Hello,
I'm quite new to Elasticsearch / ELK Stack and ran into a problem with monitoring my log files from a Cisco ASA 5520.
The problem seems to be the log file format of my ASA, and therefore they don't get parsed correctly.
My ASA is sending the logs in a format like this:
Mar 18 16:54:47 10.0.0.1 %ASA-2-106001: Inbound TCP connection denied from 185.172.148.132/443 to 10.0.0.10/4535 flags RST on interface OUTSIDE
Mar 18 16:55:14 10.0.0.1 %ASA-3-106014: Deny inbound icmp src OUTSIDE:195.14.215.17 dst INSIDE:10.0.0.10 (type 3, code 0)
From what I saw during my investigations into why log parsing doesn't work, this seems to be the problem, since it seems the parser expects the log formatted like this:
<xxx>Mar 18 16:54:47 10.0.0.1 %ASA-2-106001: Inbound TCP connection denied from 185.172.148.132/443 to 10.0.0.10/4535 flags RST on interface OUTSIDE
<xxx>Mar 18 16:55:14 10.0.0.1 %ASA-3-106014: Deny inbound icmp src OUTSIDE:195.14.215.17 dst INSIDE:10.0.0.10 (type 3, code 0)
where xxx is a 3-digit number.
After trying to figure out how to get the right log format from the ASA, I am now at a point where I have run out of ideas.
So any help / advice would be appreciated.
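The difference between the two formats above is the syslog priority header `<PRI>` (PRI = facility * 8 + severity, per RFC 3164). As an added illustration that is not the poster's code nor part of any ELK module, the snippet below parses both shapes of ASA line and, when the header is missing, reconstructs one from the severity carried in the `%ASA-n-nnnnnn` tag; the facility value 20 (local4) and the `<163>` sample line are assumptions constructed for the example.

```python
import re

# Constructed sample lines: the two shapes from the post, a raw ASA line without a
# syslog <PRI> header and one that already carries <163> (local4 * 8 + severity 3).
SAMPLE_LINES = [
    "Mar 18 16:54:47 10.0.0.1 %ASA-2-106001: Inbound TCP connection denied "
    "from 185.172.148.132/443 to 10.0.0.10/4535 flags RST on interface OUTSIDE",
    "<163>Mar 18 16:55:14 10.0.0.1 %ASA-3-106014: Deny inbound icmp "
    "src OUTSIDE:195.14.215.17 dst INSIDE:10.0.0.10 (type 3, code 0)",
]

# Optional <PRI>, BSD timestamp, source host, then %ASA-<severity>-<message id>: text
ASA_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"%ASA-(?P<severity>[0-7])-(?P<msgid>\d{6}): "
    r"(?P<message>.*)$"
)

def parse_asa_line(line):
    """Return a dict of fields for one ASA line, or None if it does not match."""
    m = ASA_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    pri = fields.pop("pri")
    # RFC 3164: PRI = facility * 8 + severity; both are None when the header is absent
    fields["syslog_facility"] = None if pri is None else int(pri) // 8
    fields["syslog_severity"] = None if pri is None else int(pri) % 8
    return fields

def add_pri_header(line, facility=20):
    """Prepend <PRI> to a header-less ASA line; lines that already carry one are
    returned unchanged. facility=20 (local4) is an assumed default, not a value
    taken from the post."""
    fields = parse_asa_line(line)
    if fields is None:
        raise ValueError("not an ASA syslog line: %r" % line)
    if fields["syslog_facility"] is not None:
        return line
    # ASA severity levels 0-7 are the syslog severity levels, so reuse them.
    return "<%d>%s" % (facility * 8 + fields["severity"], line)

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_asa_line(sample))
        print(add_pri_header(sample))
```

Running it prints the parsed fields for both samples and shows the first line rewritten with a `<162>` header, the value the parser in the post would accept.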