Can't parse event as syslog rfc3164

Hello,

We are having problems with the'syslog' input of filebeat. I'm using the script for sending a single log to the filebeat syslog input.

I've noticed that the same message is being parsed because I can see the event on my logger server, and I've also noticed errors being sent to the log file, resulting in the loss of many logs.

Single Log:

Jan 24 2024 11:22:41  : %FTD-6-430003: EventPriority: Low, DeviceUUID: 70278058-1b77-11ec-a090-feeeb3702f49, InstanceID: 4, FirstPacketSecond: 2024-01-24T11:21:03Z, ConnectionID: 40428, AccessControlRuleAction: Allow, SrcIP: 0.0.0.0, DstIP: 92.204.128.155, SrcPort: 62416, DstPort: 4433, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: Pol_Access_Control, AccessControlRuleName: Allow_URLs, Prefilter Policy: Default Prefilter Policy_1, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 98, InitiatorPackets: 14, ResponderPackets: 16, InitiatorBytes: 1802, ResponderBytes: 6133, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: None, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: d08c844c3b312370e87118a194ae6f8d52d3626b, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, SSLServerName: ns1002325.ip-92-204-128.us, URLCategory: Infrastructure and Content Delivery Networks, URLReputation: Neutral, URL: https://ns1002325.ip-92-204-128.us

Filebeat.yml configuration file:

fields_under_root: true
fields.collector_node_id: AgentServer

output.logstash:
   hosts: ["xx.xx.xx.xx:xxxx"]

max_procs: 4

queue:
  disk:  
    path: C:\Program Files\sequretek\Syslog\data\diskqueue
    max_size: 10GB
    segment_size: 1MB
    retry_interval: 1s

    
filebeat.inputs:
- type: syslog
  enabled: true
  keep_null: true
  format: auto
  timeout: 10
  protocol.udp:
    host: "0.0.0.0:514"

- type: syslog
  enabled: true
  format: auto
  timeout: 10
  keep_null: true
  protocol.tcp:
    host: "0.0.0.0:514"

Below is the error getting into log file.

{"log.level":"error","@timestamp":"2024-02-01T19:42:11.413+0530","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":285},"message":"can't parse event as syslog rfc3164","service.name":"filebeat","message":"Jan 24 2024 11:22:41  : %FTD-6-430003: EventPriority: Low, DeviceUUID: 70278058-1b77-11ec-a090-feeeb3702f49, InstanceID: 4, FirstPacketSecond: 2024-01-24T11:21:03Z, ConnectionID: 40428, AccessControlRuleAction: Allow, SrcIP: 0.0.0.0, DstIP: 92.204.128.155, SrcPort: 62416, DstPort: 4433, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: Pol_Access_Control, AccessControlRuleName: Allow_URLs, Prefilter Policy: Default Prefilter Policy_1, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 98, InitiatorPackets: 14, ResponderPackets: 16, InitiatorBytes: 1802, ResponderBytes: 6133, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: None, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: d08c844c3b312370e87118a194ae6f8d52d3626b, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, SSLServerName: ns1002325.ip-92-204-128.us, URLCategory: Infrastructure and Content Delivery Networks, URLReputation: Neutral, URL: https://ns1002325.ip-92-204-128.us","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-02-01T19:42:12.398+0530","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":148},"message":"Failed to connect to backoff(async(tcp://172.24.2.55:7777)): dial tcp 172.24.2.55:7777: connectex: No connection could be made because the target machine actively refused it.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-02-01T19:42:12.398+0530","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":139},"message":"Attempting to reconnect to backoff(async(tcp://172.24.2.55:7777)) with 1 reconnect attempt(s)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-02-01T19:42:12.415+0530","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":285},"message":"can't parse event as syslog rfc3164","service.name":"filebeat","message":"Jan 24 2024 11:22:41  : %FTD-6-430003: EventPriority: Low, DeviceUUID: 70278058-1b77-11ec-a090-feeeb3702f49, InstanceID: 4, FirstPacketSecond: 2024-01-24T11:21:03Z, ConnectionID: 40428, AccessControlRuleAction: Allow, SrcIP: 0.0.0.0, DstIP: 92.204.128.155, SrcPort: 62416, DstPort: 4433, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: Pol_Access_Control, AccessControlRuleName: Allow_URLs, Prefilter Policy: Default Prefilter Policy_1, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 98, InitiatorPackets: 14, ResponderPackets: 16, InitiatorBytes: 1802, ResponderBytes: 6133, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: None, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: d08c844c3b312370e87118a194ae6f8d52d3626b, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, SSLServerName: ns1002325.ip-92-204-128.us, URLCategory: Infrastructure and Content Delivery Networks, URLReputation: Neutral, URL: https://ns1002325.ip-92-204-128.us","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-02-01T19:42:13.419+0530","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":285},"message":"can't parse event as syslog rfc3164","service.name":"filebeat","message":"Jan 24 2024 11:22:41  : %FTD-6-430003: EventPriority: Low, DeviceUUID: 70278058-1b77-11ec-a090-feeeb3702f49, InstanceID: 4, FirstPacketSecond: 2024-01-24T11:21:03Z, ConnectionID: 40428, AccessControlRuleAction: Allow, SrcIP: 0.0.0.0, DstIP: 92.204.128.155, SrcPort: 62416, DstPort: 4433, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: Pol_Access_Control, AccessControlRuleName: Allow_URLs, Prefilter Policy: Default Prefilter Policy_1, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 98, InitiatorPackets: 14, ResponderPackets: 16, InitiatorBytes: 1802, ResponderBytes: 6133, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: None, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: d08c844c3b312370e87118a194ae6f8d52d3626b, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, SSLServerName: ns1002325.ip-92-204-128.us, URLCategory: Infrastructure and Content Delivery Networks, URLReputation: Neutral, URL: https://ns1002325.ip-92-204-128.us","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-02-01T19:42:14.421+0530","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":285},"message":"can't parse event as syslog rfc3164","service.name":"filebeat","message":"Jan 24 2024 11:22:41  : %FTD-6-430003: EventPriority: Low, DeviceUUID: 70278058-1b77-11ec-a090-feeeb3702f49, InstanceID: 4, FirstPacketSecond: 2024-01-24T11:21:03Z, ConnectionID: 40428, AccessControlRuleAction: Allow, SrcIP: 0.0.0.0, DstIP: 92.204.128.155, SrcPort: 62416, DstPort: 4433, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: Pol_Access_Control, AccessControlRuleName: Allow_URLs, Prefilter Policy: Default Prefilter Policy_1, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 98, InitiatorPackets: 14, ResponderPackets: 16, InitiatorBytes: 1802, ResponderBytes: 6133, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: None, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: d08c844c3b312370e87118a194ae6f8d52d3626b, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, SSLServerName: ns1002325.ip-92-204-128.us, URLCategory: Infrastructure and Content Delivery Networks, URLReputation: Neutral, URL: https://ns1002325.ip-92-204-128.us","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-02-01T19:42:15.424+0530","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":285},"message":"can't parse event as syslog rfc3164","service.name":"filebeat","message":"Jan 24 2024 11:22:41  : %FTD-6-430003: EventPriority: Low, DeviceUUID: 70278058-1b77-11ec-a090-feeeb3702f49, InstanceID: 4, FirstPacketSecond: 2024-01-24T11:21:03Z, ConnectionID: 40428, AccessControlRuleAction: Allow, SrcIP: 0.0.0.0, DstIP: 92.204.128.155, SrcPort: 62416, DstPort: 4433, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: Pol_Access_Control, AccessControlRuleName: Allow_URLs, Prefilter Policy: Default Prefilter Policy_1, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 98, InitiatorPackets: 14, ResponderPackets: 16, InitiatorBytes: 1802, ResponderBytes: 6133, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: None, SSLFlowStatus: Success, SSLCipherSuite: Unknown, SSLCertificate: d08c844c3b312370e87118a194ae6f8d52d3626b, SSLVersion: Unknown, SSLServerCertStatus: Valid, SSLActualAction: Do Not Decrypt, SSLExpectedAction: Do Not Decrypt, SSLServerName: ns1002325.ip-92-204-128.us, URLCategory: Infrastructure and Content Delivery Networks, URLReputation: Neutral, URL: https://ns1002325.ip-92-204-128.us","ecs.version":"1.6.0"}

I performed this test since I saw this issue in the production environment.

Looking for a solution.

Thanks,
Amol

RFC3164 timestamps are not allowed to include a year

It has been found that some network administrators like to archive
their syslog messages over long periods of time. It has been seen
that some original syslog messages contain a more explicit time stamp
in which a 2 character or 4 character year field immediately follows
the space terminating the TIMESTAMP. This is not consistent with the
original intent of the order and format of the fields. If
implementers wish to contain a more specific date and time stamp
within the transmitted message, it should be within the CONTENT
field. Implementers may wish to utilize the ISO 8601 [7] date and
time formats if they want to include more explicit date and time
information.

Is FTD here Firepower Threat Defense? you should be able to specify the timestamp format as RFC5424:

Beginning with version 6.3, Secure Firewall Threat Defense provides the option to enable timestamp as per RFC 5424 in eventing syslogs.

See: Cisco Secure Firewall Threat Defense Syslog Messages - About This Guide [Cisco Secure Firewall Management Center] - Cisco

Other options include:

  1. You could also look at using Elastic Agent with the Cisco Integration which would handle the message parsing for you once you set the timestamp format.

  2. If you dont want to change the timezone format you could switch from a Syslog input to a UDP and TCP input and perform the parsing with a beat processor as well.

Hi Strawgate,

Thanks for your reply.
I have two question in this.

  1. If format is not supported then how come few message are getting parsed?
  2. If format is not getting parse then what is the process for add format into filebeat?

Regards,
Amol

If you dont want to change the timezone format on the device itself (its configurable) you could switch from a Syslog input to a UDP and TCP input and perform the syslog parsing with a beat processor.

I'd have to see the messages that are parsing correctly to figure out why they might be parsing correctly.

Thanks. It is working.

1 Like