Hey everyone,
I am a logstash/grok beginner and would love some help parsing my syslog from our ASA to create some tags. I have tried both the grok debugger on herokuapp and the dev tools in Kibana without luck. My syslog is:
%ASA-6-106100: access-list 100 denied udp outside/x.x.x.x(4500) -> inside/x.x.x.x(4500) hit-cnt 1 first hit [0x40c998bc, 0x00000000]
The custom file we are inputting is:
    filter {
      if [type] == "firewall" {
        # Split the Cisco syslog tag from the rest of the line
        grok {
          match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
        }
        # Decode the <pri> value into facility/severity fields
        syslog_pri { }
      }
    }
We are receiving a _grokparsefailure using this as a base as well as adding:
    # Second pass over the remainder with the stock 106100 access-list pattern
    grok {
      match => ["cisco_message", "%{CISCOFW106100}"]
    }
Our hope is to have the following tags:
    device_src: ASA-6-106100
    Action: access-list 100 denied udp
    OutsideIP: x.x.x.x (Outside IP)
    OutsidePort: 4500
    InternalIP: x.x.x.x (Internal IP)
    InternalPort: 4500
    HitCount: 1
Any and all help would be greatly appreciated!
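An added Python sketch, not from the original post and not the Logstash pattern library itself, showing what the two grok steps above have to match on this line: the regexes are my own approximation of the shape of the stock CISCO_TAGGED_SYSLOG and CISCOFW106100 patterns (an assumption), and the sample uses constructed RFC 5737 addresses in place of the redacted x.x.x.x values.

```python
import re

# Constructed sample in the same shape as the posted line (documentation IPs).
SAMPLE = ("%ASA-6-106100: access-list 100 denied udp outside/203.0.113.10(4500)"
          " -> inside/192.0.2.20(4500) hit-cnt 1 first hit [0x40c998bc, 0x00000000]")

# Approximation of the tagged-syslog prefix: a <pri>, a timestamp and an
# optional host are expected BEFORE the %ASA tag. The posted line has none
# of that, so a pattern anchored on this prefix cannot match it.
TAGGED_PREFIX = re.compile(
    r"^<\d+>(?P<timestamp>\w{3} +\d+ \d{4} \d{2}:\d{2}:\d{2})(?: (?P<host>\S+))? ?: "
    r"%(?P<ciscotag>[A-Z0-9]+-\d+-[A-Z0-9_]+):"
)

# Untagged form: only the %ASA-x-y: tag, then the message body.
TAG_ONLY = re.compile(r"^%(?P<ciscotag>[A-Z0-9]+-\d+-[A-Z0-9_]+): (?P<cisco_message>.*)$")

# Body of a 106100 access-list log, named after the fields the post wants.
BODY_106100 = re.compile(
    r"access-list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<protocol>\w+) "
    r"(?P<outside_if>[^/]+)/(?P<outside_ip>[\d.]+)\((?P<outside_port>\d+)\) -> "
    r"(?P<inside_if>[^/]+)/(?P<internal_ip>[\d.]+)\((?P<internal_port>\d+)\) "
    r"hit-cnt (?P<hit_count>\d+) (?P<interval>.+?) "
    r"\[(?P<hash1>0x[0-9a-f]+), (?P<hash2>0x[0-9a-f]+)\]$"
)


def has_syslog_prefix(line):
    """True only when the line carries the <pri>timestamp prefix the tagged pattern needs."""
    return TAGGED_PREFIX.match(line) is not None


def parse_asa_106100(line):
    """Return the post's desired fields, or None (the equivalent of _grokparsefailure)."""
    head = TAG_ONLY.match(line)
    if head is None:
        return None
    body = BODY_106100.match(head.group("cisco_message"))
    if body is None:
        return None
    return {
        "device_src": head.group("ciscotag"),
        "Action": "access-list %s %s %s" % (body.group("acl"), body.group("verdict"),
                                           body.group("protocol")),
        "OutsideIP": body.group("outside_ip"),
        "OutsidePort": int(body.group("outside_port")),
        "InternalIP": body.group("internal_ip"),
        "InternalPort": int(body.group("internal_port")),
        "HitCount": int(body.group("hit_count")),
    }
```

Running has_syslog_prefix on the sample returns False, which is why a pipeline that relies on the tagged prefix reports a parse failure, while matching the bare tag first and then the 106100 body yields every field listed above.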