Fetching Cisco, Firewall logs from syslog-ng server

I have a syslog-ng server which gathers data from Cisco routers, switches, NetFlow data and firewall related data.

The data is stored as flat files. Now, I am looking to send those to ELK SIEM.

I see that I can use Filebeat, but I have no idea how to set it up to fetch from a particular location or how to parse the data to make it SIEM compatible.

Also, do I need Logstash to make the data SIEM compatible?

Thanks,

Hi @Ajay_Singh2, you can install Filebeat on your syslog-ng server to ship the data to Elastic SIEM in Elastic Common Schema format.

Once you install Filebeat you can simply enable the Cisco module to ship the data to Elastic. The module can be configured to read from a file path, e.g. /var/log/cisco-asa.

Logstash is not required to make the data SIEM compatible. Filebeat can ship the data directly, for use within Elastic SIEM.

Hi @jamie.hynds

That makes sense, but I have a lot of devices logging to the syslog-ng servers.
Two questions I have here:

  1. Can I define the paths separated by commas, or do I define them line by line?
  2. How will ELK get the hostname of the Cisco device?

Currently, the folders generated are in the format below:
/opt/syslog/<hostname>/<date>.log

Thanks in advance!

  1. You can define the paths line by line and wildcards are also supported (e.g. /opt/syslog/*/*.log). You can view some examples of filebeat.yml configs here.

  2. The Filebeat module will only parse the origin IP address within the Cisco syslog. A DNS processor is available to perform DNS requests for hostnames, however this is not enabled by default.

To add a suggestion for your second question, if the hostname is in the file path, Filebeat puts the path in the log.file.path field, and you can use the dissect processor in an Ingest Node pipeline to extract it from there.

Thank you @tudor @jamie.hynds,

I am waiting for my Cisco admin to enable syslog and then I will test the solution out.

Another quick question regarding the Fortinet firewall. I have Fortinet sending to syslog-ng, where Filebeat is installed. I see the Fortinet Filebeat module is an x-pack module and is not free.
Is there any alternative way to use Filebeat to ingest and parse Fortinet firewall logs and make them SIEM compatible? (Also, I don't have Logstash.)

Thanks in advance!

Fortinet is included under the Elastic Basic license, which is free. SIEM is included in this license also. You can view all the available Subscriptions here. The out-of-the-box integrations are listed under the Data Ingest section of that doc.

@jamie.hynds I have enabled x-pack on Elasticsearch. How do I translate that to Filebeat so that it can display the x-pack modules?

I have a standard SaaS subscription.

@jamie.hynds I have downloaded the Fortinet module from GitHub. After ingestion, the fields are not getting populated (the fields mentioned in the Filebeat docs) and the timestamp is not getting extracted.

Log sample:
2019-09-11T07:11:08-04:00 10.201.31.3 date=2019-09-11 time=14:08:52 devname=test devid=abcd logid=0000000013 type=traffic subtype=forward ....

Do I need to add grok filters to extract the timestamp and the key-value pair fields?

Sorry for the silly questions, I am a Splunk admin, where add-ons parse the data :frowning:

Is there a way I can parse the data without Logstash?

@tudor
Can you help me with the syntax? Here is what I have:

PUT _ingest/pipeline/my_pipeline_id
{
  "description" : "describe pipeline",
  "processors" : [
    {
      "dissect" : {
        "tokenizer": "/opt/%{host.name}/",
        "field": "log.file.path"
      }
    }
  ]
}

I still see localhost in host.name instead of the one it should process from log.file.path.

I have run this through the Kibana UI.

@tudor I finally got it:

PUT _ingest/pipeline/testpipeline
{
  "description" : "describe pipeline",
  "processors" : [
    {
      "dissect" : {
        "pattern": "/opt/%{host.name}/",
        "field": "log.file.path"
      }
    }
  ]
}

Thanks

1 Like
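As an added example (not code posted in this thread and not the Fortinet Filebeat module's own pipeline), the following ingest pipeline combines the two things asked for above: the device name taken from the log file path, and the Fortinet key=value body split into fields without Logstash. It assumes the path layout posted earlier (/opt/syslog/<hostname>/<date>.log), that syslog-ng prefixes each line with an ISO 8601 timestamp and the relay's source IP as in the sample line, and the pipeline name fortinet-syslogng is an arbitrary choice. The `_tmp.*` and `fortinet.*` field names are likewise this example's own.

```json
PUT _ingest/pipeline/fortinet-syslogng
{
  "description": "Example pipeline: device name from log.file.path, Fortinet key=value body into fields",
  "processors": [
    {
      "dissect": {
        "field": "log.file.path",
        "pattern": "/opt/syslog/%{observer.hostname}/%{?logdate}.log",
        "ignore_missing": true
      }
    },
    {
      "dissect": {
        "field": "message",
        "pattern": "%{_tmp.syslog_ts} %{_tmp.relay_ip} %{_tmp.kv}"
      }
    },
    {
      "kv": {
        "field": "_tmp.kv",
        "field_split": " (?=[A-Za-z0-9_]+=)",
        "value_split": "=",
        "target_field": "fortinet",
        "trim_value": "\"",
        "ignore_missing": true
      }
    },
    {
      "date": {
        "field": "_tmp.syslog_ts",
        "formats": ["ISO8601"]
      }
    },
    {
      "set": {
        "field": "observer.serial_number",
        "value": "{{fortinet.devid}}",
        "ignore_empty_value": true
      }
    },
    {
      "remove": {
        "field": "_tmp"
      }
    }
  ]
}
```

A few notes on the choices. Filebeat already fills host.name with the name of the machine running Filebeat (the "localhost" seen above), so the firewall's name is placed in observer.hostname instead of overwriting it; observer.serial_number gets the FortiGate devid. The dissect pattern must match the whole path, so the date part is consumed with a named skip key (%{?logdate}) rather than left off. The kv field_split is a regex with a lookahead so that a value such as msg="text with spaces" is not split at its inner spaces, and trim_value strips the surrounding quotes. The date processor uses the syslog-ng timestamp because it carries a UTC offset, whereas the device's own date= and time= pair does not, and the two can disagree when the firewall clock is off. To apply the pipeline, set `pipeline: fortinet-syslogng` on the Filebeat input that reads the Fortinet path, then check the result against the sample line with the `_ingest/pipeline/fortinet-syslogng/_simulate` API before pointing live traffic at it; a pipeline like this is a starting point, not the full ECS mapping the licensed Fortinet module provides.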

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.