Cisco module ingest processor for ASA 304001 events doesn't account for all possibilities #18597

Closed
A-Hall opened this issue May 15, 2020 · 0 comments · Fixed by #20565

A-Hall commented May 15, 2020

  • Version: 7.6.x
  • Steps to Reproduce:

The ASA 304001 log event can produce log lines similar to both of the following:

Apr 27 04:18:49 some-random-vpn-fw-01 : %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/
Apr 27 17:54:52 some-random-fw-01 : %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/?class.classLoader.URLs[0]=struts_2_3_16_1_classloader_manipulation-1588024492

Currently the dissect processor used for this log type only accounts for the first log line above.

pattern: "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}"
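
The mismatch reported above, reproduced as an added example (not code from the issue or from the Beats project): `dissect` is a simplified model of delimiter-based dissect matching, and `TOLERANT` / `parse_304001` are hypothetical names for one way to accept both message forms. It assumes the pattern is applied to the text that follows `%ASA-5-304001: `.

```python
import re

# Pattern quoted in the issue.
ISSUE_PATTERN = "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}"

# The two sample messages from the issue, syslog header stripped (assumption:
# the pattern sees only the text after "%ASA-5-304001: ").
SAMPLES = [
    "10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/",
    "10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/"
    "?class.classLoader.URLs[0]=struts_2_3_16_1_classloader_manipulation-1588024492",
]

def dissect(pattern, text):
    """Simplified model of dissect: keys separated by literal delimiters.
    Returns a dict of fields, or None when a delimiter is not found."""
    parts = re.split(r"%\{([^}]*)\}", pattern)  # [lit, key, lit, key, ..., lit]
    literals, keys = parts[0::2], parts[1::2]
    if not text.startswith(literals[0]):
        return None
    pos, fields = len(literals[0]), {}
    for key, delim in zip(keys, literals[1:]):
        # An empty trailing delimiter means "take the rest of the line".
        end = text.find(delim, pos) if delim else len(text)
        if end < 0:
            return None  # delimiter missing: the event is left unparsed
        if key:  # an empty key (%{}) is a skip field
            fields[key] = text[pos:end]
        pos = end + len(delim)
    return fields

# Hypothetical tolerant parser: optional "JAVA " between "Accessed" and "URL".
TOLERANT = re.compile(
    r"^(?P<src>\S+) [Aa]ccessed (?P<java>JAVA )?URL (?P<dst>[^:\s]+):(?P<url>.+)$"
)

def parse_304001(text):
    """Parse either 304001 message form; returns None if neither matches."""
    m = TOLERANT.match(text)
    if m is None:
        return None
    return {
        "source.address": m["src"],
        "destination.address": m["dst"],
        "url.original": m["url"],
        "java": m["java"] is not None,
    }
```

With the issue's pattern, the second sample yields no fields at all, so the URL carrying the classloader-manipulation string never reaches `url.original` for searching or alerting.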
