Elasticsearch mappings for ASA

I am new to using the Elastic stack. What is most important to me is to collect firewall logs from an ASA. One of the challenges is that I cannot search for networks in the logs because the IP addresses are mapped to a text field.

{
  "logstash-2019.12.05" : {
    "mappings" : {
      "dst_ip" : {
        "full_name" : "dst_ip",
        "mapping" : {
          "dst_ip" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }
        }
      }
    }
  }
}

What I think I want it to be

"dst_ip": {
  "type": "ip"
},

I get an error when I try to install the template. I have to add the template in a separate post because I am exceeding the character limit.

PUT _template/asa_firewall_template
{
  "error": {
    "root_cause": [
      {
        "type": "parse_exception",
        "reason": "request body is required"
      }
    ],
    "type": "parse_exception",
    "reason": "request body is required"
  },
  "status": 400
}

What am I doing wrong and how do I fix this?

Thanks in advance.

Template can be found at:

Welcome!

Make sure you are running:

PUT _template/asa_firewall_template
{
  //...
}

And not:

PUT _template/asa_firewall_template

{
  //...
}

Thanks for your help. I get an error.

https://pastebin.com/DiN4JntH

I tried from the CLI too, but got the same error as above.

# curl -XPUT http://localhost:9200/_template/asa_firewall_template?pretty -H 'Content-Type: application/json' -d @asa_firewall_template.json

I'd start by removing the "_default_" key.
Have a look at the documentation about the template API. There are some examples.

Thanks again for your help.

I have tried that, but still get the same error

PUT _template/asa_firewall_template
{
  "template" : "asa-firewall*",
  "version" : 50001,
  "settings" : {
    "index.refresh_interval" : "5s"
  },
  "mappings" : {
    "asa_template" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        }
      },
//....

I have also tried loading the index and a few mappings separately and it works this far.

PUT /asa-firewall

and then

PUT /asa-firewall/_mapping
{
  "properties" : {
    "@timestamp" : {
      "type" : "date"
    }
  }
}

And

PUT /asa-firewall/_mapping
{
  "properties" : {
    "err_icmp_code" : {
      "type" : "text",
      "fields" : {
        "keyword" : {
          "type" : "keyword",
          "ignore_above" : 256
        }
      }
    }
  }
}

This is working thus far

GET asa-firewall/_mapping
{
  "asa-firewall" : {
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "err_icmp_code" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        }
      }
    }
  }
}

I think you need to remove "asa_template". There's no type name to set any more in 7.x.

Tried it, same error.

I also tried just placing the mappings to the index.

Mappings:
https://pastebin.com/vm0K2pTt

But I get the following error.
https://pastebin.com/fU3GyhyY

I got it working!

All I can say is that format is a killer and one must use a JSON validator with a good editor that can match brackets; I used Vim. And even if it is valid JSON, it still may not be valid for Elastic. This was the case for me.

When I removed "_default_" I removed the wrong closing bracket.

Here is the revised template.

Thanks dadoonet for the help.
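A complete 7.x-style template body for the ASA indices, together with the CIDR search that the "ip" field type enables, as an added example that is not part of this thread or Elastic's own code. It applies dadoonet's two points above (no "_default_", no type name wrapper under "mappings"), uses "index_patterns" (which replaced the older "template" key in 6.x), and builds the body with json.dumps so an unbalanced bracket or a stray blank line before the body cannot creep in. The src_ip field, the hypothetical lint_template helper and the sample documents are assumptions added for illustration; @timestamp, dst_ip and err_icmp_code are the fields from the thread.

```python
import ipaddress
import json

# Legacy (7.x, _template API) index template for the ASA indices.
# Field names @timestamp, dst_ip and err_icmp_code come from the thread;
# src_ip is an assumed extra field. Compared with the attempts in the thread:
#   - "index_patterns" replaces the pre-6.x "template" key
#   - no "_default_" mapping and no type name wrapper under "mappings"
#   - address fields are typed "ip" so CIDR searches work
ASA_FIREWALL_TEMPLATE = {
    "index_patterns": ["asa-firewall*"],
    "version": 50001,
    "settings": {"index.refresh_interval": "5s"},
    "mappings": {
        "properties": {
            "@timestamp": {"type": "date"},
            "src_ip": {"type": "ip"},
            "dst_ip": {"type": "ip"},
            "err_icmp_code": {
                "type": "text",
                "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
            },
        }
    },
}

# The shape the thread started from: old "template" key plus a type name
# ("asa_template") wrapping "properties", which 7.x no longer accepts.
BROKEN_TEMPLATE = {
    "template": "asa-firewall*",
    "mappings": {"asa_template": {"properties": {"@timestamp": {"type": "date"}}}},
}

# Keys allowed directly under a typeless (7.x) "mappings" object.
ALLOWED_MAPPING_KEYS = {
    "properties", "dynamic", "dynamic_templates", "dynamic_date_formats",
    "date_detection", "numeric_detection", "_source", "_meta", "_routing", "_field_names",
}


def lint_template(template):
    """Hypothetical pre-flight check: list problems 7.x would reject the template for."""
    problems = []
    if "template" in template:
        problems.append('pre-6.x "template" key: use "index_patterns": ["asa-firewall*"]')
    if not isinstance(template.get("index_patterns"), list):
        problems.append('"index_patterns" must be a list of index name patterns')
    wrappers = [k for k in template.get("mappings", {}) if k not in ALLOWED_MAPPING_KEYS]
    if wrappers:
        problems.append(
            f"7.x mappings are typeless: remove wrapper(s) {wrappers} "
            'and put "properties" directly under "mappings"'
        )
    return problems


def request_body(template):
    """Serialise the template; json.dumps cannot produce an unbalanced bracket."""
    return json.dumps(template, indent=2)


def cidr_query(field, cidr):
    """Term query on an ip-typed field; Elasticsearch accepts CIDR notation here."""
    ipaddress.ip_network(cidr)  # fail fast on a malformed network
    return {"query": {"term": {field: cidr}}}


# Constructed sample documents, not real ASA log lines.
SAMPLE_DOCS = [
    {"@timestamp": "2019-12-05T10:00:00Z", "src_ip": "192.0.2.10", "dst_ip": "10.1.2.3"},
    {"@timestamp": "2019-12-05T10:00:01Z", "src_ip": "192.0.2.11", "dst_ip": "203.0.113.7"},
    {"@timestamp": "2019-12-05T10:00:02Z", "src_ip": "198.51.100.4", "dst_ip": "10.200.0.9"},
]


def local_cidr_match(docs, field, cidr):
    """Offline stand-in for the term query: docs whose field lies inside cidr."""
    net = ipaddress.ip_network(cidr)
    return [d for d in docs if ipaddress.ip_address(d[field]) in net]


if __name__ == "__main__":
    for problem in lint_template(BROKEN_TEMPLATE):
        print("broken template:", problem)
    assert not lint_template(ASA_FIREWALL_TEMPLATE)
    # Body for: PUT _template/asa_firewall_template  (or curl ... -d @file.json)
    print(request_body(ASA_FIREWALL_TEMPLATE))
    # Body for: GET asa-firewall*/_search
    print(json.dumps(cidr_query("dst_ip", "10.0.0.0/8")))
    print([d["dst_ip"] for d in local_cidr_match(SAMPLE_DOCS, "dst_ip", "10.0.0.0/8")])
```

Write request_body(ASA_FIREWALL_TEMPLATE) to a file and send it with the curl command from earlier in the thread, or paste it into the console directly under the PUT line with no blank line in between. Once the index is created from this template, a term query with a CIDR value on dst_ip or src_ip returns the documents in that network, which is the search the text mapping could not do.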