Syslog from Cisco Ironport WSA / ESA

[mnasec]

I have implemented SO 2.3.91 (VM-Master, 2 HW-Forward nodes, 4 VM search nodes), peek traffic 4-5Gbit/s and about 140Mio logcounts per 24h
I added PA Firewall via panw filebeat module, works very well.

Question: I want to attach our 4 proxy servers (Cisco Ironport WSA) and the 3 email Gateways (Cisco Ironport ESA) as well to log into SO. But the filebeat module for Cisco does not support WSA/ESA out of the box. Has anybody integrated Cisco WSA/ESA into SO and may share his config?

Till now i did not try it via standard syslog, because i think there will be field mapping needed.

Thanks!
Marc

[joeb1kenobe]

I don’t know about ESA, but I have reviewed WSA logs and they appear to be standard Squid logs. You may want to try the squid filebeat for WSA logs. Joe

On Sat, Jan 8, 2022 at 9:55 AM mnasec ***@***.***> wrote: I have implemented SO 2.3.91 (VM-Master, 2 HW-Forward nodes, 4 VM search nodes), peek traffic 4-5Gbit/s and about 140Mio logcounts per 24h I added PA Firewall via panw filebeat module, works very well. Question: I want to attach our 4 proxy servers (Cisco Ironport WSA) and the 3 email Gateways (Cisco Ironport ESA) as well to log into SO. But the filebeat module for Cisco does not support WSA/ESA out of the box. Has anybody integrated Cisco WSA/ESA into SO and may share his config? Till now i did not try it via standard syslog, because i think there will be field mapping needed. Thanks! Marc — Reply to this email directly, view it on GitHub <#6799>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAD6W6U65IH6JU2KKP5IEFLUVBF73ANCNFSM5LQWLHQQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.*** com>

-- Joe Brown

[mnasec]

Hi Joe, thanks a lot, i will try it this week and give an update.

[mnasec]

WSA is able to deliver the access logs in squid, squid detailed and apache log format. So i used squid format, Enabled in the forward minion-pillar squid log on port 9003 and opened the firewall for 9003 udp. So the WSA squid stream reaches the forward node and will be forwarded to the manager and later to the search nodes - so fine so good.

firewall:
  assigned_hostgroups:
    chain:
      DOCKER-USER:
        hostgroups:
          sensor_syslog_wsa:
            portgroups:
              - portgroups.wsa_syslog

filebeat:
  third_party_filebeat:
    modules:
      squid:
        log:
          enabled: true
          var.syslog_host: 0.0.0.0
          var.syslog_port: 9003

But it seems, that the WSA is no so compatible with the squid log parser - here is one original event, snipped out sensitiv information:
<14>Jan 21 16:25:20 <<SNIPP-ProxyName>> <<SNIPP-NameLogSubscription>>: Info: 1642778720.409 1 <<SNIPP-Client-IP>> TCP_DENIED/403 0 CONNECT tunnel://hangouts.google.com:443/ - NONE/- - BLOCK_AVC_12-Internal-Internal-NONE-NONE-NONE-NONE-NONE <"IW_chat",6.9,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_chat",-,"-","Chat and Instant Messaging","-","Google+ Hangouts/Chat","Google+","Encrypted","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
But i was expecting in one of the fields the Client-IP address, who uses the WSA proxy server, but i did not see it in ELK or hunt, attached the json view:

<<SNIPP>>
   "server": {
      "registered_domain": "google.com",
      "top_level_domain": "com",
      "domain": "hangouts.google.com",
      "subdomain": "hangouts"
    },
    "rsa": {
      "internal": {
        "messageid": "CONNECT",
        "hcode": "NONE"
      },
      "web": {
        "alias_host": "hangouts.google.com"
      },
      "investigations": {
        "ec_subject": "NetworkComm",
        "ec_theme": "ALM"
      },
      "time": {
        "event_time_str": "Jan 21 16:25:20 <<SNIPP-ProxyName>>",
        "duration_time": null
      },
      "network": {
        "domain": "hangouts.google.com"
      },
      "misc": {
        "content_type": "- BLOCK_AVC_12-Internal-Internal-NONE-NONE-NONE-NONE-NONE <\"IW_chat\",6.9,1,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,\"IW_chat\",-,\"-\",\"Chat and Instant Messaging\",\"-\",\"Google+ Hangouts/Chat\",\"Google+\",\"Encrypted\",\"-\",0.00,0,-,\"-\",\"-\",-,\"-\",-,-,\"-\",\"-\",-,-,\"-\",-> -",
        "action": [
          "1642778720.409 1 <<SNIPP-Client-IP>> TCP_DENIED",
          "CONNECT"
        ],
        "result_code": "403"
      }
    },
<<SNIPP>>
 "rsa.misc.action": [
      "1642778720.409 1 <<SNIPP-Client-IP>> TCP_DENIED",
      "CONNECT"
    ],
<<SNIPP>>
"event.action.security": [
      "1642778720.409 1 <<SNIPP-Client-IP>> TCP_DENIED"
    ],
<<SNIIPP>>
 "event.action": [
      "1642778720.409 1 <<SNIPP-Client-IP>> TCP_DENIED"
    ],
<<SNIPP>>
"event.action.keyword": [
      "1642778720.409 1 <<SNIPP-Client-IP>> TCP_DENIED"
    ],

So for me it seems, that the parser is not compatible to the log format and i possible need to modify it.
The original client ip address is part of the following fields:

• misc.action
• event.original
• event.action
• rsa.misc.action
• event.action.security
• event.original.security
• event.action.keyword

[mnasec]

So it is running now for a week, configured as described above, and it is usable, so i will keep it this way.

[nicabi]

Hello @mnasec, did you end up modifying the parser or used it as it is? If so, do you still have the configuration or can guide me on how to approach this? e.g. do I need to modify the ingest pipeline for squid or is there another place where I need to modify the parser?

[mnasec]

I did not modify the parser, so the client ip is not indexed, but a classic search found e.g. the ip address also. So in sum, it works for my kind of search.
For the ESA logs, i will try it with the elastic agent and so i need to setup a 2.4 SO installation. With SO 2.4, elastic agent will be supported and elastic agent will support ESA also.
Hope this helps :-)

[nicabi]

Thank you for the response!
I was more interested in the WSA logs, but it's good to know ESA will be supported in SO 2.4.
For now I'll also settle for the general parser, but might try to write another one later.