Merge branch 'develop' into feature/udp-multi-listener

docs/configuration.md

@@ -228,7 +228,7 @@ docker stack deploy --compose-file docker-compose.yml sc4s
 ## Dropping all data by ip or subnet
 
 In some cases rogue or port-probing data can be sent to SC4S from misconfigured devices or vulnerability scanners. Update
-the `vendor_product_by_source.conf` filter `f_catch_first` with one or more ip/subnet masks to drop events without
+the `vendor_product_by_source.conf` filter `f_null_queue` with one or more ip/subnet masks to drop events without
 logging. Note that drop metrics will be recorded.
 
 

docs/sources/Cisco/index.md

@@ -97,7 +97,7 @@ index=<asconfigured> sourcetype=cisco:apic:*
 
 Verify timestamp, and host values match as expected    
 
-## Product - ASA (Pre Firepower)
+## Product - ASA AND FTD (Firepower)
 
 | Ref            | Link                                                                                                    |
 |----------------|---------------------------------------------------------------------------------------------------------|
@@ -109,7 +109,7 @@ Verify timestamp, and host values match as expected
 
 | sourcetype     | notes                                                                                                   |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| cisco:asa      | None                                                                                                    |
+| cisco:asa      | cisco FTD Firepower will also use this source type                                                      |
 | cisco:pix      | Not supported                                                                                           |
 | cisco:fwsm     | Not supported                                                                                           |
 

package/etc/conf.d/filters/cisco/asa.conf

@@ -1,8 +1,11 @@
 filter f_cisco_asa {
     message('^%ASA-\d+-\d{1,10}: ') or
-    match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+    match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR")) or
+    message('^%FTD-\d+-\d{1,10}: ') or
+    match('^%FTD-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
 };
 
 filter f_cisco_asa_nohost {
-    match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+    match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"))
+    or match('^%FTD-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
 };

package/etc/conf.d/filters/misc/null_queue.conf

@@ -0,0 +1,5 @@
+#f_null_queue
+filter f_null_queue {
+    match("^null_queue", value("fields.sc4s_vendor_product"));
+
+};

package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl → package/etc/conf.d/log_paths/lp-aaa-null_queue.conf.tmpl

@@ -2,7 +2,7 @@
 # vulnerability scanners to be ignored
 log {
 
-    filter(f_catch_first);
+    filter(f_null_queue);
 
     flags(catchall,final);
 

package/etc/context_templates/vendor_product_by_source.conf.example

@@ -2,7 +2,7 @@ filter f_test_test {
     host("testvp-*" type(glob))
     #or netmask(xxx.xxx.xxx.xxx/xx)
 };
-filter f_catch_first {
+filter f_null_queue {
    netmask(169.254.100.0/24)
 };
 

package/etc/context_templates/vendor_product_by_source.csv.example

@@ -1,6 +1,6 @@
 f_test_test,sc4s_vendor_product,"test_test"
 f_brocade_syslog,sc4s_vendor_product,"brocade_syslog"
-f_catch_first,sc4s_vendor_product,"catch_first"
+f_null_queue,sc4s_vendor_product,"catch_first"
 f_cisco_meraki,sc4s_vendor_product,"cisco_meraki"
 f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
 f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid"