Filebeat 7.3.2 Cisco Module Parsing issue for ASA Syslog rfc3164

Getting an error from Filebeat 7.3.2 related to the Cisco module. Sending Cisco ASA logs to Filebeat / Cisco module.

I have read several threads here on Elastic, Stack Overflow, and other random sites. Not finding a clear solution.

Cisco ASA Config Info

  • Not using syslog in EMBLEM format
  • Send Syslog to Filebeat using UDP/9001
  • Syslog format: facility code LOCAL4(20)
  • Include timestamps in syslogs is NOT enabled

filebeat.yml Config Info

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
output.elasticsearch:
  hosts: ["localhost:9200"]

Cisco.yml Config Info

- module: cisco
  asa:
    enabled: true
    var.input: syslog
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
    var.log_level: 7
  ios:
    enabled: true
    var.input: syslog
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9002

Error found when running the command below (I replaced IP info and names with XXX):

sudo systemctl status filebeat
Oct 21 15:03:06 prod-elk filebeat[4367]: 2019-10-21T15:03:06.615-0500        ERROR        [syslog]        syslog/input.go:132        can't parse event as syslog rfc3164        {"message": "<166>asa5520 %ASA-6-106100: access-list inside-in permitted tcp inside/XXXXX(59641) -> outside/54.243.56.217(80) hit-cnt 1 first hit [0x2fe1648d, 0x1f4b0d90]\n"}
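As an added illustration (not part of the original thread), the check below shows what an RFC 3164 header looks like and why the line in the error above does not have one: the ASA is configured without timestamps, while RFC 3164 expects `<PRI>` followed by a `Mmm dd hh:mm:ss` timestamp and a hostname. The first sample is the rejected line; the second, the same event with a timestamp inserted, is constructed.

```python
import re
from typing import Optional

# Constructed sample: the line Filebeat rejected above (addresses already masked in the post).
ASA_NO_TIMESTAMP = (
    "<166>asa5520 %ASA-6-106100: access-list inside-in permitted tcp "
    "inside/XXXXX(59641) -> outside/54.243.56.217(80) hit-cnt 1 first hit "
    "[0x2fe1648d, 0x1f4b0d90]"
)
# Constructed sample: the same event with an RFC 3164 timestamp after the PRI.
ASA_WITH_TIMESTAMP = ASA_NO_TIMESTAMP.replace("<166>", "<166>Oct 21 15:03:06 ", 1)

# RFC 3164 header: <PRI>, "Mmm dd hh:mm:ss" timestamp, hostname, then the message.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# Cisco ASA message tag: %ASA-<severity>-<message id>:
ASA_TAG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):")


def parse_rfc3164(line: str) -> Optional[dict]:
    """Return the decoded header fields, or None if the line is not RFC 3164."""
    m = RFC3164_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = {
        "facility": pri >> 3,   # 166 >> 3 == 20 (LOCAL4), matching the ASA config above
        "severity": pri & 7,    # 166 & 7 == 6 (informational), matching %ASA-6-...
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "message": m.group("msg"),
    }
    tag = ASA_TAG_RE.match(fields["message"])
    if tag:
        fields["asa_message_id"] = tag.group("msgid")
    return fields


def diagnose(line: str) -> str:
    """Explain why a line does or does not satisfy the RFC 3164 header layout."""
    if parse_rfc3164(line):
        return "ok"
    if not re.match(r"^<\d{1,3}>", line):
        return "missing <PRI> prefix"
    return "no RFC 3164 timestamp after <PRI> (ASA 'timestamp' logging disabled?)"
```

Running `diagnose` over a few captured lines before enabling a module is a quick way to tell a format mismatch from a network or port problem.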

Hello! Unfortunately the problem you're seeing is that your Cisco logs aren't Syslog rfc3164, they're Syslog rfc5424, a newer standard that Filebeat doesn't support yet. You may be able to change your Cisco settings to use rfc3164 instead. You can also chime in on the feature request to support rfc5424, which will help increase its priority 🙂

Thank you @faec
This helps clear up many of the other threads I was reading.
