Cisco ASA Patterns in Logstash 1.5.1

I have yet to get Logstash to parse Cisco ASA logs correctly. I have tried every tutorial I could find and I ALWAYS get _grokparsefailure. I stripped it all the way down and it seems to hate the patterns.

filter {
  grok {
    match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
  }

  # Extract fields from each of the detailed message types.
  # The patterns used below are included in the core of Logstash 1.4.2.
  grok {
    match => [
      "cisco_message", "%{CISCOFW106001}",
      "cisco_message", "%{CISCOFW106006_106007_106010}",
      "cisco_message", "%{CISCOFW106014}",
      "cisco_message", "%{CISCOFW106015}",
      "cisco_message", "%{CISCOFW106021}",
      "cisco_message", "%{CISCOFW106023}",
      "cisco_message", "%{CISCOFW106100}",
      "cisco_message", "%{CISCOFW110002}",
      "cisco_message", "%{CISCOFW302010}",
      "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
      "cisco_message", "%{CISCOFW302020_302021}",
      "cisco_message", "%{CISCOFW305011}",
      "cisco_message", "%{CISCOFW313001_313004_313008}",
      "cisco_message", "%{CISCOFW313005}",
      "cisco_message", "%{CISCOFW402117}",
      "cisco_message", "%{CISCOFW402119}",
      "cisco_message", "%{CISCOFW419001}",
      "cisco_message", "%{CISCOFW419002}",
      "cisco_message", "%{CISCOFW500004}",
      "cisco_message", "%{CISCOFW602303_602304}",
      "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",
      "cisco_message", "%{CISCOFW713172}",
      "cisco_message", "%{CISCOFW733100}"
    ]
  }
}

Did you ever get this sorted out? I have been struggling with this for a few weeks myself.

All the examples we find are for previous versions, with half of the filters being deprecated.

This is what I'm using for ASA parsing.

Our ASA logs look like:

2015-10-12T11:34:43-07:00 my-asa-ip %ASA-4-106023: Deny icmp src outside:x.x.x.x dst inside:x.x.x.x (type 8, code 0) by access-group "outside_access_in" [0xe7113be6, 0x0]

We receive the syslogs from syslog-ng and write them to a log file on the system. We then have Logstash monitor the file with a file input:

syslog-ng.conf:

options {
        flush_lines (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
        ts_format(iso);
        stats(0);
};

source s_net_dev {
        udp(ip(0.0.0.0) port(2514) flags(no-hostname));
        tcp(ip(0.0.0.0) port(2514) flags(no-hostname));
};

destination d_net_dev { file("/var/log/network.log" owner("root") group("root") perm(0644)); };

log { source(s_net_dev); destination(d_net_dev); };

asa-filter.conf:

filter {
  if "fw-cisco" in [tags] {

    mutate { remove_field => [ "host" ] }

    # Stage 1: split the syslog-ng line into timestamp, host, ASA tag and the message body
    grok {
      patterns_dir => "/etc/logstash/patterns.d/"
      match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{IP:host} %%{CISCOTAG:cisco_tag}: %{GREEDYDATA:cisco_message}"]
    }

    mutate { remove_field => [ "message" ] }
    mutate { gsub => [ "cisco_message", '"', "" ] }

    # Stage 2: match the Cisco message patterns.
    # This grok belongs inside the "fw-cisco" conditional; otherwise it runs against
    # every event and tags all non-ASA events with _grokparsefailure.
    grok {
      patterns_dir => "/etc/logstash/patterns.d/"
      match => [
        "cisco_message", "%{CISCOFW106001}",
        "cisco_message", "%{CISCOFW106006_106007_106010}",
        "cisco_message", "%{CISCOFW106014}",
        "cisco_message", "%{CISCOFW106015}",
        "cisco_message", "%{CISCOFW106021}",
        "cisco_message", "%{CISCOFW106023}",
        "cisco_message", "%{CISCOFW106100}",
        "cisco_message", "%{CISCOFW110002}",
        "cisco_message", "%{CISCOFW302010}",
        "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
        "cisco_message", "%{CISCOFW302020_302021}",
        "cisco_message", "%{CISCOFW305011}",
        "cisco_message", "%{CISCOFW313001_313004_313008}",
        "cisco_message", "%{CISCOFW313005}",
        "cisco_message", "%{CISCOFW402117}",
        "cisco_message", "%{CISCOFW402119}",
        "cisco_message", "%{CISCOFW419001}",
        "cisco_message", "%{CISCOFW419002}",
        "cisco_message", "%{CISCOFW500004}",
        "cisco_message", "%{CISCOFW602303_602304}",
        "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",
        "cisco_message", "%{CISCOFW713172}",
        "cisco_message", "%{CISCOFW733100}",
        "cisco_message", "Built local-host %{WORD}:%{IP}"
      ]
    }
  }
...

The grok patterns are here: http://pastebin.com/1bx5s5Gp

I've been struggling with this for a while also. At last I made it work, and wrote an article to share it with the world:

http://ict.renevdmark.nl/2015/10/22/cisco-asa-alerts-and-kibana/

Hope it helps you!

It took 4 months but that was the answer!! I'm at the point where I don't even care what's different - I'm just thrilled it's working.

Can you share your config input, filter and output @DavidSims please? I'm lost here and need help.

I followed http://ict.renevdmark.nl/2015/10/22/cisco-asa-alerts-and-kibana/ from above. There is nothing special about the input, but I start my filter with:

filter {
  if [type] == "syslog" {
    if "%ASA-" in [message] {
      grok { copy and pasted the grok section }

Do you use one single config file? Because I have 3 config files.

30-elasticsearch-output.conf

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

10-syslog-filter.conf

filter {
  if [type] == "syslog" {
    grok {
      # The square brackets around the PID must be escaped, otherwise grok reads them as a character class
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

02-beats-input.conf

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

Need a little help.

No, I have multiple. These three are related to the ASA logs.

01-inputs.conf
02-syslog.conf
99-outputs.conf

There is nothing special in inputs or outputs.

David

@DavidSims, the truth is that you will get grok failures. There are thousands of log types from the Cisco ASA. Just log the grok failures somewhere where you can look up the important ones and add them to your patterns file using "patterns_dir".
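The two-stage parse from the asa-filter.conf post (a header grok, then a per-message-ID grok) and the triage advice in the last reply can be checked offline without running Logstash. The script below is an added example, not code from this thread or from Logstash: it emulates both grok stages with equivalent Python regexes (simplified stand-ins for TIMESTAMP_ISO8601, IP, CISCOTAG, CISCOFW106023 and the 302013 half of CISCOFW302013_302014_302015_302016; the real grok definitions are broader), tags events the way grok would with _grokparsefailure, and then counts the failures by ASA message ID so you can see which patterns are still missing from patterns_dir. The sample log lines are constructed with documentation addresses; the policy_id group accepts the access-group name with or without quotes, since the thread's gsub strips the quotes before the second grok runs.

```python
import re
from collections import Counter

# Stage 1: regex equivalent of the thread's header grok
#   %{TIMESTAMP_ISO8601:timestamp} %{IP:host} %%{CISCOTAG:cisco_tag}: %{GREEDYDATA:cisco_message}
# Assumption: simplified ISO8601 (no fractional seconds), IPv4 only, ASA/PIX/FWSM tags only.
STAGE1 = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)?) "
    r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}) "
    r"%(?P<cisco_tag>(?:ASA|PIX|FWSM)-\d-\d{6}): "
    r"(?P<cisco_message>.*)$"
)

# Stage 2: per-message-ID patterns, keyed by the numeric message ID from the tag.
# Constructed here after the shape of the stock CISCOFW106023 / CISCOFW302013 patterns.
MESSAGE_PATTERNS = {
    "106023": re.compile(
        r"^Deny (?P<protocol>\w+) src (?P<src_interface>[^:]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))?"
        r" dst (?P<dst_interface>[^:]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
        r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
        r' by access-group "?(?P<policy_id>[^"\s]+)"?'
        r" \[(?P<hashcode1>0x[0-9a-f]+), (?P<hashcode2>0x[0-9a-f]+)\]$"
    ),
    "302013": re.compile(
        r"^Built (?P<direction>inbound|outbound) TCP connection (?P<connection_id>\d+) for "
        r"(?P<src_interface>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
        r" \((?P<src_mapped_ip>[\d.]+)/(?P<src_mapped_port>\d+)\) to "
        r"(?P<dst_interface>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
        r" \((?P<dst_mapped_ip>[\d.]+)/(?P<dst_mapped_port>\d+)\)$"
    ),
}

# Constructed sample lines in the syslog-ng ISO format shown in the thread.
# Line 3 has no stage-2 pattern (302014) and line 5 has a non-ISO timestamp.
SAMPLE_LINES = [
    '2015-10-12T11:34:43-07:00 192.0.2.1 %ASA-4-106023: Deny icmp src outside:198.51.100.7 '
    'dst inside:192.0.2.20 (type 8, code 0) by access-group "outside_access_in" [0xe7113be6, 0x0]',
    '2015-10-12T11:34:44-07:00 192.0.2.1 %ASA-6-302013: Built outbound TCP connection 12345 for '
    'outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.20/51234 (198.51.100.2/51234)',
    '2015-10-12T11:34:45-07:00 192.0.2.1 %ASA-6-302014: Teardown TCP connection 12345 for '
    'outside:203.0.113.5/443 to inside:192.0.2.20/51234 duration 0:00:01 bytes 4321 TCP FINs',
    '2015-10-12T11:34:46-07:00 192.0.2.1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 '
    'dst inside:192.0.2.20/22 by access-group "outside_access_in" [0x0, 0x0]',
    'Oct 12 11:34:47 192.0.2.1 %ASA-6-302013: Built outbound TCP connection 1 for a:b/1 (c/1) to d:e/1 (f/1)',
]


def parse_asa_line(line):
    """Emulate the two grok filters: return an event dict with extracted fields and tags.

    Like grok, a failed match leaves earlier fields in place and adds _grokparsefailure.
    """
    event = {"message": line, "tags": []}
    header = STAGE1.match(line)
    if header is None:
        event["tags"].append("_grokparsefailure")
        return event
    event.update(header.groupdict())

    msg_id = event["cisco_tag"].rsplit("-", 1)[1]
    pattern = MESSAGE_PATTERNS.get(msg_id)
    body = pattern.match(event["cisco_message"]) if pattern else None
    if body is None:
        event["tags"].append("_grokparsefailure")
    else:
        # Drop optional groups that did not participate (e.g. icmp_type on a TCP deny)
        event.update({k: v for k, v in body.groupdict().items() if v is not None})
    return event


def failures_by_message_id(events):
    """Count _grokparsefailure events per ASA tag: the list of patterns still to write."""
    counts = Counter()
    for event in events:
        if "_grokparsefailure" in event["tags"]:
            counts[event.get("cisco_tag", "unparsed-header")] += 1
    return counts


if __name__ == "__main__":
    parsed = [parse_asa_line(line) for line in SAMPLE_LINES]
    for tag, n in failures_by_message_id(parsed).most_common():
        print(f"{n:5d}  {tag}")
```

Run against a real file of lines that carry the _grokparsefailure tag, the same counting gives you the message IDs worth a pattern first; an "unparsed-header" bucket means the stage-1 header pattern, not the message patterns, is what needs fixing.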