Centralized Syslog management for Cisco Switches

Elastic Stack Logstash
1

Hello everyone!

I set up an ELK-Stack which is already running, receiving some logs and also showing everything in kibana. But I have problems with the filtering and properly use of the data because everything is just in the "message" of the received data. Here a screenshot as explanation:

elk_switch_data
elk_switch_data2056×438 60.5 KB

With this data I cant really create any diagramms or analysis.
I was trying to figure out the mapping thing but didnt had any succes yet.. Also I m not sure if I m on the right way with that..

Switch sends log to ELK-Stack IP -> rsyslog receives log over Port 514 -> logstash filters data through filebeat (config below) -> data visible in kibana like in screenshot above

Can anyone tell me how I can fix this problem? I want to separate the message block in syslog host (for example switch-412) and the log message from the switch.

Logstash Config:

input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["ELK-IP:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
2

What does the message field look like?

3

Hello Badger,

here some examples how the message part looks, when I m searching for "switch-":

switch_message_example
switch_message_example1463×192 32.8 KB

4

This is what I use to parse those logs with logstash. It would be nice if an equivalent ISE fileset would be added to CISCO module in filebeat

filter {
  mutate {
    rename => { "host" => "host.ip" }
    add_field => { "host.name" => "%{host.ip}"}
  }
  grok {
    match => { "message" => [
         #<181>Dec 20 15:11:30 bbbb CISE_Passed_Authentications 0000003579 7 0 2019-12-20 15:11:30.539 +00:00 0098113147 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=79, Device IP Address=10.2.80.103, DestinationIPAddress=10.1.128.144, DestinationPort=1812, UserName=DOMAIN\\AAA, Protocol=Radius, RequestLatency=12, NetworkDeviceName=XXXX, User-Name=XXX, NAS-IP-Address=10.2.80.103, NAS-Port=50148, Service-Type=Framed, Framed-IP-Address=10.2.10.63, Framed-MTU=1500, State=37CPMSessionID=0A0250670000411C24734840\;33SessionID=bbbb/364024023/9139809\;, Called-Station-ID=B4-A8-B9-FA-FE-30, Calling-Station-ID=28-00-A8-08-CD-00, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/48, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0A0250670000411C24734840, cisco-av-pair=method=dot1x, cisco-av-pair=vlan-id=10, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-1115-a80e-6753d45bf11c, IsThirdPartyDeviceFlow=false,
         "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:ise.log_type} %{NUMBER:ise.log_sequence} %{INT:ise.log_lines_split} %{INT:ise.log_line_sequence} %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})? %{ISO8601_TIMEZONE}? %{NUMBER:ise.log_number} %{NUMBER:ise.log_id} %{DATA:ise.log_severity} %{DATA:ise.log_id_description},%{GREEDYDATA:kvfields}",


         #<181>Dec 20 16:53:56 bbbb CISE_Passed_Authentications 0000003629 3 1  AcsSessionID=bbbb/364024023/9165172, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=VLAN_Thinclient, UseCase=Host Lookup, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=ThinClient, UserType=Host, CPMSessionID=0A0250690000229EBCD5C02B, EndPointMACAddress=D0-00-00-00-A2-0A, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Unknown,
         "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:ise.log_type} %{NUMBER:ise.log_sequence} %{INT:ise.log_lines_split} %{INT:ise.log_line_sequence}  %{GREEDYDATA:kvfields}"
      ]
    }
    add_tag => [ "cisco_ise" ]
    tag_on_failure => [ ]
  }
  if "cisco_ise" in [tags] {
    kv {
      field_split => ", "
      value_split => "="
#      trim_key => "\s"
      source => "kvfields"
#     remove_tag => ["cisco_ise"]
    }
    mutate {
     remove_field => ["kvfields"]
    }
  } else {
    grok {
      match => { "message" => [
           #<189>116006: Dec  5 17:26:09.511: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/6, changed state to up
           #<189>128327: Dec 12 09:00:31.541: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi2/0/6: PD removed (DDDADSW03-2)
           "^<%{POSINT:syslog_pri}>%{INT}: %{SYSLOGTIMESTAMP:syslog.timestamp}: %%{CISCO_REASON:cisco.facility}-%{INT:cisco.severity_level}-%{CISCO_REASON:cisco.facility_mnemonic}: %{GREEDYDATA:message}",


           #<14>Dec  5 18:25:26 ddddcrs01 Webdav Event: download, Path: /some/path/27-Mar -2019.pdf, File/Folder: File, Size: 82.90 KB, User: DOMAIN\xxx, IP: 172.16.0.150
           #<14>Dec 12 12:02:00 ddddcrs01 Webdav Event: upload, Path: /some/path/27-Mar -2019.pdf, File/Folder: File, Size: 643.10 KB, User: DOMAIN\xxx, IP: 172.16.0.150
           "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:service}: %{WORD:action}, Path: (%{GREEDYDATA:path_src} -> %{GREEDYDATA:path_dst}|%{GREEDYDATA:path_dst}), File/Folder: %{WORD:path_type}(?:, Size: (NA|%{BASE10NUM:file_size} %{WORD:file_size_unit}))?(?:, User: (?:%{WORD:user.domain}\\)?%{USERNAME:user.name})?(?:, IP: %{IP:source.ip})?",


           #<14>Dec 12 10:01:03 ddddcrs01 Connection: User [DOMAIN\xxx] from [DDD0886(10.2.10.68)] via [CIFS(SMB2)] accessed shared folder [fff_share]
           "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{WORD:service}: User \[(%{IPORHOST:user.domain})?\\?%{DATA:user.name}\] from \[(%{IPORHOST:source.domain})?\\?\(%{IPORHOST:source.ip}\)\] via \[%{WORD:sharing.protocol_dialect}\(%{WORD:sharing.protocol}\)\] accessed shared folder \[%{DATA:sharing.target_folder}\]",

           #<12>Dec 20 15:38:04 ddddcrs01 Connection: User [DOMAIN\xxx] from [172.16.0.150] failed to log in via [WebDAV] due to authorization failure.
           "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{SYSLOGHOST:logsource} %{DATA:service}: User \[(?:%{IPORHOST:user.domain})\\?%{DATA:user.name}\] from \[(%{IPORHOST:source.domain})?\\?%{IPORHOST:source.ip}\] failed to log in via \[(%{WORD:sharing.protocol_dialect})?\\?%{WORD:sharing.protocol}\] due to authorization failure"
         ]
      }
    }
  }
  syslog_pri {
    use_labels => true
  }
}
5

Thanks for your answer!

This looks good and I wanted to instantly try it out. Sadly I realised that I dont even have the cisco module for filebeat neighter can I activate it. Here how it look on the server at /etc/filebeat/modules.d
elk_filebeat_modules

I tried to activate the module with the description in the link you send. How can I install the module if it is not there? Couldnt find any download link or description. All descriptions are for enabling it.

Thanks in advance!

6

The Cisco module is available in Filebeat since some version of ES 7.x (I don't know the exact version). I think you're beat version is quite outdated, right?
However this fileset (ISE) of Cisco Filebeat module is missing so I had to send logs via Syslog on Logstash (on some port) and then parse the Syslog lines directly.
If ES would ever publish a Filebeat module to parse Cisco ISE logs you could run a Filebeat that listen for Syslog inputs activating the Cisco module and properly configuring an ise section.
Unfortunately this in not present at the moment, you should use the Logstash filters I pasted above.

Here's the missing input part of my Logstash file:

input {
  tcp {
    port => 5000
  }
  udp {
    port => 5000
  }
}
1 Like
7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.