Hello,
Following the recent update of the cisco asa TA to new major version 4.0.0, we have tested this on a test server with some cisco asa logs copied from our production.
Log extraction is good (even if the props and transforms files have drastically changed) and is more granular than before.
However, we encountered an issue concerning the "action" field that is very important with datamodels and enterprise security because it needs to be formatted like action=allowed OR action=teardown or action=blocked.
In fact, with regex extraction, from the raw logs, cisco asa TA is extracting values like "Deny", "Built" or "Teardown" and then there is a lookup called "cisco_asa_action_lookup" that match those actions and rewrite with the CIM compatibility (allowed, teardown or blocked).
But since 4.0.0 is not the case anymore, I mean the lookup has drastically changed too. Before 4.0.0 , if you take a "Deny" firewall event we had in the lookup the following translation :
vendor_action,action
deny,blocked
and effectively the action field was changed from "deny" to "blocked"
but now we have a lookup with (still with deny for example) :
vendor_action,message_id,action
deny,,deny
The workaround for us is to change the values in this lookup in order to be back to normal but I am not sure, is this a missing from the TA developper or is me ? Because the TA is "CIM compliant" but it's seems to not be the case here...
What are your thoughts ?
thanks in advance for the help
Vince
... View more