Cisco asa - grok failure probably

trustbyte · August 3, 2018, 11:25am

Hey guys!

I am having a hard time with the logstash and a syslog file which gets info from multiple cisco routers/firewalls.

syslog file is like this:

Aug 3 00:00:03 host233.domain.com %ASA-6-305011: Built dynamic TCP translation from inside:101.222.210.42/49592 to outside:193.122.118.20/49592
Aug 3 00:00:03 host200.domain.com %ASA-6-106100: access-list adout permitted tcp tdd-rd-db/120.130.62.102(55190) -> ad/190.131.37.32(88) hit-cnt 1 first hit [0x622c7137, 0x2b314401]
Aug 3 00:00:03 host201.domain.com %ASA-6-302013: Built inbound TCP connection 994087149 for rrm-pr-db:101.16.6.135/55365 (10.160.6.35/55365) to ad:10.11.13.3/88 (11.12.12.3/88)

#logstash is like this
input {
beats {
port => 5044
type => "cisco-fw"
}
}

filter {
grok {
match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
}

    grok {
            match => [
                    "cisco_message", "%{CISCOFW106001}",
                    "cisco_message", "%{CISCOFW106006_106007_106010}",
                    "cisco_message", "%{CISCOFW106014}",
                    "cisco_message", "%{CISCOFW106015}",
                    "cisco_message", "%{CISCOFW106021}",
                    "cisco_message", "%{CISCOFW106023}",
                    "cisco_message", "%{CISCOFW106100}",
                    "cisco_message", "%{CISCOFW110002}",
                    "cisco_message", "%{CISCOFW302010}",
                    "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
                    "cisco_message", "%{CISCOFW302020_302021}",
                    "cisco_message", "%{CISCOFW305011}",
                    "cisco_message", "%{CISCOFW313001_313004_313008}",
                    "cisco_message", "%{CISCOFW313005}",
                    "cisco_message", "%{CISCOFW402117}",
                    "cisco_message", "%{CISCOFW402119}",
                    "cisco_message", "%{CISCOFW419001}",
                    "cisco_message", "%{CISCOFW419002}",
                    "cisco_message", "%{CISCOFW500004}",
                    "cisco_message", "%{CISCOFW602303_602304}",
                    "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",
                    "cisco_message", "%{CISCOFW713172}",
                    "cisco_message", "%{CISCOFW733100}"
            ]
    }

the problem is that Kibana is storing the message like this and not with the fields from the message itself (ip, dst, etc.)

@timestamp		August 3rd 2018, 12:54:59.944
t @version		1
t _id		p7xt_2QBG-A9L2YKJP45
t _index		logstash-2018.08.03
# _score		-
t _type		doc
t beat.hostname		server111
t beat.name		server111
t beat.version		6.3.2
t fields.env		prod
t host.name		server111
t input.type		log
t message		Aug 3 03:39:48 host220.domain.com %ASA-6-106100: access-list dst-out permitted udp mggmt/12.8.19.1(39209) -> dis-c-link/19.16.29.129(161) hit-cnt 1 first hit [0x1a11c48c, 0x00000000]
# offset		7,910,884,853
t prospector.type		log
t source		/data/kibana/log/syslog
t tags		beats_input_codec_plain_applied, _grokparsefailure, _geoip_lookup_failure
t type		cisco-fw

any ideas?

thank you!

NerdSec · August 3, 2018, 11:30am

Your grok is not able to parse the data. Is this happening for all ASA logs or just a few?

trustbyte · August 3, 2018, 11:32am

I only have 1 log file, that syslog that gets dump from all over the Cisco devices. no other logs.

magnusbaeck · August 3, 2018, 11:32am

See the definition of CISCO_TAGGED_SYSLOG:

github.com

logstash-plugins/logstash-patterns-core/blob/v4.1.2/patterns/firewalls#L5


# NetScreen firewall logs
NETSCREENSESSIONLOG %{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}


#== Cisco ASA ==
CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
# Common Particles
CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted
CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
CISCO_DIRECTION Inbound|inbound|Outbound|outbound
CISCO_INTERVAL first hit|%{INT}-second interval
CISCO_XLATE_TYPE static|dynamic
# ASA-1-104001
CISCOFW104001 \((?:Primary|Secondary)\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}

Your logfile doesn't have a priority field at the beginning of each line so that pattern won't work in your case,

trustbyte · August 3, 2018, 11:36am

Good to know, any tips how to fix this issue?

the thing is I am not quite getting it how to get the grokdebug thing inside the logstash config file..

NerdSec · August 3, 2018, 11:42am

Could you try with the following config?

%{CISCOTIMESTAMP:timestamp} %{SYSLOGHOST:sysloghost} %%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}

trustbyte · August 3, 2018, 11:47am

i tried that in the grokdebug and it matches! you are the grok master wizard yooou NerdSec thank you so much!

i will edit this line and it should work.

match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
to this
match => ["message", "%{CISCOTIMESTAMP:timestamp} %{SYSLOGHOST:sysloghost} %%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}"]

i will get back with the result.
will delete the the elasticsearch data first..

trustbyte · August 6, 2018, 8:51am

okey, the result is better now I will try to figure out some nice kibana dashboards.

i should be a happy camper and forget about it but maybe some details can help me and others going further.
"CISCOTIMESTAMP" or "GREEDYDATA" is that hardcoded in Logstash itself?
the documentation on this is quite weak : Grok filter plugin | Logstash Reference [8.11] | Elastic, how do you guys build your grok queries?

thanks for your support guys!

NerdSec · August 6, 2018, 9:33am

Hi,

Refer to this link. It has all the patterns shipped with logstash. This is also present in the documentation for grok.

https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns

I usually use the Grok debugger to build my patterns. But I usually prefer something like dissect, kv, or similar filters. Here is a nice post about grok and dissect.

system · September 3, 2018, 9:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.