[AI-6402] DDS: Cisco Secure Client Integration v1.0.0 #22260
💡 Codex Review
Here are some automated review suggestions for this pull request.
| '%{regex("[^']*"):usr.name}' local ip %{ip:local_ip} | ||
| (connected|reconnected) from %{ip:network.client.ip} | ||
|
|
||
| parsing_session_connection %{parse_event_type_header}'%{parse_session_id_ip_and_user}:\s*%{regex("Session disconnected|Session connected"):action}. Session Type:\s*%{notSpace:session_type}(, Duration:\s*%{notSpace:duration}, Bytes xmt:\s*%{number:network.bytes_read}, Bytes rcv:\s*%{number:network.bytes_written}, Reason:\s*%{regex(".*(?= \\')"):reason})?\s*' |
Capture bytes xmt/rcv into correct fields
The Meraki session parser maps Bytes xmt to network.bytes_read and Bytes rcv to network.bytes_written, which inverts transmitted vs. received counts. For AnyConnect session manager logs that include these fields, downstream dashboards and analytics will show read/write byte totals swapped (xmt is outbound, rcv is inbound). This affects any events type=anyconnect_vpn_session_manager messages with byte counters.
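An added example, not code from the PR or from the integration, that parses the session tail the Meraki rule above targets with an equivalent Python regex and maps the counters in the direction Codex describes: Bytes xmt (outbound) to network.bytes_written and Bytes rcv (inbound) to network.bytes_read. The sample lines are constructed, and the regex assumes the simplified message shape they show (the quoted Meraki wrapper and the shared header rules are left out); the "Session connected" case, where the whole duration/bytes/reason group is absent, is handled the same way the optional group in the grok rule handles it.

```python
import re
from typing import Optional

# Constructed sample messages (assumed shape, not from the integration's test data).
SAMPLE_DISCONNECT = (
    "Session disconnected. Session Type: SSL, Duration: 0h:12m:03s, "
    "Bytes xmt: 40960, Bytes rcv: 8192, Reason: User Requested"
)
SAMPLE_CONNECT = "Session connected. Session Type: SSL"

# Python counterpart of the grok rule: the Duration/Bytes/Reason group is optional,
# exactly as the "( ... )?" group in parsing_session_connection.
SESSION_RE = re.compile(
    r"(?P<action>Session disconnected|Session connected)\. "
    r"Session Type:\s*(?P<session_type>\S+)"
    r"(?:, Duration:\s*(?P<duration>\S+)"
    r", Bytes xmt:\s*(?P<xmt>\d+)"
    r", Bytes rcv:\s*(?P<rcv>\d+)"
    r", Reason:\s*(?P<reason>.*))?$"
)


def parse_session_event(message: str) -> Optional[dict]:
    """Return the attributes the pipeline would extract, or None if the line does not match."""
    m = SESSION_RE.search(message)
    if not m:
        return None
    event = {"action": m["action"], "session_type": m["session_type"]}
    if m["xmt"] is not None:
        event["duration"] = m["duration"]
        # xmt = bytes the firewall transmitted toward the client: outbound, so bytes *written*.
        event["network.bytes_written"] = int(m["xmt"])
        # rcv = bytes the firewall received from the client: inbound, so bytes *read*.
        event["network.bytes_read"] = int(m["rcv"])
        event["reason"] = m["reason"]
    return event


if __name__ == "__main__":
    for line in (SAMPLE_DISCONNECT, SAMPLE_CONNECT, "unrelated line"):
        print(parse_session_event(line))
```

A quick way to catch the inversion in CI is to feed a disconnect line with unequal counters through the parser and assert on the two network.bytes_* fields separately, as the test here does; a swapped mapping passes any check that only sums them.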
Done
cisco_secure_client/datadog_checks/cisco_secure_client/data/conf.yaml.example
The following files, which will be shipped with the agent, were modified in this PR. You can ignore this if you are sure the changes in this PR do not require QA. Otherwise, consider removing the label. List of modified files that will be shipped with the agent:
…sco-secure-client-v1.0.0
Also not sure why the validation is failing right now. Can you retrigger the validation by making the version change that I suggested above? Maybe it's a CI flake.
| - type: arithmetic-processor | ||
| name: Convert epoch time to millisecond | ||
| enabled: true | ||
| expression: epoch_time * 1000 | ||
| target: timestamp | ||
| replaceMissing: false | ||
| - type: date-remapper | ||
| name: Define `timestamp` as the official date of the log | ||
| enabled: true | ||
| sources: | ||
| - timestamp | ||
| - type: message-remapper | ||
| name: Define `message` as the official message of the log | ||
| enabled: true | ||
| sources: | ||
| - message |
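Review bot: the arithmetic-processor assumes `epoch_time` holds seconds (`expression: epoch_time * 1000`), and with `replaceMissing: false` the processor is skipped whenever `epoch_time` is absent, so `timestamp` is never written and the date-remapper that lists it as its only source has nothing to read. Suggest stating the unit in the processor name, e.g. `name: Convert epoch time (seconds) to milliseconds`, and confirming that no grok rule feeding `epoch_time` already emits milliseconds, since those events would be dated roughly a thousand times too far in the future.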
Is there a specific reason these remappers are in between grok parsing pipelines? Normally we parse everything and then remap them to more standard attributes. If there's a specific reason that's fine. Just curious.
We usually keep the date remapper close to the grok parser where the timestamp is extracted for easier access. For the message remapper, we remap the message from the first grok parser and then use the updated value as input for the second grok parser.
| rule_113035 %{parse_group_user_ip} Session terminated: AnyConnect not | ||
| enabled or invalid AnyConnect image on the %{greedyData:device_name} | ||
|
|
||
| rule_716059 Group %{regex(".*(?= User )"):group} User %{notSpace:usr.name} IP %{ip:source_ip} AnyConnect session resumed connection from IP %{ip:network.client.ip}(.)? |
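Review bot: `(.)?` at the end of rule_716059 makes any single trailing character optional, not specifically a period, so a stray character after the client IP is silently accepted; `\.?` states what is meant. The other rules in this hunk do not carry a trailing optional character, so it is worth checking whether the period is actually present in the 716059 samples before keeping it.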
What's the difference between ip:source_ip and ip:network.client.ip? Maybe this can also be nested under network? network.source.ip if they represent different things maybe?
source_ip is the original IP when the session starts, while network.client.ip is the IP used to resume the session.
Sure, I have changed the mapping to network.source.ip.
| - "<190>2025-11-20T07:37:58Z: %FTD-6-113039: Group group User test-user | ||
| IP 10.10.10.10 AnyConnect_parent session started." |
| - "<190>2025-11-20T07:37:58Z: %FTD-6-113039: Group group User test-user | |
| IP 10.10.10.10 AnyConnect_parent session started." |
Nit: duplicate.
Done
| <br> | ||
| <b>Note</b>: To forward Cisco Secure Client logs, syslog must be configured on the Cisco firewall (ASA, FTD, or Meraki) platform that you are using with Cisco Secure Client. | ||
| </br> |
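Review bot: `</br>` on the last line is not a valid tag; `<br>` is a void element with no closing form, so renderers either drop `</br>` or treat it as another line break. If the extra spacing is the goal, use a second `<br>` or a blank line after the note, and the bold itself can stay in markdown (`**Note**:`) as the rest of the README does.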
Is there a reason why you're using HTML here instead of Markdown for bolding the note?
We used HTML here mainly to get some extra spacing above and below the note.
I see, thanks. You can leave the <br> tags but I don't think you need to use HTML for the bolding. I'll add a suggestion.
Have made the changes as suggested below.
cisco_secure_client/README.md
| If you see the **Port <PORT-NO\> Already in Use** error, see the following instructions. The example below is for `PORT-NO = 514`. | ||
|
|
||
| On systems using syslog, if the Agent listens for logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. | ||
|
|
||
| This error occurs because by default, Syslog listens on port 514. To resolve this error, take **one** of the following steps: | ||
|
|
||
| - Disable syslog, or | ||
| - Configure the Agent to listen on a different, available port. |
| If you see the **Port <PORT-NO\> Already in Use** error, see the following instructions. The example below is for `PORT-NO = 514`. | |
| On systems using syslog, if the Agent listens for logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. | |
| This error occurs because by default, Syslog listens on port 514. To resolve this error, take **one** of the following steps: | |
| - Disable syslog, or | |
| - Configure the Agent to listen on a different, available port. | |
| On systems using syslog, if the Agent listens for logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. | |
| By default, syslog listens on port 514. To resolve this error, take **one** of the following steps: | |
| - Disable syslog, or | |
| - Configure the Agent to listen on a different, available port. |
Done
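An added example, not part of the PR, for the port conflict the README section above documents: before pointing the Agent's log config at UDP 514, probe whether that port can actually be bound and, if not, report why (the "address already in use" case when syslog owns it, or a permission failure on a privileged port without privileges) and walk a list of fallback ports. The fallback ports 1514 and 5140 are assumed values, and the probe holds each socket only for the duration of the check.

```python
import errno
import socket
from typing import Dict, Iterable, Optional, Tuple


def check_udp_port(port: int, host: str = "0.0.0.0") -> str:
    """Probe whether a UDP listener could be started on host:port right now.

    Returns "free", "in-use" (the `bind: address already in use` case from the
    README, typically syslog holding 514) or "permission-denied" (a port below
    1024 when the Agent is not privileged).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "free"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        if exc.errno == errno.EACCES:
            return "permission-denied"
        raise
    finally:
        sock.close()


def pick_agent_port(
    preferred: int = 514,
    fallbacks: Iterable[int] = (1514, 5140),  # assumed fallback ports
    host: str = "0.0.0.0",
) -> Tuple[Optional[int], Dict[int, str]]:
    """Return (first bindable port, {port: reason} for the ones that were rejected).

    Mirrors the README's two remedies: keep 514 if it is free, otherwise move the
    Agent to another available port instead of fighting syslog for 514.
    """
    rejected: Dict[int, str] = {}
    for port in (preferred, *fallbacks):
        status = check_udp_port(port, host)
        if status == "free":
            return port, rejected
        rejected[port] = status
    return None, rejected


def hold_udp_port(host: str = "127.0.0.1") -> socket.socket:
    """Bind a throwaway UDP socket on an OS-chosen port to simulate syslog owning it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    return sock


if __name__ == "__main__":
    # Simulate the conflict on loopback rather than touching the real port 514.
    holder = hold_udp_port()
    busy_port = holder.getsockname()[1]
    print(busy_port, check_udp_port(busy_port, "127.0.0.1"))  # in-use while held
    print(pick_agent_port(busy_port, (busy_port,), "127.0.0.1"))
    holder.close()
    print(busy_port, check_udp_port(busy_port, "127.0.0.1"))  # free again
```

The probe reports the same errno the Agent's forwarder would hit, so a "permission-denied" result points at running the Agent without the capability to bind low ports rather than at a syslog conflict, which the README's two remedies do not cover.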
…into cisco-secure-client-v1.0.0
@manan-crest a new validation was recently added; can you add an owner field for this integration like so:
evazorro
left a comment
Thank you for making those changes! One more small suggestion.
What does this PR do?
This is an initial release PR of the Cisco Secure Client integration, including all the required assets.
Integration Logo Sources: https://upload.wikimedia.org/wikipedia/commons/0/08/Cisco_logo_blue_2016.svg
Review checklist (to be filled by reviewers)
- Add the `qa/skip-qa` label if the PR doesn't need to be tested during QA.
- Add the `backport/<branch-name>` label to the PR and it will automatically open a backport PR once this one is merged.