Cisco ASA

Description

Constructor: Cisco

Product: Adaptive Security Appliance (ASA)

Log type(s): VPN

Theoretical injector performance

15906 EPS

Log sample

%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 11.11.11.11 : user = myuser
%ASA-4-113019: Group = DefaultWEBVPNGroup, Username = user0228, IP = 1.1.1.1, Session disconnected. Session Type: SSL, Duration: 2h:10m:27s, Bytes xmt: 90485864, Bytes rcv: 9884373, Reason: User Requested
%ASA-6-716001: Group <randomgroup> User <myuser> IP <11.11.11.11> WebVPN session started.
%ASA-4-722051: Group <randomgroup> User <myuser> IP <11.11.11.11> Address <22.22.22.22> assigned to session

Parsing strategy

This parser is based only on grok patterns. All of the logic lives in one file: [resources/patterns/cisco-asa.grok]. For each field, the grok variable name is the document field path with the brackets dropped and the levels joined by underscores, for example:

document:[init][group][name] <=> %{USERNAME:init_group_name}

Fields normalization

  • [type]
  • [alarm][sev]
  • [alarm_sev]
  • [alarm][id]
  • [alarm_id]
  • [init][group][name]
  • [init][user][name]
  • [init][host][ip]
  • [init][host][nat][ip]
  • [alarm][name]
  • [session][id]
  • [session][out][byte]
  • [session][in][byte]
  • [session][duration]
  • [rule][name]
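The following Python script is an added example, not part of this page or of the project's own parser, that shows how the naming convention from the parsing strategy section and the normalized fields listed above fit together: each ASA line is matched against a per-message-id pattern whose capture-group names use the flat grok form (init_group_name), and the flat names are then split on underscores to build the nested document ([init][group][name]). The regexes are hypothetical stand-ins for the project's cisco-asa.grok file and cover only the four sample lines; the choice to map "Bytes xmt" to [session][out][byte], "Bytes rcv" to [session][in][byte], the assigned VPN address to [init][host][nat][ip], and the constant "vpn" to [type] is an assumption made for the example. An unknown message id still yields the header fields ([alarm][sev], [alarm][id]) so that nothing is silently dropped.

```python
import re

# Constructed sample input: the four log lines shown on this page.
SAMPLE_LOGS = [
    "%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure "
    ": server = 11.11.11.11 : user = myuser",
    "%ASA-4-113019: Group = DefaultWEBVPNGroup, Username = user0228, IP = 1.1.1.1, "
    "Session disconnected. Session Type: SSL, Duration: 2h:10m:27s, "
    "Bytes xmt: 90485864, Bytes rcv: 9884373, Reason: User Requested",
    "%ASA-6-716001: Group <randomgroup> User <myuser> IP <11.11.11.11> WebVPN session started.",
    "%ASA-4-722051: Group <randomgroup> User <myuser> IP <11.11.11.11> "
    "Address <22.22.22.22> assigned to session",
]

# Every ASA syslog line starts with %ASA-<severity>-<message id>: ...
HEADER = re.compile(r"^%ASA-(?P<alarm_sev>\d)-(?P<alarm_id>\d{6}):\s*(?P<body>.*)$")

# Body patterns keyed by message id. Capture-group names follow the page's
# convention: flat grok name init_group_name <=> document field [init][group][name].
# These regexes are hypothetical stand-ins for the project's cisco-asa.grok and
# are written for the sample lines only.
BODY = {
    "113005": re.compile(
        r"AAA user authentication Rejected : reason = (?P<alarm_name>[^:]+?) "
        r": server = (?P<init_host_ip>\S+) : user = (?P<init_user_name>\S+)$"
    ),
    "113019": re.compile(
        r"Group = (?P<init_group_name>[^,]+), Username = (?P<init_user_name>[^,]+), "
        r"IP = (?P<init_host_ip>[^,]+), Session disconnected\. Session Type: [^,]+, "
        r"Duration: (?P<session_duration>[^,]+), Bytes xmt: (?P<session_out_byte>\d+), "
        r"Bytes rcv: (?P<session_in_byte>\d+), Reason: (?P<alarm_name>.+)$"
    ),
    "716001": re.compile(
        r"Group <(?P<init_group_name>[^>]+)> User <(?P<init_user_name>[^>]+)> "
        r"IP <(?P<init_host_ip>[^>]+)> (?P<alarm_name>WebVPN session started)\.$"
    ),
    "722051": re.compile(
        r"Group <(?P<init_group_name>[^>]+)> User <(?P<init_user_name>[^>]+)> "
        r"IP <(?P<init_host_ip>[^>]+)> Address <(?P<init_host_nat_ip>[^>]+)> "
        r"assigned to session$"
    ),
}

# Fields converted from string to int so they compare numerically downstream.
INT_FIELDS = ("alarm_sev", "session_out_byte", "session_in_byte")


def nest(flat):
    """Turn {'init_group_name': 'x'} into {'init': {'group': {'name': 'x'}}}."""
    doc = {}
    for key, value in flat.items():
        node = doc
        *parents, leaf = key.split("_")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return doc


def parse_asa(line):
    """Parse one ASA line into the normalized nested document.

    Returns None when the %ASA header is absent. A message id without a body
    pattern (or a body that does not match) yields the header fields only.
    """
    m = HEADER.match(line)
    if m is None:
        return None
    flat = {"alarm_sev": m.group("alarm_sev"), "alarm_id": m.group("alarm_id")}
    body_re = BODY.get(flat["alarm_id"])
    if body_re is not None:
        bm = body_re.match(m.group("body"))
        if bm is not None:
            flat.update(bm.groupdict())
    for name in INT_FIELDS:
        if name in flat:
            flat[name] = int(flat[name])
    doc = nest(flat)
    doc["type"] = "vpn"  # assumption: constant log type taken from this page's header
    return doc


def parse_samples():
    """Parse the constructed sample lines; used by the stand-alone run below."""
    return [parse_asa(line) for line in SAMPLE_LOGS]


if __name__ == "__main__":
    import json

    for d in parse_samples():
        print(json.dumps(d, sort_keys=True))
```

Keeping the flat-to-nested step in one small function (nest) is what lets a new grok variable such as %{IP:init_host_nat_ip} land in the right place without any per-field code: the underscore-joined name is the only contract between the pattern file and the output document.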