Elastic common schema for Cisco ASA

Elie_Sbat · May 26, 2022, 3:41pm

Hello Gents,

I am using ELK stack v8 and I am integrating Cisco ASA syslog directly to logstash and then Elasticsearch database. I have noticed from the data view that I miss some field type (i.e: geo_point). how can i make Elasticsearch learn Cisco ASA ECS to be rich with fields from all type and this must happen without filebeat integration, due to design restriction in my environment.

Thus, the traffic is flowing CISCO ASA -> Logstash -> Elasticsearch.

note, parsing is done on logstash filter.

Any suggestion on how to let elastic learn the ASA schema ?

Thanks in advance,
Elie

Rios · May 27, 2022, 8:31am

You have to add geo_ip plugin and do geo_ip mapping. Check link

Elie_Sbat · May 31, 2022, 9:49am

Hello,

I just linked the datastream to a predefined index template.

Elie_Sbat · June 6, 2022, 6:47am

Hello Rios,

Actually I tried to use your method but the user does have sufficient privilege to execute the command, I am using super user right. What privilege is needed ?

b

system · July 4, 2022, 6:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.