Getting Error from Filebeat 7.3.2 related to CISCO module. Sending Cisco ASA logs to Filebeat / Cisco module.
I have read several threads here on elastic, stackoverflow, and other random sites. Not finding a clear solution.
Cisco ASA Config Info
- Not using syslog in EMBLEM format
- Send Syslog to Filebeat using UDP/9001
- Syslog format: Facility Code LOCAL4 (20)
- Include timestamps in syslogs is NOT enabled
filebeat.yml Config Info
filebeat.inputs:
- type: log
  enabled: true
  # paths is a setting of the log input, so it is nested under it here
  paths:
    - /var/log/*.log

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

output.elasticsearch:
  hosts: ["localhost:9200"]
Cisco.yml Config Info
- module: cisco
  asa:
    enabled: true
    var.input: syslog
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
    var.log_level: 7
  ios:
    enabled: true
    var.input: syslog
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9002
Error found when typing: (I replaced IP info and names with XXX)
sudo systemctl status filebeat
Oct 21 15:03:06 prod-elk filebeat[4367]: 2019-10-21T15:03:06.615-0500 ERROR [syslog] syslog/input.go:132 can't parse event as syslog rfc3164 {"message": "<166>asa5520 %ASA-6-106100: access-list inside-in permitted tcp inside/XXXXX(59641) -> outside/54.243.56.217(80) hit-cnt 1 first hit [0x2fe1648d, 0x1f4b0d90]\n"}
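To make the error message concrete, here is an added example (not from the post above or from Filebeat) of a minimal RFC 3164 header check run over the quoted ASA line. The assumption it encodes is that an rfc3164 parser expects a `Mmm dd hh:mm:ss` timestamp right after the `<PRI>` field, so the posted line (which has no timestamp, matching the "Include timestamps in syslogs is NOT enabled" setting) fails, while a constructed variant of the same event with a timestamp parses and yields the facility and severity the post describes.

```python
import re
from typing import Optional

# RFC 3164 header: <PRI>, then "Mmm dd hh:mm:ss", then hostname, then the message.
# Assumption (not stated in the original post): the rfc3164 parser needs the
# timestamp field, so an ASA that does not prepend one produces this exact failure.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)
# Cisco ASA message tag: %ASA-<severity>-<6-digit message id>:
ASA_ID = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):")


def parse_rfc3164(line: str) -> Optional[dict]:
    """Return the parsed header fields, or None when the line is not RFC 3164."""
    m = RFC3164.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    out = {
        "facility": pri // 8,   # 166 // 8 == 20 -> LOCAL4, as configured on the ASA
        "severity": pri % 8,    # 166 % 8 == 6 -> informational, matching %ASA-6-...
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
    }
    asa = ASA_ID.search(out["message"])
    if asa:
        out["asa_message_id"] = asa.group("id")
        out["asa_severity"] = int(asa.group("sev"))
    return out


# The line quoted in the Filebeat error above (addresses already masked in the post).
NO_TIMESTAMP = ("<166>asa5520 %ASA-6-106100: access-list inside-in permitted tcp "
                "inside/XXXXX(59641) -> outside/54.243.56.217(80) hit-cnt 1 first hit "
                "[0x2fe1648d, 0x1f4b0d90]\n")
# Constructed variant: the same event as the ASA would send it with timestamps enabled.
WITH_TIMESTAMP = NO_TIMESTAMP.replace("<166>", "<166>Oct 21 15:03:06 ", 1)

if __name__ == "__main__":
    for label, line in (("as posted", NO_TIMESTAMP), ("with timestamp", WITH_TIMESTAMP)):
        print(label, "->", parse_rfc3164(line))
```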