Cisco ASA syslog parsing

Mohammed_Imran · March 29, 2019, 4:21am

I new to ELK, I am trying to parse cisco ASA syslogs. I am using default patterns of Cisco logs from this plugin from here

github.com

logstash-plugins/logstash-patterns-core/blob/master/patterns/firewalls

# NetScreen firewall logs
NETSCREENSESSIONLOG %{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}

#== Cisco ASA ==
CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
# Common Particles
CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted
CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
CISCO_DIRECTION Inbound|inbound|Outbound|outbound
CISCO_INTERVAL first hit|%{INT}-second interval
CISCO_XLATE_TYPE static|dynamic
# ASA-1-104001
CISCOFW104001 \((?:Primary|Secondary)\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}
# ASA-1-104002
CISCOFW104002 \((?:Primary|Secondary)\) Switching to STANDBY - %{GREEDYDATA:switch_reason}
# ASA-1-104003
CISCOFW104003 \((?:Primary|Secondary)\) Switching to FAILED\.
# ASA-1-104004

This file has been truncated. show original

I also see proper output in logstash

{
"src_interface" => "outside",
"src_port" => "47148",
"@timestamp" => 2019-03-29T04:00:34.368Z,
"protocol" => "UDP",
"type" => "syslog",
"@version" => "1",
"host" => "60.1.1.1",
"reason" => "Failed to locate egress interface",
"dst_ip" => "202.12.27.33",
"dst_port" => "53",
"message" => "<166>Mar 29 2019 15:00:33 ciscoasa : %ASA-6-110002: Failed to locate egress interface for UDP from outside:50.1.1.2/47148 to 202.12.27.33/53\n",
"src_ip" => "50.1.1.2"
}

But I keep getting this error

[WARN ] 2019-03-29 15:01:13.757 [[main]>worker0] elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-asalogs-2019.03.29", :_type=>"doc", :routing=>nil}, #LogStash::Event:0x2a023fa3], :response=>{"index"=>{"_index"=>"logstash-asalogs-2019.03.29", "_type"=>"doc", "_id"=>"Zhybx2kB4sJ2xTwf2iYM", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"Rejecting mapping update to [logstash-asalogs-2019.03.29] as the final mapping would have more than 1 type: [cisco-fw, doc]"}}}}

I know the reason of this error message, The type is removed from 6.0 and I am using 6.6. But I am not sure how to solve this issue.

Here is my logstash config

input {
udp {
port => 1514
type => syslog
}
}

filter {
date {
match => ["timestamp",
"MMM dd HH:mm:ss",
"MMM d HH:mm:ss",
"MMM dd yyyy HH:mm:ss",
"MMM d yyyy HH:mm:ss"
]
timezone => "America/New_York"
}
if "_grokparsefailure" not in [tags] {
mutate {
rename => ["cisco_message", "message"]
remove_field => ["timestamp"]
}
}

syslog_pri { }

grok {
  match => [
    "message", "%{CISCOFW106001}",
    "message", "%{CISCOFW106006_106007_106010}",
    "message", "%{CISCOFW106014}",
    "message", "%{CISCOFW106015}",
    "message", "%{CISCOFW106021}",
    "message", "%{CISCOFW106023}",
    "message", "%{CISCOFW106100}",
    "message", "%{CISCOFW110002}",
    "message", "%{CISCOFW302010}",
    "message", "%{CISCOFW302013_302014_302015_302016}",
    "message", "%{CISCOFW302020_302021}",
    "message", "%{CISCOFW305011}",
    "message", "%{CISCOFW313001_313004_313008}",
    "message", "%{CISCOFW313005}",
    "message", "%{CISCOFW402117}",
    "message", "%{CISCOFW402119}",
    "message", "%{CISCOFW419001}",
    "message", "%{CISCOFW419002}",
    "message", "%{CISCOFW500004}",
    "message", "%{CISCOFW602303_602304}",
    "message", "%{CISCOFW710001_710002_710003_710005_710006}",
    "message", "%{CISCOFW713172}",
    "message", "%{CISCOFW733100}"
  ]
}

}

output {

stdout {
codec => rubydebug
}

elasticsearch {
hosts => ["localhost:9200"]
index => "logstash-asalogs-%{+YYYY.MM.dd}"
}
}

Appreciate any help on this issue.

spinscale · April 1, 2019, 7:46am

The log output contains a small clue. It seems you are trying to create a second type in an index. It seems there is already a type cisco-fw and the above configuration uses doc as the default type. You can try to add document_type => cisco-fw in the elasticsearch output.

For more information, see Elasticsearch output plugin | Logstash Reference [6.6] | Elastic (please take the time to read, as this is important for future upgrades)

Topic		Replies	Views
Cisco Log Processing Logstash	23	20267	May 1, 2017
Logstash CISCO ASA logs not parsing Logstash	5	1719	September 6, 2018
ASA Grok Failure ASA-4-113019 Logstash	2	515	June 8, 2020
Parsing syslogs from different Cisco devices to Logstash Logstash	3	2415	March 13, 2017
Logstash 2.0.0 and Cisco ASA syslog Logstash	5	4463	July 6, 2017

Cisco ASA syslog parsing

Related topics