Grok Filter Error (Cisco-ASA)


(Salma Ait Lhaj) #1

Hi,

Do you know why I'm getting this :

[root@frghcslnetv10 filebeat]# /usr/share/logstash/bin/logstash --config.reload.automatic --path.settings /etc/logstash -f /etc/logstash/conf.d/filtre-test.conf
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
{
    "@timestamp" => 2018-05-09T13:58:20.716Z,
        "offset" => 251,
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_grokparsefailure"
    ],
          "host" => "frghcslnetv10",
      "@version" => "1",
        "source" => "/tmp/test-file.log",
       "message" => "May 9 04:23:13 frghcfwint01m-fw-cloud-common.fr.ghc.local %ASA-6-302014: Teardown TCP connection 2866265026 for int-850-intercoCorporateIOC:10.153.64.10/42082 to int-2400-IOCProdInternalZonePrimary:10.154.1.93/80 duration 0:00:00 bytes 1298 TCP FINs",
          "beat" => {
        "hostname" => "frghcslnetv10",
         "version" => "6.2.4",
            "name" => "frghcslnetv10"
    },
    "prospector" => {
        "type" => "log"
    }
}


(Salma Ait Lhaj) #2

My file is :

input {
  beats {
    port => "5044"
  }
}

filter {
  # First pass: split the syslog header (timestamp, host, ASA tag) from the message body
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{CISCOTAG:cisco_tag}: %{GREEDYDATA:cisco_message}" }
  }

  # Second pass: try each CISCOFW pattern (from the firewalls pattern file) against the body
  grok {
    match => [
      "cisco_message", "%{CISCOFW106001}",
      "cisco_message", "%{CISCOFW106006_106007_106010}",
      "cisco_message", "%{CISCOFW106014}",
      "cisco_message", "%{CISCOFW106015}",
      "cisco_message", "%{CISCOFW106021}",
      "cisco_message", "%{CISCOFW106023}",
      "cisco_message", "%{CISCOFW106100}",
      "cisco_message", "%{CISCOFW110002}",
      "cisco_message", "%{CISCOFW302010}",
      "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
      "cisco_message", "%{CISCOFW302020_302021}",
      "cisco_message", "%{CISCOFW305011}",
      "cisco_message", "%{CISCOFW313001_313004_313008}",
      "cisco_message", "%{CISCOFW313005}",
      "cisco_message", "%{CISCOFW402117}",
      "cisco_message", "%{CISCOFW402119}",
      "cisco_message", "%{CISCOFW419001}",
      "cisco_message", "%{CISCOFW419002}",
      "cisco_message", "%{CISCOFW500004}",
      "cisco_message", "%{CISCOFW602303_602304}",
      "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",
      "cisco_message", "%{CISCOFW713172}",
      "cisco_message", "%{CISCOFW733100}",
      # The four patterns below were cut off at the terminal width in the paste (the trailing "$" marks the cut)
      "cisco_message", "%{WORD:action} %{WORD:protocol} %{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}$
      "cisco_message", "%{CISCO_ACTION:action} %{WORD:protocol} %{CISCO_REASON:reason}.*(%{IP:src_ip}).*%{IP:dst_ip} on interface %{GREEDYDATA:interface}",
      "cisco_message", "Connection limit exceeded %{INT:inuse_connections}/%{INT:connection_limit} for input packet from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:$
      "cisco_message", "TCP Intercept %{DATA:threat_detection} to %{IP:ext_nat_ip}/%{INT:ext_nat_port}.*(%{IP:int_nat_ip}/%{INT:int_nat_port}).*Average rate of %{INT:syn_av$
      "cisco_message", "Embryonic connection limit exceeded %{INT:econns}/%{INT:limit} for %{WORD:direction} packet from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:$
    ]
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
  }
  stdout { codec => rubydebug }
}


#3

What is CISCOTAG? I can't see its definition.
Indeed, if you use the following grok pattern it will work (I replaced CISCOTAG with DATA):

"message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{DATA:cisco_tag}: %{GREEDYDATA:cisco_message}"


(Salma Ait Lhaj) #4

May 9 04:22:33 frghcfwint01m-fw-cloud-common.fr.ghc.local %ASA-6-302014: Teardown TCP connection 2866226913 for int-802-IntercoDMZCorp:x.x.x.x/47348 to int-2400-IOCProdInternalZonePrimary:x.x.x.x/10050 duration 0:00:00 bytes 0 TCP FINs

" %{CISCOTAG:cisco_tag}: " => " %ASA-6-302014: "


(Salma Ait Lhaj) #5

Thank you, it is working :)
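Editor's note on why the first pattern failed and the DATA one worked: CISCOTAG is defined in the firewalls pattern file that ships with Logstash, and it matches the tag without the leading percent sign (ASA-6-302014, not %ASA-6-302014). The usual way to write the header pattern is therefore `%%{CISCOTAG:cisco_tag}:`, a literal `%` followed by the pattern. The DATA workaround from #3 matches, but it keeps the `%` in the field and accepts anything up to the first `: `, so a non-ASA syslog line such as an sshd message will also "parse". The following script is an added example, not the poster's configuration or Logstash code: it emulates grok's `%{NAME:field}` expansion in Python with a handful of pattern definitions condensed from memory of the logstash-patterns-core files (check them against your installed copies), runs the three header variants over the log line from the thread, and then parses the teardown body with a simplified pattern of my own (not the library's CISCOFW302013_302014_302015_302016). The sample lines are constructed; the addresses are the ones posted in #1.

```python
import re

# Subset of grok pattern definitions, condensed from the logstash-patterns-core
# "grok-patterns" and "firewalls" files as I remember them (an assumption:
# verify against the files shipped with your Logstash version).
PATTERNS = {
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?"
             r"|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IPV4": r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]){3}"
            r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(?![0-9])",
    "IP": r"%{IPV4}",
    # No leading '%' here: the tag is "ASA-6-302014", the '%' is a literal in the log line.
    "CISCOTAG": r"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern: str) -> re.Pattern:
    """Recursively expand %{NAME} and %{NAME:field} into a Python regex.
    A '%' that is not followed by '{' (as in '%%{CISCOTAG}') stays a literal."""
    def expand(text: str) -> str:
        def repl(m: re.Match) -> str:
            name, field = m.group(1), m.group(2)
            inner = expand(PATTERNS[name])
            return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
        return GROK_REF.sub(repl, text)
    return re.compile(expand(pattern))


def grok_match(pattern: str, text: str):
    """Behave like the grok filter: unanchored search; fields on success, None on failure."""
    m = compile_grok(pattern).search(text)
    return m.groupdict() if m else None


# The three header patterns discussed in the thread.
HEADER_ORIGINAL = "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{CISCOTAG:cisco_tag}: %{GREEDYDATA:cisco_message}"
HEADER_DATA = "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{DATA:cisco_tag}: %{GREEDYDATA:cisco_message}"
HEADER_FIXED = "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %%{CISCOTAG:cisco_tag}: %{GREEDYDATA:cisco_message}"

# My own simplified body pattern for a 302014 teardown line (hypothetical; not the
# library's CISCOFW302013_302014_302015_302016 pattern).
TEARDOWN_BODY = ("%{WORD:action} %{WORD:protocol} connection %{INT:connection_id} for "
                 "%{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to "
                 "%{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} "
                 "duration %{TIME:duration} bytes %{INT:bytes} %{GREEDYDATA:reason}")

# Split "ASA-6-302014" into facility, syslog severity and message id.
TAG_RE = re.compile(r"(?P<facility>[A-Z0-9]+)-(?P<severity>[0-7])-(?P<message_id>[0-9]+)")

# Constructed sample input: the line from post #1, plus a non-ASA syslog line.
SAMPLE_ASA = ("May 9 04:23:13 frghcfwint01m-fw-cloud-common.fr.ghc.local %ASA-6-302014: "
              "Teardown TCP connection 2866265026 for int-850-intercoCorporateIOC:10.153.64.10/42082 "
              "to int-2400-IOCProdInternalZonePrimary:10.154.1.93/80 duration 0:00:00 bytes 1298 TCP FINs")
SAMPLE_SSHD = "May 9 04:23:13 bastion01 sshd[123]: Accepted publickey for root from 10.0.0.5 port 5555"


def parse_asa(line: str):
    """Header with the corrected tag pattern, tag split, then the body; None if not an ASA line."""
    header = grok_match(HEADER_FIXED, line)
    if header is None:
        return None
    tag = TAG_RE.fullmatch(header["cisco_tag"])
    if tag is None:
        return None
    event = {**header, **tag.groupdict()}
    event["severity"] = int(event["severity"])
    body = grok_match(TEARDOWN_BODY, header["cisco_message"])
    if body:
        event.update(body)
    return event


if __name__ == "__main__":
    for name, pat in (("original", HEADER_ORIGINAL), ("DATA", HEADER_DATA), ("%%CISCOTAG", HEADER_FIXED)):
        r = grok_match(pat, SAMPLE_ASA)
        print(f"{name:>11}: {'_grokparsefailure' if r is None else r['cisco_tag']}")
    print(parse_asa(SAMPLE_ASA))
```

Logstash's grok runs on Oniguruma (Ruby regex) rather than Python's `re`, so confirm the final pattern in the Kibana Grok Debugger or with a `stdout { codec => rubydebug }` run before relying on it; the subset of syntax used here behaves the same in both engines. The point the test makes is the one that matters in a SOC pipeline: with `%%{CISCOTAG}` a non-ASA line is tagged `_grokparsefailure` and can be routed aside, whereas with `%{DATA:cisco_tag}` it silently acquires `cisco_tag = "sshd[123]"` and goes on to the second grok stage.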


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.