Issue Extracting data from ASA message Field

Hi, so I am trying to extract users' IPs from our ASA logs, as they are bundled into the message field. However, whenever I build an extractor for this, or a pipeline, the messages it affects appear to stop coming into the streams.

For my extractor, I used the following regex to extract the IP:

> IP <(.+?)>

It is working in principle according to the extractor test when building it, but any logs affected just stop coming through.

My pipeline was something similar:
rule "aws-asa-ip-connection"
when
has_field("message")
then
let x = regex("> IP \<(.+?)\>", to_string($message.message));
set_field("UserHomeIP", x);
end

But when I activate the pipeline, all messages in the asa stream just stop coming through. What am I missing here?

Please post an example message you want to parse…

It is the IPv4 address. In the message it would look like IP <X.X.X.X>, and what I have provided above extracts X.X.X.X according to the testing tool. So in theory the regex is working fine.

Please post a complete ASA example message with a random IP, not only the IP part.

Apologies.

%ASA-5-722033: Group <REDACTED> User <USERNAME> IP <X.X.X.X> First UDP SVC connection established for SVC session.

I have redacted the message, but above is the contents of the message field when a user connects to the VPN

  1. You are probably using the wrong regex? Why is there a > at the beginning of the regex?
  2. You are using the wrong definition of group matching in the set_field line

Correct one should be:

rule "aws-asa-ip-connection"
when
has_field("message")
then
let x = regex("IP \<(.+?)\>", to_string($message.message));
set_field("UserHomeIP", x["0"]);
end

I am quite new to regex, I believed I was using this to grab the position before IP so it knew where to start, but thinking about it you’re right, IP should be enough. Thank you very much though, I will try and confirm.

Hi, I have updated my pipeline to your recommendation and the outcome is still the same: the messages it is processing are not appearing in my stream. I have just disconnected and reconnected and my connection message is not to be found. And all new connection messages stop seconds before I enabled the pipeline.

Check if you are using the right regex… Is the real IP address in <X.X.X.X> or not? If not, your regex will not work.

Hi, yes it is - I have confirmed the regex works in the extractor test tool, as well as in a regex web app.

I don’t have a real ASA device, so check if:

  1. The real message IP is either (with <>):
    %ASA-5-722033: Group <REDACTED> User <USERNAME> IP <192.168.1.1> First UDP SVC connection established for SVC session.
  2. Or without <>:
    %ASA-5-722033: Group <REDACTED> User <USERNAME> IP 192.168.1.1 First UDP SVC connection established for SVC session.
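An added example, not from the thread or from Graylog, in Python: it mirrors the corrected rule's regex and x["0"] lookup, and also parses the ASA header and the Group/User/IP fields while accepting both message shapes listed above. The sample messages, the group name VPN-USERS and the user jdoe are constructed.

```python
import re
import ipaddress

# Constructed sample messages in the two shapes discussed above (private address used as the IP).
SAMPLES = {
    "with_brackets": "%ASA-5-722033: Group <VPN-USERS> User <jdoe> IP <192.168.1.1> "
                     "First UDP SVC connection established for SVC session.",
    "without_brackets": "%ASA-5-722033: Group <VPN-USERS> User <jdoe> IP 192.168.1.1 "
                        "First UDP SVC connection established for SVC session.",
}

# Same expression as the corrected pipeline rule: the IP token captured from inside <>.
IP_IN_BRACKETS = re.compile(r"IP <(.+?)>")
# Tolerant form: accepts both shapes and only captures a dotted-quad token.
IP_EITHER = re.compile(r"\bIP <?((?:\d{1,3}\.){3}\d{1,3})>?")
# %ASA-<severity>-<six-digit message id>: <body>
ASA_HEADER = re.compile(r"^%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$")


def extract_with_rule_regex(message):
    """Mirror regex("IP \\<(.+?)\\>") followed by x["0"]: first capture group, or None if no match."""
    m = IP_IN_BRACKETS.search(message)
    return m.group(1) if m else None


def parse_asa(message):
    """Return header fields plus groupname/user/UserHomeIP from a 722033-style line, or None."""
    m = ASA_HEADER.match(message)
    if not m:
        return None  # not an ASA syslog line at all
    out = {"severity": int(m["severity"]), "msg_id": m["msg_id"]}
    body = m["body"]
    g = re.search(r"Group <([^>]+)>", body)
    u = re.search(r"User <([^>]+)>", body)
    if g:
        out["groupname"] = g.group(1)
    if u:
        out["user"] = u.group(1)
    ip = IP_EITHER.search(body)
    if ip:
        try:
            # Validate so that a token like 999.1.1.1 never lands in an IP-typed field.
            out["UserHomeIP"] = str(ipaddress.IPv4Address(ip.group(1)))
        except ValueError:
            out["UserHomeIP"] = None
    return out
```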

The message does contain <>, which is why the regex checks for anything within < > whilst ignoring the < > themselves.

Just in case this also helps, the pipeline rule is set to run at stage 0 (this works fine for other pipelines I have; I have one for geo data and one to lowercase target/subject usernames) and it will run if at least one rule matches (only 1 rule on the pipeline).

Have you considered using grok patterns to parse ASA logs instead of regex?

I currently capture 722037 which is very similar by using the following.

"Group <%{WORD:groupname}> User <%{NOTSPACE:user}> IP <%{IP:src_ip}> SVC closing connection: Transport closing."

You can take a look at my github since I have others there. Hope it helps you out.


you might find this useful


Thanks acl, I will give this a go, much appreciated!

Also, thanks for the link jan, I will give this a read through :slight_smile:
