Elastic common schema for Cisco ASA

Elie_Sbat · May 26, 2022, 3:41pm

Hello Gents,

I am using ELK stack v8 and I am integrating Cisco ASA syslog directly to logstash and then Elasticsearch database. I have noticed from the data view that I miss some field type (i.e: geo_point). how can i make Elasticsearch learn Cisco ASA ECS to be rich with fields from all type and this must happen without filebeat integration, due to design restriction in my environment.

Thus, the traffic is flowing CISCO ASA -> Logstash -> Elasticsearch.

note, parsing is done on logstash filter.

Any suggestion on how to let elastic learn the ASA schema ?

Thanks in advance,
Elie

Rios · May 27, 2022, 8:31am

You have to add geo_ip plugin and do geo_ip mapping. Check link

Elie_Sbat · May 31, 2022, 9:49am

Hello,

I just linked the datastream to a predefined index template.

Elie_Sbat · June 6, 2022, 6:47am

Hello Rios,

Actually I tried to use your method but the user does have sufficient privilege to execute the command, I am using super user right. What privilege is needed ?

b

system · July 4, 2022, 6:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic Common Schema Implementation Elasticsearch ecs-elastic-common-schema	5	2813	March 14, 2019
Syslog Cisco ASA Elasticsearch	3	3020	March 18, 2017
Logstash Patterns - Firewalls - Best Place to Find it Logstash	5	2729	August 13, 2020
Index ASA logs Logstash	7	1957	July 6, 2017
Cisco ASA Logging to Elastic Stack Elasticsearch	4	2901	May 1, 2020

Elastic common schema for Cisco ASA

Related topics