaded dynamic filter data file from updater server %{DATA:url}
+# ASA-4-400013
+CISCOASA400013 IDS:2003 ICMP redirect from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
+# ASA-4-400028
+CISCOASA400028 IDS:3042 TCP FIN only flags from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
+# ASA-4-400037
+CISCOASA400037 IDS:6053 DNS all records request from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface}
 # ASA-4-402117
 CISCOASA402117 %{WORD:protocol}: Received a non-IPSec packet \(protocol= %{WORD:orig_protocol}\) from %{IP:src_ip} to %{IP:dst_ip}
 # ASA-4-402119
 CISCOASA402119 %{WORD:protocol}: Received an %{WORD:orig_protocol} packet \(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\) from %{IP:src_ip} \(user= %{DATA:user}\) to %{IP:dst_ip} that failed anti-replay checking
+# ASA-4-405104
+CISCOASA405104 %{WORD:protocol} message %{DATA:voip_message} received from %{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_ip}(/%{INT:dst_port})? before SETUP
 # ASA-4-419001
 CISCOASA419001 %{CISCO_ASA_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}
 # ASA-4-419002
 CISCOASA419002 %{CISCO_ASA_REASON:reason} from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port} with different initial sequence number
 # ASA-4-500004
 CISCOASA500004 %{CISCO_ASA_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
+# ASA-5-502103
+CISCOASA502103 User priv level changed: Uname: %{DATA:user} From: %{INT:from_level} To: %{INT:to_level}
+# ASA-4-507003
+CISCOASA507003 %{WORD:protocol} flow from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port} %{CISCO_ASA_ACTION:action} by inspection engine, reason - %{DATA:reason}?\.
 # ASA-6-602303, ASA-6-602304
 CISCOASA602303_602304 %{WORD:protocol}: An %{CISCO_ASA_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:src_ip} and %{IP:dst_ip} \(user= %{DATA:user}\) has been %{CISCO_ASA_ACTION:action}
+# ASA-6-605005
+CISCOASA605005 Login permitted from %{IPORHOST:src_ip}/%{INT:src_port} %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{WORD:dst_port} for user "%{DATA:user}"
+# ASA-6-607001
+CISCOASA607001 Pre-allocate %{GREEDYDATA:protocol} secondary channel for %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})? from %{DATA:voip_message} message
 # ASA-7-609001, ASA-7-609002
 CISCOASA609001_609002 %{CISCO_ASA_ACTION:action} local-host %{DATA:src_interface}:%{IPORHOST:src_ip}(?: duration %{TIME:duration})?
+# ASA-6-611101
+CISCOASA611101 User authentication succeeded: Uname: %{DATA:user}
 # ASA-7-710001, ASA-7-710002, ASA-7-710003, ASA-7-710005, ASA-7-710006
 CISCOASA710001_710002_710003_710005_710006_710007 %{WORD:protocol} (?:request|access|keepalive) %{CISCO_ASA_ACTION:action} from %{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{DATA:dst_port}
 # ASA-6-713172
 CISCOASA713172 Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\s+Remote end\s*%{DATA:is_remote_natted}\s*behind a NAT device\s+This\s+end\s*%{DATA:is_local_natted}\s*behind a NAT device
 # ASA-7-713236
 CISCOASA713236 IP = %{IPORHOST:src_ip}, IKE_DECODE %{CISCO_ASA_ACTION} Message \(msgid=%{DATA:msgid}\) with payloads : %{GREEDYDATA:payload} total length : %{INT:length}
+# ASA-5-713257
+CISCOASA713257 Phase %{DATA} failure:  Mismatched attribute types for class %{DATA:vpn_class}:  Rcv'd: %{DATA:vpn_rcvd} Cfg'd: %{DATA:vpn_cfgd}
+# ASA-5-713904 
+CISCOASA713904 IP = %{IPORHOST:src_ip}, Received encrypted packet with no matching SA, %{CISCO_ASA_ACTION:action}
 # ASA-7-713906
 CISCOASA713906 IKE Receiver: Packet received on %{IPORHOST:dst_ip}:%{INT:dst_port} from %{IPORHOST:src_ip}:%{INT:src_port}
 # ASA-7-715046
-CISCOASA715036_715046_715047_715075 Group = %{GREEDYDATA:group},(?: Username = %{DATA:src_fwuser},)? IP = %{IP:src_ip},%{GREEDYDATA:vpn_action}
+CISCOASA715036_715046_715047_715075 Group = %{GREEDYDATA:group},(?: Username = %{DATA:user},)? IP = %{IP:src_ip},%{GREEDYDATA:vpn_action}
 # ASA-4-733100
 CISCOASA733100 \[\s*%{DATA:drop_type}\s*\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}
+# ASA-6-734001
+CISCOASA734001 DAP: User %{DATA:user}, Addr %{IP:src_ip}, Connection %{DATA:protocol}: The following DAP records were selected for this connection: %{GREEDYDATA:policy_id}
+# ASA-6-737006
+CISCOASA737006 IPAA: Local pool request succeeded for tunnel-group '%{DATA:vpn_group}'
+# ASA-6-737016
+CISCOASA737016 IPAA: Freeing local pool address %{IP:src_ip}
+# ASA-6-737026
+CISCOASA737026 IPAA: Client assigned %{IP:src_ip} from local pool
+# ASA-6-737029
+CISCOASA737029 IPAA: Added %{IP:src_ip} to standby
+# ASA-6-737031
+CISCOASA737031 IPAA: Removed %{IP:src_ip} from standby
 #== End Cisco ASA ==

data/examples/patterns/cisco.dictionary

@@ -0,0 +1,131 @@
+"101": High Availability (Failover)
+"102": High Availability (Failover)
+"103": High Availability (Failover)
+"104": High Availability (Failover)
+"105": High Availability (Failover)
+"106": Access Lists
+"107": RIP Routing
+"108": User Session
+"109": User Authentication
+"110": Transparent Firewall
+"111": Command Interface
+"112": Command Interface
+"113": User Authentication
+"120": Smart Call Home
+"199": System
+"201": User Session
+"202": User Session
+"204": User Session
+"208": Command Interface
+"209": IP Stack
+"210": High Availability (Failover)
+"211": System
+"212": SNMP
+"213": PPTP and L2TP Sessions
+"214": System
+"215": IP Stack
+"216": System
+"220": Transparent Firewall
+"302": User Session
+"303": User Session
+"304": User Session
+"305": NAT and PAT
+"306": System
+"307": System
+"308": Command Interface
+"311": High Availability (Failover)
+"312": RIP Routing
+"313": IP Stack
+"314": User Session
+"315": System
+"316": IKE and IPSec
+"317": IP Stack
+"318": OSPF Routing
+"319": Network Processor
+"320": IKE and IPSec
+"321": Resource Manager
+"325": IPv6
+"321": Resource Manager
+"323": Card Management
+"333": EAP or EAPoUDP for NAC
+"334": EAP or EAPoUDP for NAC
+"336": EIGRP Routing
+"337": Phone Proxy
+"338": Blacklists, Whitelists, and Graylists
+"339": UC-IME
+"400": Intrusion Protection System
+"401": Intrusion Protection System
+"402": IKE and IPSec
+"403": PPTP and L2TP Sessions
+"404": IKE and IPSec
+"405": User Session
+"406": User Session
+"407": User Session
+"408": IP Stack
+"409": OSPF Routing
+"414": System
+"415": Application Firewall
+"419": Intrusion Protection System
+"420": Intrusion Protection System
+"444": Licensing
+"500": User Session
+"501": IKE and IPSec
+"502": User Session
+"503": OSPF Routing
+"505": System
+"602": IKE and IPSec
+"603": PPTP and L2TP Sessions
+"604": System
+"605": System
+"606": System
+"607": User Session
+"608": User Session
+"609": User Session
+"610": System
+"611": VPN Client
+"612": System
+"613": OSPF Routing
+"614": System
+"615": System
+"616": User Session
+"620": User Session
+"701": System
+"702": IKE and IPSec
+"703": User Session
+"709": High Availability (Failover)
+"710": User Session
+"711": System
+"713": Network Access Point
+"714": IKE and IPSec
+"715": IKE and IPSec
+"716": WebVPN Client
+"717": PKI Certification Authority
+"718": VPN Load Balancing
+"719": E-mail Proxy
+"720": VPN Failover
+"721": WebVPN Failover
+"722": SSL VPN Client
+"723": Citrix Client
+"724": Secure Desktop
+"725": SSL Stack
+"727": High Availability (Failover)
+"728": Load Balancing
+"730": VLAN Mapping
+"731": NAC Policy
+"732": NAC Settings to apply NAC Policy
+"733": Threat Detection
+"734": Dynamic Access Policies
+"735": IP Address Assignment
+"737": IP Address Assignment
+"741": System
+"742": Password Encryption
+"746": Identity-based Firewall
+"747": Clustering
+"750": IKEv2 Toolkit
+"751": IKEv2 Toolkit
+"752": IKEv2 Toolkit
+"775": ScanSafe
+"776": Cisco TrustSec
+"778": VXLAN
+"779": Service Tag Switching
+"802": MDM Proxy

data/examples/patterns/cisco.facility

@@ -0,0 +1,82 @@
+AUTHMGR: Authentication manager
+ACLMGR: ACL manager
+BACKUP_INTERFACE: Flex Links
+BADTRANSCEIVER: Defective transceiver
+BSPATCH: Boot loader patch
+CFGMGR: Configuration manager
+CLS_ACC: Consoleless access
+CMP: Cluster Membership Protocol
+DHCP_SNOOPING: DHCP snooping
+DOT1X: 802.1x
+DOT1X_SWITCH: 802.1x for switches
+DTP: Dynamic Trunking Protocol
+DWL: Down-when-looped
+EC: EtherChannel
+ENVIRONMENT: Environment Messages
+EPM: Enforcement Policy Module
+ETHCNTR: Ethernet controller
+EXPRESS_SETUP: Express Setup
+FRNTEND_CTRLR: Front-end controller
+GBIC_SECURITY: GBIC and SFP module security
+GBIC_SECURITY_CRYPT: GBIC and SFP module security
+GBIC_SECURITY_UNIQUE: GBIC and SFP module security
+HARDWARE: Hardware
+LFM: Local forwarding manager
+HPSECURE: Port security
+HULC_LICENSE: Licensing
+IFMGR: Interface manager
+IGMP_QUERIER: IGMP querier
+ILET: Cisco IOS License Enforcement Test
+ILPOWER: PoE
+IMAGEMGR: Image manager
+IP: Internet Protocol
+IP_DEVICE_TRACKING: IP device tracking
+KEYMAN: Keyman Messages
+MAC_MOVE: Host activity
+PAGP: Port Aggregation Protocol
+PHY: PHY
+PIMSN: PIM snooping
+PLATFORM: Low-level platform-specific
+PLATFORM_SM10G: Platform FRULink 10G Service Module
+PLATFORM_ENV: Platform environment
+PLATFORM_FBM: Platform fallback bridging manager
+PLATFORM_HCEF: Cisco Express Forwarding
+PLATFORM_HPLM: Platform pseudo-label manager
+PLATFORM_IPC: Platform Interprocess Communication Protocol
+PLATFORM_IPv6_UCAST: IP Version 6 Unicast
+PLATFORM_PBR: Platform policy-based routing
+PLATFORM_PM: Platform port manager
+PLATFORM_RPC: Platform remote procedure call
+PLATFORM_SPAN: Platform switched port analyzer
+PLATFORM_STACKPOWER: Platform stack power
+PLATFORM_UCAST: Platform unicast routing
+PLATFORM_VLAN: Platform VLAN
+PLATFORM_WCCP: Platform WCCP
+PM: Port manager
+PORT_SECURITY: Port security
+POWERNET_ISSU: EnergyWise domain
+PT: Protocol tunneling
+QOSMGR: QoS manager
+RMON: Remote Network Monitoring (RMON)
+SCHED: Schedule
+SDM: Switch Database Manager
+SESA: SESA
+SPAN: Switched port analyzer
+SPANTREE: Spanning tree
+SPANTREE_FAST: Spanning-tree fast convergence
+SPANTREE_VLAN_SW: Spanning-tree VLAN switch
+STACKMGR: Stack manager
+STORM_CONTROL: Storm control
+SUPERVISOR: Supervisor ASIC
+SUPQ: Supervisor queue
+SW_DAI: Dynamic ARP inspection
+SW_MACAUTH: MAC address authentication
+SW_MATM: MAC address table manager
+SW_VLAN: VLAN manager
+SW_QOS_TB: QoS trusted boundary
+TCAMMGR: Ternary content addressable memory manager
+UDLD: UniDirectional Link Detection
+UFAST_MCAST_SW: UplinkFast packet transmission
+VLMAPLOG: VLAN Access Map Logs
+VQPCLIENT: VLAN Query Protocol client
+WCCP: WCCP

data/logstash-input-sdee.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name        = 'logstash-input-sdee'
-  s.version     = '0.6.9'
+  s.version     = '0.7.0'
   s.date        = '2016-08-14'
   s.summary     = "Logstah SDEE input from Cisco ASA"
   s.description = "This Logstash input plugin allows you to call a Cisco SDEE/CIDEE HTTP API, decode the output of it into event(s), and send them on their merry way."

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-sdee
 version: !ruby/object:Gem::Version
-  version: 0.6.9
+  version: 0.7.0
 platform: ruby
 authors:
 - rootik
@@ -102,8 +102,12 @@ files:
 - Gemfile
 - LICENSE
 - README.md
+- examples/10-inputs.conf
+- examples/20-filter.conf
+- examples/30-outputs.conf
 - examples/patterns/cisco
-- examples/sdee.conf
+- examples/patterns/cisco.dictionary
+- examples/patterns/cisco.facility
 - lib/logstash/inputs/sdee.rb
 - logstash-input-sdee.gemspec
 homepage: http://rubygems.org/gems/logstash-input-sdee