Cisco ASA and logstash problem

Elastic Stack Logstash
1

Hello!

I need to process logs from ASA, let's says this:

Oct 2 09:22:41 192.168.42.129 %ASA-3-202010: NAT pool exhausted. Unable to create UDP connection from inside:192.168.222.24/47423 to outside:195.210.189.106/123

As I see in grok debugger this is OK:
^%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:device_src} %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:syslog_message}

But this config gives me _grokparsefailure
input {
udp {
port => 5515
type => "asa-mts"
}
}

filter {
if [type] == "asa-mts" {
# Split the syslog part and Cisco tag out of the message
grok {
match => { "message" => "^%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:device_src} %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:syslog_message}" }
}

Gives me an _grokparsefailure

{
"_index": "logstash-2018.10.02",
"_type": "doc",
"_id": "y8DXNGYBQAffyVxZr7Xt",
"_version": 1,
"_score": null,
"_source": {
"type": "asa-mts",
"@timestamp": "2018-10-02T12:54:02.359Z",
"host": "192.168.42.129",
"syslog_severity_code": 5,
"tags": [
"_grokparsefailure"
],
"syslog_facility_code": 1,
"@version": "1",
"syslog_severity": "notice",
"message": "<163>%ASA-3-202010: NAT pool exhausted. Unable to create TCP connection from inside:192.168.49.106/52608 to outside:213.180.193.210/443\n",
"syslog_facility": "user-level"
},
"fields": {
"@timestamp": [
"2018-10-02T12:54:02.359Z"
]
},
"sort": [
1538484842359
]
}

Could you tell me what is wrong here?

Thank you!

2

Use the following on your grok:

^<%{POSINT:syslog_pri}>%%{CISCOTAG:ciscotag}: %{GREEDYDATA:event_type}. Unable to create TCP connection from inside:%{IP:src_ip}/%{INT:src_port} to outside:%{IP:dst_ip}/%{INT:dst_port}$

If you need to test your grok statement. Please use the following site:

https://grokdebug.herokuapp.com/

or use the Kibana grok plugin

3

bardie, It is OK on https://grokdebug.herokuapp.com/, I mean my expression,
it works in Kibana's Grok Debugger.
But yours does not.

Will try in logstash...

No, still have

"tags": [
"_grokparsefailure"
],

Can't understand what is wrong here...

4

Try this:

<%{POSINT:syslog_pri}>%%{CISCOTAG:ciscotag}: %{GREEDYDATA:event_type}. Unable to create TCP connection from inside:%{IP:src_ip}/%{INT:src_port} to outside:%{IP:dst_ip}/%{INT:dst_port}

If it fails please paste the log you are trying to parse

5

Thank you!

It works, looks like this was copy&paste problem :frowning:

Anyway, I can't understand why it works in debugger and does not work in logstash.

Yet another example, firepower module:

<46>Oct 5 05:05:33 firepower-mts SFIMS: Protocol: TCP, SrcIP: 192.168.42.131, OriginalClientIP: 127.0.0.1, DstIP: 148.251.159.22, SrcPort: 50084, DstPort: 80, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: inside, EgressZone: outside, DE: Primary Detection Engine (52b0a118-69b8-11e8-b8c9-b6b1432be13e), Policy: Default Allow All Traffic, ConnectType: End, AccessControlRuleName: url filtering, AccessControlRuleAction: Block with reset, Prefilter Policy: Unknown, UserName: No Authentication Required, UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0, Client: Firefox, ClientVersion: 62.0, ApplicationProtocol: HTTP, WebApplication: Squid, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 694, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, ReferencedHost: rbnt.org, URLCategory: Malware Sites, URLReputation: High risk, URL: http://rbnt.org/

%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:blockedReason}: Protocol: %{WORD:protocol}, SrcIP: %{IP:srcIP}, OriginalClientIP: (?[^,]), DstIP: %{IP:dstIP}, SrcPort: %{NUMBER:srcPort}, DstPort: %{NUMBER:dstPort}, TCPFlags: %{WORD:tcpFlags}, IngressInterface: %{WORD:ingressINT}, EgressInterface: %{WORD:egressINT}, IngressZone: %{WORD:ingressZone}, EgressZone: %{WORD:egressZone}, DE: (?[^,]), Policy: (?[^,]), ConnectType: %{WORD:ConnectType}, AccessControlRuleName: (?[^,]), AccessControlRuleAction: (?[^,]), Prefilter Policy: %{WORD:PrefilterPolicy}, UserName: (?[^,]), UserAgent: (?[^,]), Client: (?[^,]), ClientVersion: (?[^,]), ApplicationProtocol: %{WORD:appProtocol}, WebApplication: %{WORD:WebApplication}, InitiatorPackets: %{NUMBER:initPackets}, ResponderPackets: %{NUMBER:respPackets}, InitiatorBytes: %{NUMBER:initBytes}, ResponderBytes: %{NUMBER:respondBytes}, NAPPolicy: (?[^,]), DNSResponseType: (?[^,]), Sinkhole: %{WORD:sinkhole}, ReferencedHost: (?[^,]), URLCategory: (?[^,]), URLReputation: (?[^,]), URL: %{URI:URL}

I get in Kibana Grok Debugger:

{
"Policy": "Default Allow All Traffic",
"DE": "Primary Detection Engine (52b0a118-69b8-11e8-b8c9-b6b1432be13e)",
"srcIP": "192.168.42.131",
"PrefilterPolicy": "Unknown",
"NAPPolicy": "Balanced Security and Connectivity",
"AccessControlRuleAction": "Block with reset",
"respondBytes": "74",
"appProtocol": "HTTP",
"srcPort": "50084",
"respPackets": "1",
"ClientVersion": "62.0",
"sinkhole": "Unknown",
"URLCategory": "Malware Sites",
"URL": "http://rbnt.org/",
"ConnectType": "End",
"protocol": "TCP",
"dstPort": "80",
"host": "firepower-mts",
"UserAgent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0",
"ReferencedHost": "rbnt.org",
"dstIP": "148.251.159.22",
"tcpFlags": "0x0",
"egressZone": "outside",
"Client": "Firefox",
"WebApplication": "Squid",
"syslog_pri": "46",
"timestamp": "Oct 5 05:05:33",
"UserName": "No Authentication Required",
"blockedReason": "SFIMS",
"URLReputation": "High risk",
"initPackets": "3",
"DNSResponseType": "No Error",
"ingressINT": "inside",
"initBytes": "694",
"egressINT": "outside",
"ingressZone": "inside",
"AccessControlRuleName": "url filtering",
"OriginalClientIP": "127.0.0.1"
}

But "tags": [
"_grokparsefailure"
],
in logstash.

Could you, please, tell me how can I find error if debugger shows everything is fine?

Thank you!

6

For Grok, the only way to debug is by testing the grok statement on the grok debugger app or plugin. Other than that just make sure your filter format has no errors

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.