This should be more obvious but I've spent hours searching and it's not. I just want to understand the best way(s) to get ASA logs to my internal logstash server and on to my AWS S3 output bucket.
Ingesting Cisco ASA firewall logs. I want to know the pros and cons of the two ways to ingest them. Please let me know if any of this is wrong, and any suggestions?
Method 1) Logstash listener with grok statements, à la Cisco Log Processing.
Pros: Uses the Cisco grok patterns that ship with Logstash.
Question: Does this then mean the log is output in ECS format?
Cons: None of the nice Filebeat benefits like throttling. If it doesn't output in ECS, that is a big con.
Cons: The built-in grok patterns do not cover EVERY Cisco message ID. If a log comes in with a different ID not in the list, it is dropped.
Method 2) Filebeat with Cisco Module, output to TCP port that logstash listens to.
Pros: Filebeat benefits (rate throttling, etc.). Outputs in ECS. Covers ALL Cisco logs.
Cons: An extra config to manage.
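An added example, not part of the original post or of Logstash/Filebeat: a small Python normaliser that mirrors the parse step a grok or Filebeat pipeline performs on ASA syslog, emitting ECS field names and keeping (tagged, not dropped) any message whose ID has no dedicated pattern, which is the failure mode Method 1 raises. The regexes, sample lines and field choices are my own, and the input is assumed to have already had its syslog priority/timestamp header stripped.

```python
import re

# Added example, not from the original post: mirrors the grok / Filebeat parse step
# for Cisco ASA syslog, with ECS-style (flat, dotted) field names. Assumes the syslog
# <pri>/timestamp header has already been stripped, leaving "%ASA-sev-id: text".
PREAMBLE = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")

# Per-ID body patterns, hand-written here in the spirit of the CISCOFW* grok patterns.
# Only two IDs are covered on purpose so a third one exercises the "no pattern" path.
PATTERNS = {
    "302013": ("connection-built", re.compile(
        r"Built (?:inbound|outbound) (?P<proto>\w+) connection \d+ for "
        r"\w+:(?P<sip>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
        r"\w+:(?P<dip>[\d.]+)/(?P<dport>\d+)")),
    "106023": ("deny", re.compile(
        r"Deny (?P<proto>\w+) src \w+:(?P<sip>[\d.]+)/(?P<sport>\d+) "
        r"dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\"")),
}

# Constructed sample lines (not captured from a real device).
SAMPLES = [
    "%ASA-6-302013: Built inbound TCP connection 11 for outside:10.0.0.1/1234 "
    "(10.0.0.1/1234) to inside:192.168.1.10/80 (192.168.1.10/80)",
    "%ASA-4-106023: Deny tcp src outside:10.0.0.5/5555 dst inside:192.168.1.20/22 "
    "by access-group \"outside_access_in\" [0x0, 0x0]",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 192.168.1.5, executed 'show run'",
]

def normalise(line: str) -> dict:
    """Return an ECS-style event. An unknown message ID is kept and tagged,
    not dropped, so nothing silently disappears before it reaches S3."""
    m = PREAMBLE.match(line)
    if m is None:
        return {"message": line, "tags": ["_preamble_parse_failure"]}
    event = {"event.code": m["id"], "log.syslog.severity.code": int(m["sev"]),
             "message": m["text"], "observer.vendor": "Cisco", "observer.product": "ASA"}
    known = PATTERNS.get(m["id"])
    if known is None:
        event["tags"] = ["_unknown_message_id"]  # the "dropped" case in Method 1
        return event
    action, body = known
    b = body.match(m["text"])
    if b is None:
        event["tags"] = ["_grokparsefailure"]   # ID known, but the body did not match
        return event
    event.update({"event.action": action, "network.transport": b["proto"].lower(),
                  "source.ip": b["sip"], "source.port": int(b["sport"]),
                  "destination.ip": b["dip"], "destination.port": int(b["dport"])})
    if "acl" in b.groupdict():
        event["rule.name"] = b["acl"]
    return event
```

Run `normalise` over `SAMPLES`: the first two come out with ECS source/destination fields, the third keeps its raw text under `message` with the `_unknown_message_id` tag, which is the property to check for in whichever pipeline you pick.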