[cisco_asa] Add 'Users account has expired' to AAA rejection reasons. #19831
✅ Elastic Docs Style Checker (Vale): No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.
✅ All changelog entries have the correct PR link.
🚀 Benchmarks report: To see the full report comment with
💚 Build Succeeded
Pinging @elastic/integration-experience (Team:Integration-Experience)
👀 I have started reviewing the PR
Vera Review Bot: For the current commit state, I did not find any issues. 🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
Package cisco_asa - 2.45.9 containing this change is available at https://epr.elastic.co/package/cisco_asa/2.45.9/
Executive summary
Adds support for the 'Users account has expired' rejection reason to the parse_113005 grok pattern in the Cisco ASA ingest pipeline. This missing case was preventing proper parsing of authentication rejection logs with this specific reason. The fix updates the REASON pattern definition, includes a comprehensive test case with expected output, and bumps the package version to 2.45.9.
Proposed commit message
Root cause
The REASON pattern in the parse_113005 grok processor is incomplete and does not include 'Users account has expired' as a valid rejection reason, even though Cisco ASA documents this as a valid AAA authentication failure reason. When an event contains this reason value, the grok pattern fails to match, causing the event to be routed to on_failure.
Approach
Add 'Users account has expired' to the REASON pattern_definitions in the parse_113005 grok processor of the default pipeline. This rejection reason is documented by Cisco but was missing from the pattern, causing valid events to fail matching. The fix expands the pattern to include this vendor-documented rejection reason and adds a test fixture to prevent regression.
Implementation
Pipeline changes
Field / mapping changes
—
Sanitized error message
Processor 'grok' with tag 'parse_113005' in pipeline 'logs-cisco_asa.log-default' failed with message '[on_failure_message]'
Sanitized log (event_sanitized excerpt)
<166>:: %ASA-auth-6-113005: AAA user authentication Rejected : reason = Users account has expired : server = 198.51.100.10 : user = alice.johnson : user IP = 203.0.113.20
Reviewer concerns
The [clean] stage exited with code 1 during testing. While all functional tests (test-pipeline, test-static, test-system) pass successfully, the clean failure should be investigated to ensure there are no underlying package structure or artifact issues.
Self-review findings
—
Risk and classification
Links
5bee0242e4bbdea5
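The failure mode described under "Root cause", as an added example that is not part of the PR or the cisco_asa package: a Python regex stands in for the parse_113005 grok pattern with a closed REASON alternation, and a loose fallback reports which reason strings the strict pattern rejects. The reason lists, function names and `LOOSE` fallback are assumptions constructed for illustration (the package's actual REASON alternation is not shown on the page); the sample line is the sanitized log quoted above.

```python
import re

# Constructed stand-ins: the real REASON alternation is not shown on the page.
REASONS_BEFORE = ["Invalid password", "AAA failure", "Unspecified"]
REASONS_AFTER = REASONS_BEFORE + ["Users account has expired"]

# Sanitized log line quoted in the PR description.
SAMPLE = ("<166>:: %ASA-auth-6-113005: AAA user authentication Rejected : "
          "reason = Users account has expired : server = 198.51.100.10 : "
          "user = alice.johnson : user IP = 203.0.113.20")

# Loose fallback used only to report which reason a strict pattern missed.
LOOSE = re.compile(r"113005: .*?reason = (?P<reason>.+?)\s*:\s*server = ")


def build_113005(reasons):
    """Regex analogue of a grok pattern whose REASON is a closed alternation."""
    reason = "|".join(re.escape(r) for r in reasons)
    return re.compile(
        r"AAA user authentication Rejected\s*:\s*reason = (?P<reason>" + reason + r")"
        r"\s*:\s*server = (?P<server>\S+)\s*:\s*user = (?P<user>.+?)"
        r"\s*:\s*user IP = (?P<user_ip>\S+)$"
    )


def parse(line, pattern):
    """Return extracted fields, or an error marker (the on_failure analogue)."""
    m = pattern.search(line)
    return m.groupdict() if m else {"error": "parse_113005 did not match"}


def unknown_reasons(lines, pattern):
    """Collect reason strings from 113005 lines the strict pattern rejects."""
    missed = set()
    for line in lines:
        if pattern.search(line) is None:
            m = LOOSE.search(line)
            if m:
                missed.add(m.group("reason"))
    return missed


if __name__ == "__main__":
    print(parse(SAMPLE, build_113005(REASONS_BEFORE)))
    print(parse(SAMPLE, build_113005(REASONS_AFTER)))
    print(unknown_reasons([SAMPLE], build_113005(REASONS_BEFORE)))
```

Running `unknown_reasons` over lines that landed in the failure path is a quick way to find other reason strings a closed alternation does not yet cover.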