Cisco ASA grok parse failure

VamPikmin · June 18, 2019, 1:20am

When I test this pattern on http://grokdebug.herokuapp.com/ it works however when I run it through logstash I get a _grokparsefailure

<166>Jun 17 2019 07:13:33: %ASA-6-305011: Built dynamic TCP translation from any:192.168.192.35/60475 to outside131:10.131.16.4/60475

%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}: %ASA-6-305011: %{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port}) to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}

{
           "message" => "<166>Jun 17 2019 07:13:33: %ASA-6-305011: Built dynamic TCP translation from any:192.168.192.35/60475 to outside131:10.131.16.4/60475",
          "@version" => "1",
         "timestamp" => "Jun 17 2019 07:13:33",
              "host" => "b7-mint",
        "@timestamp" => 2019-06-16T22:42:06.684Z,
            "client" => "10.131.16.4",
        "syslog_pri" => "166",
              "tags" => [
            [0] "_grokparsefailure"
        ]
    }

Badger · June 18, 2019, 2:04pm

Works fine in 7.1.1

       "src_interface" => "any",
          "xlate_type" => "dynamic",
"src_xlated_interface" => "outside131",
              "src_ip" => "192.168.192.35",
              "action" => "Built",
            "src_port" => "60475",
            "protocol" => "TCP",
       "src_xlated_ip" => "10.131.16.4",
           "timestamp" => "Jun 17 2019 07:13:33",
             "message" => "<166>Jun 17 2019 07:13:33: %ASA-6-305011: Built dynamic TCP translation from any:192.168.192.35/60475 to outside131:10.131.16.4/60475",
          "syslog_pri" => "166"

VamPikmin · June 18, 2019, 9:32pm

Hi Badger,
That's what I'm using too. Do you mind sharing your logstash config?

Badger · June 18, 2019, 10:25pm

input { generator { count => 1 lines => [ '<166>Jun 17 2019 07:13:33: %ASA-6-305011: Built dynamic TCP translation from any:192.168.192.35/60475 to outside131:10.131.16.4/60475' ] } }

filter {
    grok { match => { "message" => "%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}: %ASA-6-305011: %{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port}) to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}" } }
}
output { stdout { codec => rubydebug { metadata => false } } }

VamPikmin · June 19, 2019, 12:48am

Thanks Badger,

I am trying to use the patterns file

github.com

logstash-plugins/logstash-patterns-core/blob/master/patterns/firewalls

# NetScreen firewall logs
NETSCREENSESSIONLOG %{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}

#== Cisco ASA ==
CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
# Common Particles
CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted
CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
CISCO_DIRECTION Inbound|inbound|Outbound|outbound
CISCO_INTERVAL first hit|%{INT}-second interval
CISCO_XLATE_TYPE static|dynamic
# ASA-1-104001
CISCOFW104001 \((?:Primary|Secondary)\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}
# ASA-1-104002
CISCOFW104002 \((?:Primary|Secondary)\) Switching to STANDBY - %{GREEDYDATA:switch_reason}
# ASA-1-104003
CISCOFW104003 \((?:Primary|Secondary)\) Switching to FAILED\.
# ASA-1-104004

This file has been truncated. show original

but having a hard time getting it to play

Should I start with a catch all message of %{GREEDYDATA} or
^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}

Do you have an example logstash config that incorporates this setup?

I will keep trying to work this out

Badger · June 19, 2019, 1:25pm

I do not.

VamPikmin · June 20, 2019, 2:14am

Thank you anyway. I am making some progress slowly

system · July 18, 2019, 2:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.