I am new to Elastic and have been experimenting with syslog from my Cisco ASA firewall to logstash to get an understanding of it. I've followed the various instructions on the Internet to achieve this and managed to get the vast majority of data coming in nicely. Unfortunately I've found that a few of the patterns pertaining to the Cisco-ASA in the firewall pattern file do not work, at least not against the version of the firewall I am running (9.6).
For example, I have an ASA-3-313008 log entry. This one exists in the pattern file, but my logs contain IPv6 protocols and do not work. In short, IPv6-ICMP does not match as a WORD (the hyphen is the problem), and for some reason the interface was not matching as a DATA type.
By changing the protocol to DATA and the interface to WORD, this started working perfectly.
I have also identified several new patterns, relating to URL access monitoring and other new capabilities, which are absent from the existing pattern file.
So this leads to my two questions:
- Should I be contributing fixes like this to the repository? Ordinarily I would, but I don't have access to the multiple versions of the ASA code to ensure my changes are backwards compatible.
- Is there a recommended way to override the patterns? I just modified the file directly, but I have noticed the ability to include a pattern file in the logstash conf file. Does a specifically referenced pattern file override the inbuilt patterns (when they have conflicting definitions)?
Thanks,
Caliph
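The WORD versus DATA behaviour described in the post, as an added, self-contained example that is not from the original thread or from the Logstash pattern files: the two grok lines are constructed approximations of the shipped 313008 pattern and of the poster's fix, the base patterns are re-implemented with Python's `re` (grok itself uses Oniguruma), and the `IP` matcher is a deliberately simplified assumption.

```python
import re

# Grok base patterns as in the stock grok-patterns file (WORD, NOTSPACE, DATA,
# INT); IP is a deliberately simplified stand-in for grok's IPV4/IPV6 union.
BASE = {
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "IP": r"[0-9a-fA-F:.]+",  # assumption: enough for fe80::1 and 10.1.2.3
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def compile_grok(pattern: str) -> "re.Pattern[str]":
    """Expand %{NAME:field} references into a regex with named groups."""
    def expand(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        body = BASE[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, pattern))

def grok_fields(pattern: str, message: str):
    """Captured fields as a dict, or None when the pattern does not match."""
    m = compile_grok(pattern).search(message)
    return m.groupdict() if m else None

# Constructed approximations of the shipped ASA-3-313008 grok line (BEFORE)
# and of the poster's change (AFTER): protocol WORD -> DATA, interface -> WORD.
BEFORE = ("Denied %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code}"
          " from %{IP:src_ip} on interface %{DATA:interface}")
AFTER = ("Denied %{DATA:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code}"
         " from %{IP:src_ip} on interface %{WORD:interface}")

# Constructed sample message bodies (the "%ASA-3-313008:" prefix stripped).
IPV6_MSG = "Denied IPv6-ICMP type=128, code=0 from fe80::1 on interface outside"
IPV4_MSG = "Denied ICMP type=8, code=0 from 10.1.2.3 on interface inside"

if __name__ == "__main__":
    for label, pat in (("before", BEFORE), ("after", AFTER)):
        for msg in (IPV6_MSG, IPV4_MSG):
            print(label, grok_fields(pat, msg))
```

Running it also shows the second symptom: an unanchored `%{DATA:interface}` at the very end of a grok line matches the empty string lazily, so the field is present but empty, which is one common reason a trailing DATA capture looks like it "does not match".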