Elasticsearch mappings for ASA

I am new to using the Elastic stack. What is most important to me is to collect firewall logs from an ASA. One of the challenges is that I cannot search for networks in the logs because the IP addresses are mapped to a text field.

{
  "logstash-2019.12.05" : {
    "mappings" : {
      "dst_ip" : {
        "full_name" : "dst_ip",
        "mapping" : {
          "dst_ip" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }
        }
      }
    }
  }
}

What I think I want it to be:

 },
      "dst_ip": {
        "type": "ip"
      },

I get an error when I try to install the template. I have to add the template in a separate post because I am exceeding the amount of characters allowed.

PUT _template/asa_firewall_template
{
  "error": {
    "root_cause": [
      {
        "type": "parse_exception",
        "reason": "request body is required"
      }
    ],
    "type": "parse_exception",
    "reason": "request body is required"
  },
  "status": 400
}

What am I doing wrong and how do I fix this?

Thanks in advance.

Template can be found at:

Welcome!

Make sure you are running:

PUT _template/asa_firewall_template
{
  //...
}

And not:

PUT _template/asa_firewall_template

{
  //...
}

Thanks for your help. I get an error.

https://pastebin.com/DiN4JntH

I tried from the CLI too, but get the same error as above.

# curl -XPUT http://localhost:9200/_template/asa_firewall_template?pretty -H 'Content-Type: application/json' -d @asa_firewall_template.json

I'd start by removing the "_default_" key.
Have a look at the documentation about the template API. There are some examples.

Thanks again for your help.

I have tried that, but still get the same error.

PUT _template/asa_firewall_template
{
  "template" : "asa-firewall*",
  "version" : 50001,
  "settings" : {
    "index.refresh_interval" : "5s"
  },
  "mappings" : {
    "asa_template" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        }
      },
//....

I have also tried loading the index and a few mappings separately and it works this far.

PUT /asa-firewall

and then

PUT /asa-firewall/_mapping
{
  "properties" : {
    "@timestamp" : {
      "type" : "date"
    }
  }
}

And

PUT /asa-firewall/_mapping
{
  "properties" : {
    "err_icmp_code" : {
      "type" : "text",
      "fields" : {
        "keyword" : {
          "type" : "keyword",
          "ignore_above" : 256
        }
      }
    }
  }
}

This is working thus far:

GET asa-firewall/_mapping
{
  "asa-firewall" : {
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "err_icmp_code" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        }
      }
    }
  }
}

I think you need to remove "asa_template". There is no type name to set any more in 7.x.

Tried it, same error.

I also tried just placing the mappings to the index.

Mappings:
https://pastebin.com/vm0K2pTt

But I get the following error.
https://pastebin.com/fU3GyhyY

I got it working!

All I can say is that the format is a killer, and one must use a JSON validator with a good editor that can match brackets; I used Vim. And even if it is valid, it still may not be valid for Elastic. This was the case for me.

When I removed "default", I removed the wrong closing bracket.

Here is the revised template.

Thanks dadoonet for the help.
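The fixes this thread converges on (validate the JSON before loading it, drop the 6.x mapping type wrapper such as "_default_" or "asa_template", use 7.x template keys, and map the address fields as `ip` so network searches work) as an added Python example; this is not code from the thread or from Elastic, and the sample template and the `*_ip` field-name convention are assumptions:

```python
"""Added example (not from the thread): normalise a legacy ASA index template so it
loads on Elasticsearch 7.x and maps address fields as `ip` (CIDR-searchable)."""
import copy
import json
from typing import Any, Dict, Tuple

# Constructed sample in the shape the OP posted: 6.x "template" key and a mapping
# type wrapper ("asa_template"), which 7.x rejects; IP fields mapped as text.
KW = {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}
LEGACY_TEMPLATE = json.dumps({
    "template": "asa-firewall*",
    "version": 50001,
    "settings": {"index.refresh_interval": "5s"},
    "mappings": {"asa_template": {"properties": {
        "@timestamp": {"type": "date"},
        "src_ip": KW, "dst_ip": KW, "err_icmp_code": KW,
    }}},
}, indent=2)


def check_json(text: str) -> Tuple[bool, str]:
    """Syntax check first: a mismatched bracket is reported with its line/column."""
    try:
        json.loads(text)
        return True, "valid JSON"
    except json.JSONDecodeError as e:
        return False, f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}"


def to_7x(template: Dict[str, Any], ip_suffix: str = "_ip") -> Dict[str, Any]:
    """Return a 7.x-compatible copy: index_patterns instead of template, no mapping
    type name (e.g. _default_ or asa_template), *_ip fields typed as ip."""
    out = copy.deepcopy(template)
    if "template" in out:
        out["index_patterns"] = [out.pop("template")]
    mappings = out.get("mappings", {})
    # A single key that is not "properties" is a 6.x type wrapper: unwrap it.
    if len(mappings) == 1 and "properties" not in mappings:
        mappings = next(iter(mappings.values()))
    props = mappings.setdefault("properties", {})
    for name in list(props):  # assumption: address fields end in ip_suffix
        if name.endswith(ip_suffix):
            props[name] = {"type": "ip"}
    out["mappings"] = mappings
    return out


def render_put(name: str, template: Dict[str, Any]) -> str:
    """Dev Tools request with the body directly under the PUT line (no blank line)."""
    return f"PUT _template/{name}\n{json.dumps(template, indent=2)}"
```

Run `check_json` on the file before anything else; a stray or missing closing bracket (the OP's final cause) is reported with a position instead of a generic parse error.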
