[Cisco FTD] Fix the handling of spaces in 113005 messages (#8798)

bhapas · web-flow · commit b01de9c94a50 · 2023-12-27T15:24:12.000+01:00
This PR fixes the parsing of a 113005 Cisco FTD message
diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.0.2"
+  changes:
+    - description: Fix the handling of spaces in 113005 messages.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/8798
 - version: "3.0.1"
   changes:
     - description: Fix exclude_files pattern.
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log
@@ -1,2 +1,3 @@
 <166>Sep 29 2022 15:00:15 hosty : %FTD-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF0079F5A) between 192.168.0.139 and 192.168.0.38 (user= 192.168.0.38) has been created.
 <166>Sep 29 2022 15:00:15 hosty : %FTD-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xEAEE970F) between 192.168.0.38 and 192.168.0.139 (user= 192.168.0.38) has been deleted.
+<166>ACA1a-FW-FTDV01 %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.168.0.38 : user = scan : user IP = 192.168.0.139
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json
@@ -146,6 +146,66 @@
             "user": {
                 "name": "192.168.0.38"
             }
+        },
+        {
+            "destination": {
+                "address": "192.168.0.38",
+                "ip": "192.168.0.38"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "logon-failed",
+                "code": "113005",
+                "original": "<166>ACA1a-FW-FTDV01 %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.168.0.38 : user = scan : user IP = 192.168.0.139",
+                "outcome": "failure",
+                "severity": 6,
+                "timezone": "UTC"
+            },
+            "host": {
+                "hostname": "ACA1a-FW-FTDV01"
+            },
+            "log": {
+                "level": "informational",
+                "syslog": {
+                    "facility": {
+                        "code": 20
+                    },
+                    "priority": 166,
+                    "severity": {
+                        "code": 6
+                    }
+                }
+            },
+            "observer": {
+                "hostname": "ACA1a-FW-FTDV01",
+                "product": "ftd",
+                "type": "idps",
+                "vendor": "Cisco"
+            },
+            "related": {
+                "hosts": [
+                    "ACA1a-FW-FTDV01"
+                ],
+                "ip": [
+                    "192.168.0.139",
+                    "192.168.0.38"
+                ],
+                "user": [
+                    "scan"
+                ]
+            },
+            "source": {
+                "address": "192.168.0.139",
+                "ip": "192.168.0.139",
+                "user": {
+                    "name": "scan"
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }
diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -357,7 +357,7 @@ processors:
       description: "113005"
       field: "message"
       patterns:
-        - "AAA user authentication Rejected: reason = %{REASON}: server = %{IP:destination.address} : user = ?%{CISCO_USER:source.user.name}: user IP = %{IP:source.address}"
+        - "AAA user authentication Rejected(%{SPACE})?: reason = %{REASON}(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: user = ?%{CISCO_USER:source.user.name}(%{SPACE})?: user IP = %{IP:source.address}"
       pattern_definitions:
         REASON: (AAA failure|Account has been disabled)
         CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?)
diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: cisco_ftd
 title: Cisco FTD
-version: "3.0.1"
+version: "3.0.2"
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration
 categories:

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`<166>Sep 29 2022 15:00:15 hosty : %FTD-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF0079F5A) between 192.168.0.139 and 192.168.0.38 (user= 192.168.0.38) has been created.`
`2`	`2`	`<166>Sep 29 2022 15:00:15 hosty : %FTD-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xEAEE970F) between 192.168.0.38 and 192.168.0.139 (user= 192.168.0.38) has been deleted.`
	`3`	`+<166>ACA1a-FW-FTDV01 %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.168.0.38 : user = scan : user IP = 192.168.0.139`