Filebeat Cisco Module Nexus dissect_parsing_error

Not sure why these logs are not being parsed correctly. Are the optimized access logging logs not supported by the module?

Please share more details about the issue, like the configuration you're using, stack version, and use case.

Stack version is 7.11.0
The filebeat cisco module is configured as follows, basically the default

nexus:
  enabled: true
  var.syslog_host: <ip address>
  var.syslog_port: <port>

The cisco nexus devices have the following configuration

logging level acllog 5
logging server <ip address> 5 port <port> use-vrf default facility syslog
logging origin-id hostname
logging ip access-list cache entries 8000
logging ip access-list cache interval 300
logging ip access-list cache threshold 0

I believe it is intended to parse these out into fields such as src_ip, dst_ip, src_port, dst_port, etc. I would like to be able to use this info in dashboards to breakdown by the traffic that is being blocked. Then I can search by IP and see if certain traffic is being blocked by these ACLs.

I updated to version 7.12 and am seeing the same behavior.

It's possible that the format of the logs isn't matching the patterns currently in the module. Take a look here, https://www.github.com/elastic/beats/tree/master/x-pack%2Ffilebeat%2Fmodule%2Fcisco%2Fnexus%2Fconfig

It looks like it should match on line 140 of the pipeline.js

var dup59 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}");

Here is an example of an original event that should match but is flagging as dissect_parsing_error

<45>DeviceName: 2021 Apr  8 09:02:58 CDT: %ACLLOG-5-ACLLOG_FLOW_INTERVAL: Src IP: 1.1.1.1, Dst IP: 2.2.2.2, Src Port: 0, Dst Port: 0, Src Intf: Ethernet1/15, Protocol: "ICMP"(1), Hit-count = 4
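The sample event above, parsed into the fields the question is after. This is an added example written for this thread, not the Filebeat module's pipeline code; the regular expressions and the ECS-style output field names are assumptions about the format shown, not the module's dissect pattern.

```javascript
// Added example (not the Filebeat module's own code): parse the Nexus
// ACLLOG_FLOW_INTERVAL sample from the thread into named fields, as a
// reference for the values a working dissect pattern should produce.
// Output field names are ECS-style assumptions, not the module's exact ones.

// Constructed from the sample event quoted in the thread.
const SAMPLE_LOG =
  '<45>DeviceName: 2021 Apr  8 09:02:58 CDT: %ACLLOG-5-ACLLOG_FLOW_INTERVAL: ' +
  'Src IP: 1.1.1.1, Dst IP: 2.2.2.2, Src Port: 0, Dst Port: 0, ' +
  'Src Intf: Ethernet1/15, Protocol: "ICMP"(1), Hit-count = 4';

// Header: <PRI>host: YYYY Mon  D HH:MM:SS TZ: %FACILITY-SEV-MNEMONIC: body
const HEADER_RE =
  /^<(\d{1,3})>(\S+): (\d{4} \w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d(?: \w+)?): %(\w+)-(\d)-(\w+): (.*)$/;
// Protocol value looks like "ICMP"(1): quoted name plus IP protocol number.
const PROTOCOL_RE = /^"([^"]*)"\((\d+)\)$/;
const HIT_SEP = ', Hit-count = ';
const REQUIRED = ['Src IP', 'Dst IP', 'Src Port', 'Dst Port', 'Src Intf'];

// Returns the parsed fields, or null when the line does not have the shape
// shown above (the analogue of the module's dissect_parsing_error).
function parseNexusAclLog(line) {
  const m = HEADER_RE.exec(line);
  if (m === null || m[6] !== 'ACLLOG_FLOW_INTERVAL') return null;
  const [, pri, host, ts, , severity, mnemonic, body] = m;

  const hitIdx = body.lastIndexOf(HIT_SEP);
  if (hitIdx < 0) return null;
  const hitCount = Number(body.slice(hitIdx + HIT_SEP.length));

  // The rest of the body is "Key: value" pairs separated by ", ".
  const kv = {};
  for (const part of body.slice(0, hitIdx).split(', ')) {
    const sep = part.indexOf(': ');
    if (sep < 0) return null;
    kv[part.slice(0, sep)] = part.slice(sep + 2);
  }
  const proto = PROTOCOL_RE.exec(kv['Protocol'] || '');
  if (proto === null || !Number.isInteger(hitCount)) return null;
  if (REQUIRED.some((k) => !(k in kv))) return null;

  return {
    'log.syslog.priority': Number(pri), 'host.name': host,
    'cisco.nexus.timestamp': ts, 'log.level': severity, 'event.code': mnemonic,
    'source.ip': kv['Src IP'], 'destination.ip': kv['Dst IP'],
    'source.port': Number(kv['Src Port']), 'destination.port': Number(kv['Dst Port']),
    'observer.ingress.interface.name': kv['Src Intf'],
    'network.transport': proto[1].toLowerCase(), 'network.iana_number': Number(proto[2]),
    'cisco.nexus.hit_count': hitCount,
  };
}
```

Running `parseNexusAclLog(SAMPLE_LOG)` gives the per-flow fields; a line missing the trailing Hit-count part returns null, which is the case to compare against when an event lands with dissect_parsing_error.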
