Antonio2022
New Member
July 21, 2021
Question

CiscoFTDParser - not parsing all fields

Hello there,

I am currently on version 6.1.1 and noticed that "CiscoFTDParser" is not parsing all the fields.

A little of everything is happening:
1- For some events the "Computer" field is being assigned to the "user" field.
2- Multiple fields are missing, such as Group, Source IP, User name (showing Display name; required to remove the space and add a ".")

See below sample logs that are having the issue:

<165>Jul 21 2021 17:14:38 firepower : %FTD-5-722011: Group <Name-AnyConnect-Group-Policy> User <Adam Blue> IP <185.90.41.202> SVC Message: 17/WARNING: Reconnecting the VPN tunnel..

<165>Jul 21 17:14:49 firepower : %FTD-5-722028: Group <Name-AnyConnect-Group-Policy> User <Adam Blue2> IP <185.90.41.202> Stale SVC connection closed.

---------------------------------------------------------------------------------
<164>Jul 21 17:14:50 firepower : %FTD-4-313005: No matching connection for ICMP error message: icmp src Name-VPN_PO1.804:10.10.16.254(LOCAL\Adam Blue3) dst Inside_Zone:10.10.10.29 (type 3, code 3) on DName-VPN_PO1.804 interface. Original IP payload: udp src 10.10.10.29/53 dst 10.10.10.254/60321.


I am not sure if there is something wrong with the regex expression below (that is supposed to parse the event above) or something else within the parser that is not parsing most of the event types.

Any help will be appreciated.

Thanks

</when>
<when test="$_evtId = '111009'">
<!-- <135>Apr 09 2012 18:20:19: %ASA-7-111009: User 'joeUser' executed cmd: show startup-config -->
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[User '<user:gPatStrSQ>' executed cmd:\s+<command:gPatMesgBody>]]></regex>
</collectAndSetAttrByRegex>
</when>

    1 reply

    KarnGriffen
    Explorer II
    July 22, 2021
    Tony,

    The Events you list above 722011, 722028, and 313005 would not match the sample you posted, which is event ID 111009.  For each of those event types listed, you would need to find the relevant block, for example, look for a when block that starts with this:
    <when test="$_evtId = '722011'">

    At a quick glance on my 6.1.1 instance, I don't see 722011 or 722028 created in the parser, which means you would have to add <when> blocks for those IDs.  I do see one for 313005, which doesn't seem to parse out much other than source and destination interface name:

    <when test="$_evtId = '313005'">
    <!-- <132>Feb 04 2019 02:44:46 ACFASA : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:172.20.1.1 dst outside:143.215.130.61 (type 11, code 0) on inside interface. Original IP payload: tcp src 143.215.130.61/80 dst 172.16.200.159/37616. -->
    <collectFieldsByRegex src="$_body">
    <regex><![CDATA[icmp src <srcIntfName:gPatStrEndColon>:<_srcStr:gPatStr> dst <destIntfName:gPatStrEndColon>:<_destStr:gPatStr>]]></regex>
    </collectFieldsByRegex>
    </when>
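Karn's point that every unhandled event ID needs its own <when> block can be prototyped outside the parser before touching the XML. The Python below is an added example, not code from the thread or from the CiscoFTDParser itself: it dispatches on the event ID the way the parser's $_evtId test does, applies one regex per ID to the sample lines quoted above, and shows the unmatched case with a constructed 999999 ID. The field names (srcIp, destIp, domain, icmpType, icmpCode, msg) and the normalize_user helper are assumptions of this example, not parser attribute names; once a regex is confirmed here it can be transcribed into a <when> block with the gPat captures.

```python
import re

# Constructed copies of the sample lines quoted in the thread, plus the 111009 example
# from the parser comment.
SAMPLES = [
    "<165>Jul 21 2021 17:14:38 firepower : %FTD-5-722011: Group <Name-AnyConnect-Group-Policy> "
    "User <Adam Blue> IP <185.90.41.202> SVC Message: 17/WARNING: Reconnecting the VPN tunnel..",
    "<165>Jul 21 17:14:49 firepower : %FTD-5-722028: Group <Name-AnyConnect-Group-Policy> "
    "User <Adam Blue2> IP <185.90.41.202> Stale SVC connection closed.",
    "<164>Jul 21 17:14:50 firepower : %FTD-4-313005: No matching connection for ICMP error message: "
    "icmp src Name-VPN_PO1.804:10.10.16.254(LOCAL\\Adam Blue3) dst Inside_Zone:10.10.10.29 "
    "(type 3, code 3) on DName-VPN_PO1.804 interface. Original IP payload: udp src 10.10.10.29/53 dst 10.10.10.254/60321.",
    "<135>Apr 09 2012 18:20:19: %ASA-7-111009: User 'joeUser' executed cmd: show startup-config",
]

# Header split: the event ID is what the parser's <when test="$_evtId = '...'"> dispatches on.
HEADER = re.compile(r"%(?:FTD|ASA)-(?P<sev>\d)-(?P<evtId>\d+): (?P<body>.*)$")

# One body regex per event ID, i.e. what each <when> block needs; named groups stand in for
# the <attr:gPat...> captures.  313005 also pulls the "(DOMAIN\user)" suffix the stock block skips.
VPN_SVC = re.compile(r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<srcIp>[^>]+)> (?P<msg>.*)")
BODY = {
    "722011": VPN_SVC,
    "722028": VPN_SVC,
    "313005": re.compile(
        r"icmp src (?P<srcIntfName>[^:]+):(?P<srcIp>[\d.]+)"
        r"(?:\((?P<domain>[^\\)]+)\\(?P<user>[^)]+)\))?"
        r" dst (?P<destIntfName>[^:]+):(?P<destIp>[\d.]+) \(type (?P<icmpType>\d+), code (?P<icmpCode>\d+)\)"),
    "111009": re.compile(r"User '(?P<user>[^']+)' executed cmd:\s+(?P<command>.*)"),
}

def normalize_user(display_name):
    """Display name to account form as the poster asks for: 'Adam Blue' -> 'Adam.Blue'."""
    return re.sub(r"\s+", ".", display_name.strip())

def parse(line):
    """Return the fields a <when> block would set, or parsed=False when no block matches."""
    h = HEADER.search(line)
    evt_id = h.group("evtId") if h else None
    pat = BODY.get(evt_id)
    b = pat.search(h.group("body")) if pat else None
    if b is None:  # unknown ID or regex miss: the parser leaves these attributes unset
        return {"evtId": evt_id, "parsed": False}
    fields = {k: v for k, v in b.groupdict().items() if v is not None}
    if "user" in fields:
        fields["user"] = normalize_user(fields["user"])
    fields.update(evtId=evt_id, parsed=True)
    return fields
```

Run parse() over SAMPLES to see which IDs populate user, group and IP fields and which fall through unparsed, which is the same split Karn describes for the stock 6.1.1 parser.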
    Antonio2022
    New Member
    July 22, 2021
    Thank you so much Karn.
    Got it, I need to add multiple event types as they are not included in the parser.