LOGSTASH CONF
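input {
  file {
    type => "CISCO_ASA_FIREWALL"
    # "exclude" is a filename glob, not a substring test: ".gz" would only
    # skip a file literally named ".gz". "*.gz" skips every gzipped rotation.
    exclude => "*.gz"
    path => "/home/lasse/Skrivebord/3asa5525/messages-2015-10-30"
    # This is a replay of an archived file, so read it from the start. For
    # live data (e.g. a file being streamed into) "end" avoids re-ingesting
    # history on every restart.
    # NOTE(review): the file input remembers its read offset in a sincedb, so
    # a second run will not re-read this file unless that offset is cleared.
    start_position => "beginning"
  }
}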
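filter {
  if [type] == "CISCO_ASA_FIREWALL" {
    # Stage 1: split the syslog envelope from the ASA message body.
    # CISCO_TAGGED is defined in the custom patterns file; the filters below
    # rely on it capturing "timestamp" (for date) and "syslog_pri" (for
    # syslog_pri) -- TODO confirm against CISCO_ASA_PATTERN.txt.
    grok {
      patterns_dir => "/home/lasse/Skrivebord/patterns/CISCO_ASA_PATTERN.txt"
      match => { "message" => "%{CISCO_TAGGED} %{GREEDYDATA:cisco_message}" }
    }

    # Decodes the numeric syslog <PRI> value held in the "syslog_pri" field
    # into syslog_facility / syslog_severity (and their *_code variants).
    # Severity is what alerting and dashboards usually key on, so keep it.
    syslog_pri { }

    # Set @timestamp from the ASA's own timestamp instead of the ingest time.
    # The original config parsed into "timestamp" and then removed that
    # field, so every replayed event was stamped with the day it was
    # ingested rather than the day it happened. Formats without a year get
    # the current year filled in, so replaying an old file outside the year
    # it was written can misdate events; prefer a year-bearing ASA format.
    # NOTE(review): no "timezone" is set, so the ASA clock is assumed to be
    # in this host's local zone -- confirm.
    date {
      match => ["timestamp",
                "MMM dd HH:mm:ss",
                "MMM d HH:mm:ss",
                "MMM dd yyyy HH:mm:ss",
                "MMMM d yyyy HH:mm:ss"]
    }

    if "_grokparsefailure" not in [tags] {
      # Promote the ASA message body to "message" and drop the raw timestamp
      # string now that @timestamp carries the parsed value.
      mutate {
        rename => ["cisco_message" , "message"]
        remove_field => ["timestamp"]
      }

      # Stage 2: per-message-ID field extraction. Runs only when stage 1
      # succeeded so a line that already failed is not grokked twice.
      # Patterns are tried in order and the first match wins; a line that
      # matches none is tagged "_grokparsefailure" and keeps its raw message,
      # so unknown message IDs are still archived and searchable.
      # (Duplicate entries for CISCOASA713904 and CISCOASA607001 removed.)
      grok {
        patterns_dir => "/home/lasse/Skrivebord/patterns/CISCO_ASA_PATTERN.txt"
        match => { "message" => [
          "%{CISCOASA106021}",
          "%{CISCOASA106001}",
          "%{CISCOASA106006_106007_106010}",
          "%{CISCOASA106017}",
          "%{CISCOASA106020}",
          "%{CISCOASA106014}",
          "%{CISCOASA305006}",
          "%{CISCOASA313001_313004_313008}",
          "%{CISCOASA710003_1}",
          "%{CISCOASA710003}",
          "%{CISCOASA746005}",
          "%{CISCOASA746006}",
          "%{CISCOASA106023}",
          "%{CISCOASA313004}",
          "%{CISCOASA313005}",
          "%{CISCOASA313009}",
          "%{CISCOASA338004_338008}",
          "%{CISCOASA410001}",
          "%{CISCOASA400028}",
          "%{CISCOASA400037}",
          "%{CISCOASA402117}",
          "%{CISCOASA402119}",
          "%{CISCOASA405104}",
          "%{CISCOASA419001}",
          "%{CISCOASA419002}",
          "%{CISCOASA500004}",
          "%{CISCOASA507003}",
          "%{CISCOASA733100}",
          "%{CISCOASA752010}",
          "%{CISCOASA752016}",
          "%{CISCOASA106100}",
          "%{CISCOASA106101}",
          "%{CISCOASA111007}",
          "%{CISCOASA111008}",
          "%{CISCOASA111010}",
          "%{CISCOASA305013}",
          "%{CISCOASA321001}",
          "%{CISCOASA502103}",
          "%{CISCOASA713041}",
          "%{CISCOASA713049}",
          "%{CISCOASA713050}",
          "%{CISCOASA713073}",
          "%{CISCOASA713074}",
          "%{CISCOASA713075}",
          "%{CISCOASA713076}",
          "%{CISCOASA713119}",
          "%{CISCOASA713120}",
          "%{CISCOASA713130}",
          "%{CISCOASA713184}",
          "%{CISCOASA713228}",
          "%{CISCOASA713902}",
          "%{CISCOASA713904}",
          "%{CISCOASA713257}",
          "%{CISCOASA725001}",
          "%{CISCOASA725002}",
          "%{CISCOASA725003}",
          "%{CISCOASA752004}",
          "%{CISCOASA725006}",
          "%{CISCOASA725007}",
          "%{CISCOASA110002}",
          "%{CISCOASA110003}",
          "%{CISCOASA106015}",
          "%{CISCOASA106016}",
          "%{CISCOASA113004}",
          "%{CISCOASA113005}",
          "%{CISCOASA113008}",
          "%{CISCOASA113009}",
          "%{CISCOASA302010}",
          "%{CISCOASA302013_302014_302015_302016}",
          "%{CISCOASA302020_302021}",
          "%{CISCOASA303002}",
          "%{CISCOASA305011}",
          "%{CISCOASA607001}",
          "%{CISCOASA602101}",
          "%{CISCOASA602303_602304}",
          "%{CISCOASA605005}",
          "%{CISCOASA611101}",
          "%{CISCOASA611103}",
          "%{CISCOASA622001}",
          "%{CISCOASA713172}",
          "%{CISCOASA713905_1}",
          "%{CISCOASA713905}",
          "%{CISCOASA734001}",
          "%{CISCOASA737006}",
          "%{CISCOASA737029}",
          "%{CISCOASA737031}",
          "%{CISCOASA111009}",
          "%{CISCOASA609001_609002}",
          "%{CISCOASA710001_710002_710003_710005_710006}",
          "%{CISCOASA713236}",
          "%{CISCOASA713906}",
          "%{CISCOASA715036_715046_715047_715075}"
        ] }
      }
    }
  }
}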
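output {
  # Debug echo of every event to the console; remove at production volumes.
  stdout { codec => plain }

  # Local archive, one file per type per day. "%{+...}" is the date-format
  # syntax evaluated against @timestamp; the original "%{YYYY-MM}" (no "+")
  # was a reference to a field that does not exist, so Logstash wrote the
  # token out literally and created a directory named "%{YYYY-MM}".
  file {
    path => "/home/lasse/Skrivebord/ASA_archive_1/%{type}/%{+YYYY-MM}/%{type}-%{+YYYY-MM-dd}.log"
  }

  elasticsearch {
    # Plain HTTP: the basic-auth credentials and the firewall log data cross
    # the wire in clear text. Use https:// (with TLS on the cluster) if this
    # traffic leaves the local host.
    hosts => ["http://192.168.128.46:9200"]
    document_type => "text"
    index => "clientone"
    # Credentials are hard-coded in the config: anyone who can read this
    # file can write to, or delete from, the index. Move them out of the
    # file (environment-variable substitution or the Logstash keystore in
    # newer releases), keep the file out of version control, and rotate
    # the password if this file has already been shared.
    user => "elastic"
    password => "Infowise"
  }
}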