[cisco_asa] Handle another variation of message 113040 (#11884)

* Handle another variation of 113040

* Updating changelog and manifest

* Add expected logs

* using two dissect processors

* updating tag name

packages/cisco_asa/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.38.3"
+  changes:
+    - description: "Handles another variation of log message type 113040 that includes a Group and Terminating message."
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11884
 - version: "2.38.2"
   changes:
     - description: "Add a check before a processor that consistently fails when invalid data transits the integration."

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-106023-iface-with-prefix.log-expected.json

@@ -673,4 +673,4 @@
             ]
         }
     ]
-}
+}

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log

@@ -13,3 +13,4 @@ Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-4-113040: Terminating the VPN
 <166>Jun 22 2022 13:29:11 single : %ASA-6-113039: Group <GroupPolicy_Remote-VPN> User <user-1> IP <81.2.69.144> AnyConnect parent session started.
 <166>Jun 22 2022 13:29:11 single : %ASA-6-113039: Group <GroupPolicy_Remote-VPN> User <first.o'[email protected]> IP <81.2.69.144> AnyConnect parent session started.
 <166>Jun 22 2022 13:29:11 single : %ASA-6-113039: Group <GroupPolicy Remote-VPN> User <first.o'[email protected]> IP <81.2.69.144> AnyConnect parent session started.
+<164>Nov 18 2024 12:28:57 asa5525x-01 : %ASA-4-113040: Group <Tunnel-Group-Name> User <vpnusername> IP <10.1.2.3> Terminating the VPN connection attempt from <Group-Attempted>. Reason: This connection is group locked to <Group-Locked>.

packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-anyconnect-messages.log-expected.json

@@ -1085,6 +1085,78 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2024-11-18T12:28:57.000Z",
+            "cisco": {
+                "asa": {
+                    "tunnel_group": "Group-Attempted"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "client-vpn-error",
+                "category": [
+                    "network"
+                ],
+                "code": "113040",
+                "kind": "event",
+                "original": "<164>Nov 18 2024 12:28:57 asa5525x-01 : %ASA-4-113040: Group <Tunnel-Group-Name> User <vpnusername> IP <10.1.2.3> Terminating the VPN connection attempt from <Group-Attempted>. Reason: This connection is group locked to <Group-Locked>.",
+                "outcome": "failure",
+                "severity": 4,
+                "timezone": "UTC",
+                "type": [
+                    "connection",
+                    "denied"
+                ]
+            },
+            "host": {
+                "hostname": "asa5525x-01"
+            },
+            "log": {
+                "level": "warning",
+                "syslog": {
+                    "facility": {
+                        "code": 20
+                    },
+                    "priority": 164,
+                    "severity": {
+                        "code": 4
+                    }
+                }
+            },
+            "observer": {
+                "hostname": "asa5525x-01",
+                "product": "asa",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "related": {
+                "hosts": [
+                    "asa5525x-01"
+                ],
+                "ip": [
+                    "10.1.2.3"
+                ],
+                "user": [
+                    "vpnusername"
+                ]
+            },
+            "source": {
+                "address": "10.1.2.3",
+                "ip": "10.1.2.3",
+                "user": {
+                    "group": {
+                        "name": "Tunnel-Group-Name"
+                    },
+                    "name": "vpnusername"
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }

packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -455,8 +455,14 @@ processors:
       description: "113023"
       pattern: "AAA Marking %{network.protocol} server %{destination.address} in aaa-server group %{}"
   - dissect:
-      if: "ctx._temp_.cisco.message_id == '113040'"
-      tag: parse_113040
+      if: "ctx._temp_.cisco.message_id == '113040' && ctx.message.startsWith('Group')"
+      tag: parse_113040_group
+      field: "message"
+      description: "113040"
+      pattern: "Group <%{source.user.group.name}> User <%{source.user.name}> IP <%{source.address}> Terminating the VPN connection attempt from <%{_temp_.cisco.tunnel_group}>. Reason: This connection is group locked to %{}."
+  - dissect:
+      if: "ctx._temp_.cisco.message_id == '113040' && !ctx.message.startsWith('Group')"
+      tag: parse_113040_no_group
       field: "message"
       description: "113040"
       pattern: "Terminating the VPN connection attempt from %{source.user.group.name}. Reason: This connection is group locked to %{}."

packages/cisco_asa/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_asa
 title: Cisco ASA
-version: "2.38.2"
+version: "2.38.3"
 description: Collect logs from Cisco ASA with Elastic Agent.
 type: integration
 categories: