Cisco ASA

Шаблоны grok, используемые для Cisco ASA (Adaptive Security Appliance) — серия аппаратных межсетевых экранов, разработанных компанией Cisco Systems.

#== Cisco ASA ==
CISCO_TAGGED_SYSLOG ^%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}

# Common Particles
CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted
CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
CISCO_DIRECTION Inbound|inbound|Outbound|outbound

# ASA-6-106015
CISCOFW106015 %{CISCO_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IP:source_ip}/%{INT:source_port} to %{IP:destination_ip}/%{INT:destination_port} flags %{DATA:tcp_flags}  on interface %{GREEDYDATA:interface}

# ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:source_interface}:%{IP:source_ip}/%{INT:source_port}( \(%{IP:source_mapped_ip}/%{INT:source_mapped_port}\))?(\(%{DATA:source_user}\))? to %{DATA:destination_interface}:%{IP:destination_ip}/%{INT:destination_port}( \(%{IP:destination_mapped_ip}/%{INT:destination_mapped_port}\))?(\(%{DATA:destination_user}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \(%{DATA:user}\))?

# ASA-7-710001, ASA-7-710002, ASA-7-710003, ASA-7-710005, ASA-7-710006
CISCOFW710001_710002_710003_710005_710006 %{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:source_ip}/%{INT:source_port} to %{DATA:destination_interface}:%{IP:destination_ip}/%{INT:destination_port}

## catch-all
CISCO_ASA_MSG %{CISCOFW106001}|%{CISCOFW106006_106007_106010}|%{CISCOFW106014}|%{CISCOFW106015}|%{CISCOFW106021}|%{CISCOFW106023}|%{CISCOFW106100}|%{CISCOFW110002}|%{CISCOFW302010}|%{CISCOFW302013_302014_302015_302016}|%{CISCOFW302020_302021}|%{CISCOFW305011}|%{CISCOFW313001_313004_313008}|%{CISCOFW313005}|%{CISCOFW402117}|%{CISCOFW402119}|%{CISCOFW419001}|%{CISCOFW419002}|%{CISCOFW500004}|%{CISCOFW602303_602304}|%{CISCOFW710001_710002_710003_710005_710006}|%{CISCOFW713172}|%{CISCOFW733100}
#== End Cisco ASA ==

Последнее изменение 23.03.2023