@dwhyrock dwhyrock commented Oct 9, 2024

Proposed commit message

Some of the AAA log messages can have hostnames for the server = field. This loosens up the grok pattern to use IPORHOST instead of just IP.

This also adds a new pattern to allow for an unhandled ICMP message with a value of <unknown> for the Original IP payload value.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

@dwhyrock dwhyrock requested a review from a team as a code owner October 9, 2024 13:44
@andrewkroh andrewkroh added the bugfix, Integration:cisco_asa and Team:Security-Deployment and Devices labels Oct 9, 2024
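
Added example, not code from this PR or the cisco_asa package: a Python sketch of why an IP-only capture drops AAA lines whose server = field holds a hostname, and how an IPORHOST-style capture keeps them. The regexes are simplified IPv4-only stand-ins for the grok patterns, and the log lines, their field layout and the output field names (server_ip, server_domain) are constructed assumptions.

```python
import ipaddress
import re

# Simplified stand-ins for grok's IP and IPORHOST (assumption: IPv4 only).
IPV4 = r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)"
HOSTNAME = r"[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*"
IPORHOST = rf"(?:{IPV4}|{HOSTNAME})"

# Constructed sample lines; the field layout is an assumption for illustration.
SAMPLES = [
    "%ASA-6-113004: AAA user authentication Successful : server = 192.0.2.10 : user = alice",
    "%ASA-6-113004: AAA user authentication Successful : server = radius01.example.com : user = alice",
    "%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = radius01.example.com : user = bob",
]


def server_pattern(value):
    """Build the 'server = <value> : user = <name>' matcher for a value pattern."""
    return re.compile(rf"server\s*=\s*(?P<server>{value})\s*:\s*user\s*=\s*(?P<user>\S+)")


def parse(line, pattern):
    """Return extracted fields, or None when the line would fail to parse."""
    m = pattern.search(line)
    if m is None:
        return None
    fields = {"user": m["user"]}
    try:
        # Keep addresses and names apart so IP-typed fields stay valid.
        fields["server_ip"] = str(ipaddress.ip_address(m["server"]))
    except ValueError:
        fields["server_domain"] = m["server"]
    return fields


def unparsed(lines, pattern):
    """Lines that the pattern drops, i.e. events that lose their AAA fields."""
    return [line for line in lines if parse(line, pattern) is None]


if __name__ == "__main__":
    for name, value in (("IP", IPV4), ("IPORHOST", IPORHOST)):
        pat = server_pattern(value)
        print(name, "misses", len(unparsed(SAMPLES, pat)), "of", len(SAMPLES))
```

Counting the lines a pattern fails to match, as `unparsed` does here, is a useful regression check when replaying real device logs against a changed pipeline.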
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@gogochan gogochan left a comment

LGTM - merge conflict.

@jrmolin jrmolin left a comment

Seems reasonable to me. Also looks like the example data is generic enough. Are those the correct numbers? 113004, 113005, 313005? Mostly the 313005. It probably is. I could look it up, but I'm just going to talk to myself in this little box here. It looks good.

@dwhyrock
Contributor Author

> Are those the correct numbers? 113004, 113005, 313005? Mostly the 313005. It probably is. I could look it up, but I'm just going to talk to myself in this little box here. It looks good.

Those numbers were from actual logs. I only changed the IPs/Hostnames to be generic, but left those values alone.

@elasticmachine

💚 Build Succeeded

@dwhyrock dwhyrock merged commit 5dc9792 into elastic:main Oct 10, 2024
5 checks passed
@dwhyrock dwhyrock deleted the cisco-asa-use-iporhost branch October 10, 2024 15:58
@elastic-vault-github-plugin-prod

Package cisco_asa - 2.38.1 containing this change is available at https://epr.elastic.co/search?package=cisco_asa

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
…stic#11378)

* Adding new logs and fixes

* Adding new expected logs, as well as changelog and manifest updates
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
…stic#11378)

* Adding new logs and fixes

* Adding new expected logs, as well as changelog and manifest updates