Hello, I am using Elasticsearch and Kibana on a CentOS 7 server. I have configured Beats to send directly to Elasticsearch (without needing to configure Logstash), and it works perfectly from both CentOS agents and Windows agents. Now I have to configure Beats for a Cisco ASA next-generation firewall. Do I have to configure Logstash, or can I do the same thing I did for CentOS and Windows?
I am working on Elasticsearch 6.8.
Thank you.
I looked in the Elasticsearch 6.8 documentation; there is no information about direct ingestion from a Cisco ASA firewall using Filebeat.
If you still want to use Elasticsearch 6.8, I suggest using Logstash to read the Cisco ASA log file.
You can send the Cisco ASA syslog to a specific centralized syslog server, then use Logstash and build a specific filter for the Cisco ASA log format.
Regards,
Fadjar Tandabawana
Should this configuration go in /etc/logstash/conf.d/10-syslog-filter.conf?
Posted as it is? And do I have to do anything on the firewall?
Sorry for my questions, but I haven't used Logstash or configured a firewall before; this will be the first time!
1 - Build a centralized syslog server as follows:
https://www.tecmint.com/create-centralized-log-server-with-rsyslog-in-centos-7/
2 - Set your Cisco ASA firewall syslog to point to the syslog server from point 1.
3 - Check the log file format.
4 - Build the complete Logstash configuration in /etc/logstash/conf.d/ and follow the documentation:
https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html
If you get an error message from the filter processing, you can ask for help here...
If you don't want to use Logstash, upgrade Elasticsearch to the latest version, because there is a plugin for Filebeat that reads directly from Cisco devices.
https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-cisco.html
Regards,
Fadjar Tandabawana
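The following is an added example of what step 4 above (and the "build a specific filter for the Cisco ASA log format" suggestion in the earlier reply) can look like in practice. It is not code from this thread or from Elastic; it is a Logstash pipeline that reads the file rsyslog writes for the ASA and parses the common ASA message IDs with the CISCOFW* grok patterns that ship with Logstash. Assumptions: rsyslog writes the ASA messages to /var/log/cisco/asa.log (hypothetical path; use whatever your rsyslog template writes), Elasticsearch runs on localhost:9200, and the ASA has `logging timestamp` enabled so each message carries a timestamp. The sample line in the comments is constructed.

```conf
# /etc/logstash/conf.d/10-cisco-asa.conf  (added example, not from the thread)
input {
  # Assumption: rsyslog on the central log server writes the ASA messages here.
  file {
    path => "/var/log/cisco/asa.log"
    start_position => "beginning"
    type => "cisco-asa"
  }
}

filter {
  if [type] == "cisco-asa" {
    # First pass: split the syslog envelope from the ASA message body.
    # Pattern 1 is deliberately tolerant of the two shapes you usually see once
    # rsyslog has written the line, e.g. (constructed sample):
    #   Jun 10 12:00:00 fw01 %ASA-6-302013: Built inbound TCP connection ...
    #   Jun 10 12:00:05 10.0.0.1 Jun 10 2020 12:00:00 fw01 : %ASA-6-302013: Built ...
    # Pattern 2 (CISCO_TAGGED_SYSLOG, shipped with Logstash) matches the raw
    # datagram including its <PRI> prefix, should you later feed Logstash from a
    # udp input instead of the rsyslog file.
    grok {
      match => {
        "message" => [
          "%{CISCOTIMESTAMP:timestamp}(?: %{SYSLOGHOST:sysloghost})?\s*:?\s*%%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}",
          "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"
        ]
      }
    }

    # Only present for the raw <PRI> form; derives facility and severity.
    if [syslog_pri] {
      syslog_pri { }
    }

    # Second pass: the built-in CISCOFW* patterns parse the body of the common
    # ASA message IDs into src_ip, dst_ip, src_port, dst_port, action, ...
    # A message ID not listed here keeps its raw cisco_message and is tagged
    # _grokparsefailure, which is a convenient way to discover IDs still to add.
    grok {
      match => {
        "cisco_message" => [
          "%{CISCOFW106001}",
          "%{CISCOFW106006_106007_106010}",
          "%{CISCOFW106014}",
          "%{CISCOFW106015}",
          "%{CISCOFW106021}",
          "%{CISCOFW106023}",
          "%{CISCOFW106100}",
          "%{CISCOFW302010}",
          "%{CISCOFW302013_302014_302015_302016}",
          "%{CISCOFW302020_302021}",
          "%{CISCOFW305011}",
          "%{CISCOFW313001_313004_313008}",
          "%{CISCOFW313005}",
          "%{CISCOFW419001}",
          "%{CISCOFW710001_710002_710003_710005_710006}"
        ]
      }
    }

    # Use the firewall's own timestamp as @timestamp (with or without a year).
    date {
      match => [ "timestamp",
                 "MMM dd HH:mm:ss", "MMM  d HH:mm:ss",
                 "MMM dd yyyy HH:mm:ss", "MMM  d yyyy HH:mm:ss" ]
      # The ASA stamps messages in its own clock's timezone; set this to match it.
      timezone => "UTC"
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumption: local single node
    index => "cisco-asa-%{+YYYY.MM.dd}"
  }
}
```

The first grok is the part that depends on step 3: copy a few real lines from the file rsyslog produces, run them through `bin/logstash -f 10-cisco-asa.conf` with a `stdin` input, and check that `ciscotag` and `cisco_message` come out before touching the second grok. On the ASA side, the relevant commands are `logging enable`, `logging timestamp`, `logging trap informational` (or whatever severity you want shipped) and `logging host <interface> <syslog-server-ip>`; without `logging timestamp` the raw-datagram pattern will not match.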
Thank you, I will try it.
I'm sending all Cisco ASA firewall logs to Filebeat without any issue. But you may need to update your ELK stack. I'm using the latest version, 7.8.
Using both modules:
1 - Cisco
2 - NetFlow