[cisco_asa] Add 'Users account has expired' to AAA rejection reasons. #19831

Merged
haetamoudi merged 2 commits into main from fix/0-add-users-account-has-expired-to-02196992
Jul 1, 2026
Conversation

@haetamoudi

Contributor

Executive summary

Adds support for the 'Users account has expired' rejection reason to the parse_113005 grok pattern in the Cisco ASA ingest pipeline. This missing case was preventing proper parsing of authentication rejection logs with this specific reason. The fix updates the REASON pattern definition, includes a comprehensive test case with expected output, and bumps the package version to 2.45.9.

Proposed commit message

[cisco_asa] Add 'Users account has expired' to AAA rejection reasons.

Root cause

The REASON pattern in the parse_113005 grok processor is incomplete and does not include 'Users account has expired' as a valid rejection reason, even though Cisco ASA documents this as a valid AAA authentication failure reason. When an event contains this reason value, the grok pattern fails to match, causing the event to be routed to on_failure.

Approach

Add 'Users account has expired' to the REASON pattern_definitions in the parse_113005 grok processor of the default pipeline. This rejection reason is documented by Cisco but was missing from the pattern, causing valid events to fail matching. The fix expands the pattern to include this vendor-documented rejection reason and adds a test fixture to prevent regression.

Implementation

    1. Read packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml and locate the parse_113005 processor (line ~423-434)
    2. Update the REASON pattern_definitions on line ~431 to include 'Users account has expired' in the alternation list
    3. Add a new test case to packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log with the sanitized event
    4. Generate expected output for the new test case in the corresponding .log-expected.json file using elastic-package test
    5. Verify the grok pattern now matches the new rejection reason by running elastic-package test pipeline
    6. Update packages/cisco_asa/changelog.yml with a bugfix entry documenting the fix

Pipeline changes

  • Update REASON pattern in parse_113005 processor to include 'Users account has expired' as valid rejection reason value

Field / mapping changes

Sanitized error message

Processor 'grok' with tag 'parse_113005' in pipeline 'logs-cisco_asa.log-default' failed with message '[on_failure_message]'

Sanitized log (event_sanitized excerpt)

<166>:: %ASA-auth-6-113005: AAA user authentication Rejected : reason = Users account has expired : server = 198.51.100.10 : user = alice.johnson : user IP = 203.0.113.20

Reviewer concerns

The [clean] stage exited with code 1 during testing. While all functional tests (test-pipeline, test-static, test-system) pass successfully, the clean failure should be investigated to ensure there are no underlying package structure or artifact issues.

Self-review findings

Risk and classification

  • Plan risk level: low
  • Tags: pipeline, processors, ecs, ingest, test-fixture
  • Impact: medium

Links

  • Issue: (no issue number)
  • Issue title: cisco_asa.log [MISSING_CASE]: Processor 'grok' with tag 'parse_113005' in pipeline 'logs-cisco_asa.log…
  • Pipeline case: 5bee0242e4bbdea5

@haetamoudi haetamoudi added enhancement New feature or request Integration:cisco_asa Cisco ASA source:integration_sentinel The PR was created via the Integration Sentinel pipeline Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels Jun 29, 2026
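
The failure mode described in the PR, as an added Python illustration that is not the integration's code: a closed reason alternation rejects the whole 113005 event when a reason is unlisted. The `REASONS_BEFORE` entries, the regex layout and the fallback capture are assumptions; the real REASON list in default.yml is not shown on this page.

```python
import re

# Assumed stand-in for the REASON alternation before the fix (constructed;
# the pipeline's actual list is not shown on the page).
REASONS_BEFORE = ["AAA failure", "Invalid password"]
REASONS_AFTER = REASONS_BEFORE + ["Users account has expired"]

# Sanitized event quoted in the PR description.
SAMPLE = ("<166>:: %ASA-auth-6-113005: AAA user authentication Rejected : "
          "reason = Users account has expired : server = 198.51.100.10 : "
          "user = alice.johnson : user IP = 203.0.113.20")

# Hypothetical fallback: capture whatever sits in the reason slot.
FALLBACK = re.compile(r"reason = (?P<reason>[^:]+?)\s*:\s*server = ")


def build_113005(reasons):
    """Compile a 113005 matcher whose reason field is a closed alternation."""
    # Longest first so a shorter reason cannot shadow a longer one.
    ordered = sorted(reasons, key=len, reverse=True)
    alternation = "|".join(re.escape(r) for r in ordered)
    return re.compile(
        r"%ASA-[a-z]*-?\d-113005: AAA user authentication Rejected\s*:\s*"
        rf"reason = (?P<reason>{alternation})\s*:\s*"
        r"server = (?P<server>\S+)\s*:\s*"
        r"user = (?P<user>.+?)\s*:\s*"
        r"user IP = (?P<user_ip>\S+)"
    )


def parse(line, reasons):
    """Return parsed fields, or a flagged record when the reason is unlisted."""
    m = build_113005(reasons).search(line)
    if m:
        return {**m.groupdict(), "parsed": True}
    # Closed alternation missed: keep the raw reason so the gap is visible
    # instead of losing the authentication rejection to a generic failure.
    fb = FALLBACK.search(line)
    return {"parsed": False,
            "unknown_reason": fb.group("reason") if fb else None}


if __name__ == "__main__":
    print(parse(SAMPLE, REASONS_BEFORE))
    print(parse(SAMPLE, REASONS_AFTER))
```
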
@github-actions

Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod


✅ All changelog entries have the correct PR link.

@elastic-vault-github-plugin-prod


🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine


💚 Build Succeeded

@haetamoudi haetamoudi marked this pull request as ready for review June 30, 2026 06:54
@haetamoudi haetamoudi requested a review from a team as a code owner June 30, 2026 06:54
@infra-vault-gh-plugin-prod


Pinging @elastic/integration-experience (Team:Integration-Experience)

@vera-review-bot


👀 I have started reviewing the PR

@vera-review-bot


Vera Review Bot

For the current commit state, I did not find any issues.


🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@mergify

mergify Bot commented Jun 30, 2026

Contributor

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@haetamoudi haetamoudi merged commit adf837a into elastic:main Jul 1, 2026
9 checks passed
@elastic-vault-github-plugin-prod


Package cisco_asa - 2.45.9 containing this change is available at https://epr.elastic.co/package/cisco_asa/2.45.9/
