Firewall cisco ASA and beats

Feriel_Mufti · July 2, 2020, 10:36am

Hello , i am using elasticsearch and kibana on server centos 7 , i have configured beats directly sent to elasticsearch ( without need to configure logstash) and it works perfectly from both centos agents and windows agents , now i have to configure beats from Firewall cisco ASA next generation , do i have to configure logstash or i can do the same work as i did for both centos and windows ?
i am working on elasticsearch 6.8
Thank you

fadjar340 · July 2, 2020, 10:44am

I saw in the elasticsearch 6.8 documentation, there's no information about direct ingestion using filebeat from Cisco ASA firewall.
If you want still use elasticsearch 6.8, I suggest using logstash that read from Cisco ASA log file.
You can send the Cisco ASA syslog to specific centralized syslog, then use logstash and build specific filter for Cisco ASA log format.

gist.github.com

https://gist.github.com/mrlesmithjr/791dc72d3c92ac21342f

logstash_cisco_asa

# Cisco ASA
filter {
  if "syslog" in [tags] and "pre-processed" not in [tags] {
    if "%ASA-" in [message] {
      mutate {
        add_tag => [ "pre-processed", "Firewall", "ASA" ]
      }
      grok {
        match => [
          "message", "<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp} %{SYSLOGHOST:sysloghost} %%{CISCOTAG:cisco_tag}: %{GREEDYDATA:cisco_message}"

This file has been truncated. show original

Regards,
Fadjar Tandabawana

Feriel_Mufti · July 2, 2020, 10:50am

this configuration should be on /etc/logstash/conf.d/10-syslog-filter.conf ?
posted as it is ? and on firewall should i do anything there ?
sorry for my questions but i didn't use logstash and configure firewall before this will be the first time !

fadjar340 · July 2, 2020, 10:55am

Build centralized syslog as follow:
https://www.tecmint.com/create-centralized-log-server-with-rsyslog-in-centos-7/
Set your Cisco ASA firewall syslog, point to syslog on point 1.
Check the log file format
Build complete logstash configuration in /etc/logstash/conf.d/ and follow the documentation
https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html

If you have error message for the filter processing, you can ask help here...

If you don't want use logstash, upgrade the elasticsearch to the latest, because there's plugin for filebeat that direct read of Cisco devices.
https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-cisco.html

Regards,
Fadjar Tandabawana

Feriel_Mufti · July 2, 2020, 4:11pm

Thank you i will try it

francescouk · July 8, 2020, 4:28pm

I'm sending all Cisco asa firewall to filebeat without any issue. But you may need to update your elk stack. I'm using the latest version 7.8
Using both modules:
1 - Cisco
2 - Netflow

system · August 5, 2020, 6:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.