Centralized Syslog management for Cisco Switches

Hello everyone!

I set up an ELK stack which is already running, receiving some logs and also showing everything in Kibana. But I have problems with filtering and properly using the data because everything is just in the "message" field of the received data. Here is a screenshot as explanation:


With this data I can't really create any diagrams or analysis.
I was trying to figure out the mapping thing but didn't have any success yet. Also I'm not sure if I'm on the right track with that.

Switch sends log to ELK stack IP -> rsyslog receives log over port 514 -> Logstash filters data through Filebeat (config below) -> data visible in Kibana as in the screenshot above

Can anyone tell me how I can fix this problem? I want to separate the message block into the syslog host (for example switch-412) and the log message from the switch.

Logstash Config:

input {
  beats {
    port => 5044    # Filebeat ships the rsyslog-written file here
  }
}

filter {
  # Only events that carry type == "syslog" are parsed; an event without that
  # field passes through untouched, with the whole line still in "message".
  if [type] == "syslog" {
    grok {
      # Classic rsyslog line: "Dec  5 17:26:09 switch-412 program[pid]: text"
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => { "received_at" => "%{@timestamp}" "received_from" => "%{host}" }
    }
    # Decodes the <PRI> value into syslog_facility / syslog_severity fields.
    syslog_pri { }
    # Use the timestamp from the line itself, not the time Logstash saw it.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["ELK-IP:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"    # deprecated on Elasticsearch 7.x
  }
}

What does the message field look like?

Hello Badger,

here are some examples of how the message part looks when I'm searching for "switch-":

This is what I use to parse those logs with Logstash. It would be nice if an equivalent ISE fileset were added to the Cisco module in Filebeat.

filter {
  # The tcp/udp inputs put the sender's IP in "host"; keep it as host.ip and
  # also copy it to host.name so both fields exist for Kibana.
  mutate {
    rename => { "host" => "host.ip" }
    add_field => { "host.name" => "%{host.ip}"}
  }
  # Cisco ISE lines. A long ISE message is split over several syslog lines; the
  # two integers after the sequence number are "number of parts" and "part index".
  # Only part 0 carries the ISE header, later parts go straight into key=value pairs.
  grok {
    match => { "message" => [
         #<181>Dec 20 15:11:30 bbbb CISE_Passed_Authentications 0000003579 7 0 2019-12-20 15:11:30.539 +00:00 0098113147 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=79, Device IP Address=10.2.80.103, DestinationIPAddress=10.1.128.144, DestinationPort=1812, UserName=DOMAIN\\AAA, Protocol=Radius, RequestLatency=12, NetworkDeviceName=XXXX, User-Name=XXX, NAS-IP-Address=10.2.80.103, NAS-Port=50148, Service-Type=Framed, Framed-IP-Address=10.2.10.63, Framed-MTU=1500, State=37CPMSessionID=0A0250670000411C24734840\;33SessionID=bbbb/364024023/9139809\;, Called-Station-ID=B4-A8-B9-FA-FE-30, Calling-Station-ID=28-00-A8-08-CD-00, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/48, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0A0250670000411C24734840, cisco-av-pair=method=dot1x, cisco-av-pair=vlan-id=10, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-1115-a80e-6753d45bf11c, IsThirdPartyDeviceFlow=false,
         "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:ise.log_type} %{NUMBER:ise.log_sequence} %{INT:ise.log_lines_split} %{INT:ise.log_line_sequence} %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})? %{ISO8601_TIMEZONE}? %{NUMBER:ise.log_number} %{NUMBER:ise.log_id} %{DATA:ise.log_severity} %{DATA:ise.log_id_description},%{GREEDYDATA:kvfields}",


         #<181>Dec 20 16:53:56 bbbb CISE_Passed_Authentications 0000003629 3 1  AcsSessionID=bbbb/364024023/9165172, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=VLAN_Thinclient, UseCase=Host Lookup, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=ThinClient, UserType=Host, CPMSessionID=0A0250690000229EBCD5C02B, EndPointMACAddress=D0-00-00-00-A2-0A, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Unknown,
         "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:ise.log_type} %{NUMBER:ise.log_sequence} %{INT:ise.log_lines_split} %{INT:ise.log_line_sequence}  %{GREEDYDATA:kvfields}"
      ]
    }
    add_tag => [ "cisco_ise" ]
    # No _grokparsefailure tag on non-ISE lines; they are handled in the else branch.
    tag_on_failure => [ ]
  }
  if "cisco_ise" in [tags] {
    # Split "key=value, key=value, ..." into fields; repeated keys become arrays.
    kv {
      field_split => ", "
      value_split => "="
#      trim_key => "\s"
      source => "kvfields"
#     remove_tag => ["cisco_ise"]
    }
    mutate {
     remove_field => ["kvfields"]
    }
  } else {
    grok {
      match => { "message" => [
           # Cisco IOS switch line: sequence number, timestamp, then %FACILITY-SEVERITY-MNEMONIC.
           # Note that this format carries no hostname; the sender is identified by host.ip above.
           #<189>116006: Dec  5 17:26:09.511: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/6, changed state to up
           #<189>128327: Dec 12 09:00:31.541: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi2/0/6: PD removed (DDDADSW03-2)
           "^<%{POSINT:syslog_pri}>%{INT}: %{SYSLOGTIMESTAMP:syslog.timestamp}: %%{CISCO_REASON:cisco.facility}-%{INT:cisco.severity_level}-%{CISCO_REASON:cisco.facility_mnemonic}: %{GREEDYDATA:message}",


           # NAS WebDAV events (file transfers with user, size and source IP).
           #<14>Dec  5 18:25:26 ddddcrs01 Webdav Event: download, Path: /some/path/27-Mar -2019.pdf, File/Folder: File, Size: 82.90 KB, User: DOMAIN\xxx, IP: 172.16.0.150
           #<14>Dec 12 12:02:00 ddddcrs01 Webdav Event: upload, Path: /some/path/27-Mar -2019.pdf, File/Folder: File, Size: 643.10 KB, User: DOMAIN\xxx, IP: 172.16.0.150
           "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:service}: %{WORD:action}, Path: (%{GREEDYDATA:path_src} -> %{GREEDYDATA:path_dst}|%{GREEDYDATA:path_dst}), File/Folder: %{WORD:path_type}(?:, Size: (NA|%{BASE10NUM:file_size} %{WORD:file_size_unit}))?(?:, User: (?:%{WORD:user.domain}\\)?%{USERNAME:user.name})?(?:, IP: %{IP:source.ip})?",


           # NAS share access over SMB.
           #<14>Dec 12 10:01:03 ddddcrs01 Connection: User [DOMAIN\xxx] from [DDD0886(10.2.10.68)] via [CIFS(SMB2)] accessed shared folder [fff_share]
           "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{WORD:service}: User \[(%{IPORHOST:user.domain})?\\?%{DATA:user.name}\] from \[(%{IPORHOST:source.domain})?\\?\(%{IPORHOST:source.ip}\)\] via \[%{WORD:sharing.protocol_dialect}\(%{WORD:sharing.protocol}\)\] accessed shared folder \[%{DATA:sharing.target_folder}\]",

           # NAS failed logins, worth alerting on.
           #<12>Dec 20 15:38:04 ddddcrs01 Connection: User [DOMAIN\xxx] from [172.16.0.150] failed to log in via [WebDAV] due to authorization failure.
           "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:service}: User \[(?:%{IPORHOST:user.domain})\\?%{DATA:user.name}\] from \[(%{IPORHOST:source.domain})?\\?%{IPORHOST:source.ip}\] failed to log in via \[(%{WORD:sharing.protocol_dialect})?\\?%{WORD:sharing.protocol}\] due to authorization failure"
         ]
      }
    }
  }
  # Turn the numeric syslog_pri captured above into facility/severity labels.
  syslog_pri {
    use_labels => true
  }
}
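The parsing that the grok, kv and syslog_pri filters above perform, as an added example in Python that is not part of the original thread or of Logstash, so the patterns can be checked offline against the line shapes quoted here. It decodes the <PRI> prefix into facility and severity, splits the Cisco IOS "%FACILITY-SEVERITY-MNEMONIC:" header (the switch case the original question is about) and the Cisco ISE header, parses the ISE key=value payload with the same first-"=" rule the kv filter uses, and, going beyond the posted filter, reassembles ISE messages that were split across several syslog segments (the two counters after the sequence number). The sample lines are constructed to match the shapes quoted above; hostnames such as ise01 and switch-412 are placeholders. Note that IOS lines in this format carry no hostname, so the switch name has to come from the transport, which is what the mutate on host at the top of the filter provides.

```python
import re
from collections import defaultdict

# RFC 3164 labels: PRI = facility * 8 + severity (what the syslog_pri filter decodes).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]

# Cisco IOS: "<189>116006: Dec  5 17:26:09.511: %LINEPROTO-5-UPDOWN: ..." (no hostname in the line).
IOS_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): (?P<timestamp>\w{3} {1,2}\d{1,2} [\d:.]+): "
                    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<message>.*)$")
# Cisco ISE: "<PRI>Mon dd hh:mm:ss host CISE_<type> <seq> <segments> <segment> <rest>".
ISE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<timestamp>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                    r"(?P<log_type>CISE_\S+) (?P<seq>\d+) (?P<parts>\d+) (?P<part>\d+) (?P<rest>.*)$")
# Header that only segment 0 of an ISE message carries; the key=value payload follows the first comma.
ISE_HEADER_RE = re.compile(r"^(?P<ise_timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{2}:\d{2}) "
                           r"(?P<log_number>\d+) (?P<log_id>\d+) (?P<log_severity>\S+) (?P<description>[^,]*),(?P<kv>.*)$")
# Constructed sample input shaped like the lines quoted in the thread; hostnames are placeholders.
SAMPLE_LINES = [
    "<189>116006: Dec  5 17:26:09.511: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/6, changed state to up",
    "<189>128327: Dec 12 09:00:31.541: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi2/0/6: PD removed (switch-412)",
    "<181>Dec 20 15:11:30 ise01 CISE_Passed_Authentications 0000003579 2 0 2019-12-20 15:11:30.539 +00:00 0098113147 5200 "
    "NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=79, Device IP Address=10.2.80.103, "
    "UserName=DOMAIN\\AAA, cisco-av-pair=service-type=Framed, cisco-av-pair=method=dot1x,",
    "<181>Dec 20 15:11:30 ise01 CISE_Passed_Authentications 0000003579 2 1  AuthenticationStatus=AuthenticationPassed, "
    "EndPointMACAddress=D0-00-00-00-A2-0A,",
    "not a syslog line at all",
]

def decode_pri(pri):
    """Return (facility_label, severity_label) for a syslog PRI value."""
    pri = int(pri)
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_kv(text):
    """kv filter semantics (field_split ', ', value_split '='): split at the FIRST '=', repeated keys become lists."""
    fields = {}
    for pair in text.split(", "):
        pair = pair.strip().rstrip(",")
        if "=" not in pair:
            continue
        key, value = pair.split("=", 1)
        fields[key] = value if key not in fields else (
            fields[key] + [value] if isinstance(fields[key], list) else [fields[key], value])
    return fields

def parse_line(line):
    """Parse one raw line into a dict of fields; None when no pattern matches (the grok failure case)."""
    m = IOS_RE.match(line) or ISE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["type"] = "cisco_ios" if "mnemonic" in event else "cisco_ise"
    event["syslog_facility"], event["syslog_severity"] = decode_pri(event.pop("pri"))
    if event["type"] == "cisco_ise":
        event["parts"], event["part"] = int(event["parts"]), int(event["part"])
        rest = event.pop("rest")
        if event["part"] == 0:                 # only the first segment has the ISE header
            h = ISE_HEADER_RE.match(rest)
            if h is None:
                return None
            event.update(h.groupdict())
            rest = event.pop("kv")
        event["kvfields"] = parse_kv(rest)
    return event

class IseReassembler:
    """Merge the segments ISE emits for one long message (same host and sequence number)."""
    def __init__(self):
        self._pending = defaultdict(dict)      # (host, seq) -> {segment index: event}
    def feed(self, event):
        """Return the complete event once every segment has arrived, otherwise None."""
        if event["type"] != "cisco_ise":
            return event                       # IOS events are never split
        key = (event["host"], event["seq"])
        bucket = self._pending[key]
        bucket[event["part"]] = event
        if any(i not in bucket for i in range(event["parts"])):
            return None
        del self._pending[key]
        merged = dict(bucket[0])
        del merged["part"]
        for idx in range(1, merged["parts"]):  # later segments only add key=value pairs
            for k, v in bucket[idx]["kvfields"].items():
                merged["kvfields"].setdefault(k, v)
        return merged

def parse_stream(lines):
    """Parse and reassemble a sequence of lines; returns (complete events, unmatched raw lines)."""
    reassembler, events, unmatched = IseReassembler(), [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            unmatched.append(line)
        elif (complete := reassembler.feed(event)) is not None:
            events.append(complete)
    return events, unmatched
```

Calling parse_stream(SAMPLE_LINES) yields two IOS events, one merged ISE event with the key=value pairs of both segments, and the unparsable line in the second return value; keeping that list is the quickest way to find lines your grok patterns miss before they silently end up as plain "message" text in Kibana.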

Thanks for your answer!

This looks good and I wanted to try it out right away. Sadly I realised that I don't even have the Cisco module for Filebeat, nor can I activate it. Here is how it looks on the server at /etc/filebeat/modules.d:

I tried to activate the module following the description in the link you sent. How can I install the module if it is not there? I couldn't find any download link or description. All descriptions are for enabling it.

Thanks in advance!

The Cisco module is available in Filebeat since some version of ES 7.x (I don't know the exact version). I think your Beat version is quite outdated, right?
However, this fileset (ISE) of the Cisco Filebeat module is missing, so I had to send logs via syslog to Logstash (on some port) and then parse the syslog lines directly.
If ES ever published a Filebeat module to parse Cisco ISE logs, you could run a Filebeat that listens for syslog input, activating the Cisco module and properly configuring an ise section.
Unfortunately this is not present at the moment; you should use the Logstash filters I pasted above.

Here's the missing input part of my Logstash file:

input {
  # Devices send syslog straight to Logstash on 5000 (no rsyslog/Filebeat in between).
  # Both inputs set "host" to the sender's IP, which the filter renames to host.ip.
  tcp {
    port => 5000
  }
  udp {
    port => 5000
  }
}
