[Cisco ASA]: ASA Event Code 106023 "Deny" parse failure due to unexpected protocol field #16950

@htbcallan

Description

Integration Name

Cisco ASA [cisco_asa]

Dataset Name

cisco_asa.log

Integration Version

2.44.1

Agent Version

9.2.3

Agent Output Type

elasticsearch

Elasticsearch Version

9.2.3

OS Version and Architecture

Ubuntu 22.04.5 LTS (AMD64)

Software/API Version

Cisco ASA 9.16(2)14

Error Message

Processor 'conditional' with tag 'parse_106023' in pipeline 'logs-cisco_asa.log-2.44.1' failed with message 'Provided Grok expressions do not match field value

Event Original

<166>Jan 11 2026 07:44:45: %ASA-6-106023: Deny protocol 0 src OUTSIDE:20.20.20.20 dst INSIDE:10.10.10.10 by access-group "ACL-OUTSIDE-IN" [0x0, 0x0]

What did you do?

Default Cisco ASA integration installation, no pipeline or other customizations

What did you see?

ASA 106023 events with error.message indicating grok parse failure when "protocol 0" is present in the original message

What did you expect to see?

Message should be correctly parsed and ingested without error

Anything else?

The parsing failure can be corrected by using the 'INT' predefined pattern in place of the 'POSINT' pattern.

Current grok expression (produces error):
^Deny ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{DATA:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{NUMBER:source.port})?\s*(\(%{CISCO_USER_OR_SGT_SRC}\) )?dst %{DATA:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{NUMBER:destination.port})?[(\s]+%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}?"

Adjusted grok expression (correctly parses "protocol 0"):
^Deny ((protocol %{INT:network.iana_number})|%{NOTSPACE:network.transport}) src %{DATA:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{NUMBER:source.port})?\s*(\(%{CISCO_USER_OR_SGT_SRC}\) )?dst %{DATA:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{NUMBER:destination.port})?[(\s]+%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}?"

The corresponding field "network.iana_number" is explicitly mapped as a keyword in the 'logs-cisco_asa.log@package' component template, so other predefined patterns could serve just as well without creating type issues, such as 'NONNEGINT', 'NUMBER' or even 'NOTSPACE'.
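To make the mismatch reproducible outside a running pipeline, the following is an added example (not code from the Cisco ASA integration or from the issue author). It expands a grok expression into a Python regular expression using the standard grok definitions of POSINT, NONNEGINT, INT, NOTSPACE and DATA, then runs the 106023 "Deny" expression against the message from the Event Original with each candidate protocol pattern. Assumptions: IPORHOST and NUMBER are simplified stand-ins (IPv4 and plain decimals only), the optional CISCO_USER_OR_SGT_SRC group is left out because the sample event carries neither a user nor an SGT, and the second sample message with a named transport and ports is constructed for illustration.

```python
"""Reproduce the 106023 grok mismatch on "protocol 0" and confirm the fix.

Added example, not part of the elastic/integrations code base. Grok references
are expanded into Python regular expressions; the integer patterns use their
standard grok definitions, while IPORHOST and NUMBER are simplified stand-ins
(assumption) and the CISCO_USER_OR_SGT_SRC group is omitted (assumption).
"""
import re

# Standard grok definitions for the patterns under discussion. POSINT requires
# a leading 1-9, so it can never match the single digit "0" that ASA emits for
# IP protocol number 0.
PATTERNS = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "NONNEGINT": r"\b(?:[0-9]+)\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    # Simplified stand-ins (assumption): IPv4 only, plain decimal only.
    "IPORHOST": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "NUMBER": r"(?:[+-]?[0-9]+(?:\.[0-9]+)?)",
}

# The 106023 "Deny" expression from the issue, minus the optional
# CISCO_USER_OR_SGT_SRC group, with __PROTO__ standing in for the pattern
# under test so the same template serves POSINT, INT and NONNEGINT.
GROK_TEMPLATE = (
    r'^Deny ((protocol %{__PROTO__:network.iana_number})|%{NOTSPACE:network.transport}) '
    r'src %{DATA:_temp_.cisco.source_interface}:%{IPORHOST:source.address}'
    r'(/%{NUMBER:source.port})?\s*'
    r'dst %{DATA:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}'
    r'(/%{NUMBER:destination.port})?'
    r'[(\s]+%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}?"'
)

# Matches %{PATTERN} and %{PATTERN:field.name} references.
GROK_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")


def compile_grok(expr):
    """Expand grok references; return (compiled regex, group name -> field name)."""
    fields = {}

    def expand(match):
        name, field = match.group(1), match.group(2)
        body = PATTERNS[name]
        if field is None:
            return f"(?:{body})"
        # Grok field names contain dots, which are not legal in Python group
        # names, so number the groups and keep the mapping on the side.
        group = f"g{len(fields)}"
        fields[group] = field
        return f"(?P<{group}>{body})"

    return re.compile(GROK_REF.sub(expand, expr)), fields


def grok_match(expr, message):
    """Return the extracted fields as a dict, or None when the grok fails."""
    regex, fields = compile_grok(expr)
    m = regex.search(message)
    if m is None:
        return None
    return {fields[g]: v for g, v in m.groupdict().items() if v is not None}


# Taken from the Event Original in the issue, with the syslog priority,
# timestamp and "%ASA-6-106023: " prefix already stripped off.
MESSAGE = ('Deny protocol 0 src OUTSIDE:20.20.20.20 dst INSIDE:10.10.10.10 '
           'by access-group "ACL-OUTSIDE-IN" [0x0, 0x0]')

# Constructed sample with a named transport and ports, to show that the
# NOTSPACE alternative still works unchanged after the POSINT -> INT swap.
TCP_MESSAGE = ('Deny tcp src OUTSIDE:20.20.20.20/12345 dst INSIDE:10.10.10.10/443 '
               'by access-group "ACL-OUTSIDE-IN" [0x0, 0x0]')


def check_protocol_pattern(pattern_name, message=MESSAGE):
    """Run the 106023 expression with the given protocol pattern plugged in."""
    expr = GROK_TEMPLATE.replace("__PROTO__", pattern_name)
    return grok_match(expr, message)


if __name__ == "__main__":
    for name in ("POSINT", "INT", "NONNEGINT"):
        print(f"{name}: {check_protocol_pattern(name)}")
    print(f"INT on tcp sample: {check_protocol_pattern('INT', TCP_MESSAGE)}")
```

With POSINT the first alternative fails on "0" and the NOTSPACE alternative then consumes "protocol" but cannot be followed by " src ", so the whole expression fails exactly as the pipeline reports; INT and NONNEGINT both capture "0" into network.iana_number.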

Labels: Integration:cisco_asa, Team:Integration-Experience, bug