Filebeat syslog parse error

Filebeat is giving errors while parsing syslog messages from ASA.

ERROR [syslog] syslog/input.go:132 can't parse event as syslog rfc3164 {"message": "<165>:Jul 10 07:10:12 IST: %ASA-config-5-111010: User 'XXXXX', running 'N/A' from IP 172.x.x.x, executed 'write memory'\n"}

can someone help?

The syslog input is rather strict in what it accepts (RFC3164). Alternatively you can use the UDP (or TCP) input and do the actual parsing using dissect or grok via Logstas/Ingest Node.

i am not sending ASA syslog messages to logstash directly. I am using Cisco module in filebeat to parse and send it to logstash. This error is in the filebeat not logstash.

Hi @mancharagopan,

What's confusing the syslog input is the timestamp format being used, it's not compatible with RFC3164. We're finding that Cisco ASA devices come configured with different syslog formats that confuse Filebeat. In this case, there are two problems:

  • The timestamp is surrounded by colons :Jul 10 07:10:12 IST:
  • Once that is fixed, the timezone (IST) is going to be treated as the hostname part of the message. It should be removed and hostname added.

Which device are these logs coming from? Are the syslog messaging straight from the device or are they passing through another device that could be modifying the format?

Please have a look at your device configuration settings to see if you can modify the date format

1 Like

Syslog messages are coming straightly from ASA Firewall 5505, ASA 8.4(3).
Do i have to include hostname or the ip address of the firewall?

I removed timestamp and added hostname to the syslog message. but i am still receiving parsing error.
syslog/input.go:132 can't parse event as syslog rfc3164 {"message": "<166>hostname-FW %ASA-6-113012: AAA user authentication Successful : local database : user = user1\n"}

I don't know what is that <166> in front of the message and i don't know how to remove that.

The <166> is the syslog priority, which is not a problem.

Can you find a way to keep the timestamp but in a different format?

What format do you suggest?

I don't have an ASA Firewall to play with, but by looking at a manual I found online, it doesn't look like you can change the timestamp format. We have to update the syslog message parser to make it support more formats.

In the mean time, I had some success by doing this change:

diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml
index 32e87abc8..9d23b77f2 100644
--- a/x-pack/filebeat/module/cisco/asa/config/input.yml
+++ b/x-pack/filebeat/module/cisco/asa/config/input.yml
@@ -1,8 +1,7 @@
 {{ if eq .input "syslog" }}

-type: syslog
-protocol.udp:
-  host: "{{.syslog_host}}:{{.syslog_port}}"
+type: udp
+host: "{{.syslog_host}}:{{.syslog_port}}"

( This file is probably /etc/filebeat/module/cisco/asa/config/input.yml in your installation, or C:\program files\filebeat\module\... in Windows )

But you will lose the original timestamp in the messages as it won't be parsed.

I will create an issue to support more syslog formats.

Edit: we have this https://github.com/elastic/beats/issues/6872

1 Like

Thank you, this looks to have fixed the problem for me.
timestamp looks the same to me

Before Patch:
@timestamp:
Jul 31, 2019 @ 10:29:59.974

After Patch:
@timestamp:
Jul 31, 2019 @ 11:04:45.926

*I now see that log.source.address is detected as the asa ip address.
^Has nothing to do with actual traffic being passed from source or destination.
It's probably has to do with the message type is not yet support. O
Everything that was previously recognized is still recognized correctly.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.