GROK ASA Issues

Hey everyone,
I am a logstash/grok beginner and would love some help parsing my syslog from our ASA to create some tags. I have tried both the grok debugger on herokuapp and the dev tools in Kibana without luck. My syslog is:

%ASA-6-106100: access-list 100 denied udp outside/x.x.x.x(4500) -> inside/x.x.x.x(4500) hit-cnt 1 first hit [0x40c998bc, 0x00000000]

The custom file we are inputting is:

filter {
  if [type] == "firewall" {
    grok {
      match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
    }

    syslog_pri { }

  }
}

We are receiving a _grokparsefailure using this as a base as well as adding:

 grok {
    match => ["cisco_message", "%{CISCOFW106100}"]
  }

Our hope is to have the following tags:
device_src: ASA-6-106100
Action: access-list 100 denied udp
OutsideIP: x.x.x.x (Outside IP)
OutsidePort: 4500
InternalIP: x.x.x.x (Internal IP)
InternalPort: 4500
HitCount: 1

Any and all help would be greatly appreciated!

input { generator { count => 1 lines => [ '%ASA-6-106100: access-list 100 denied udp outside/1.2.3.4(4500) -> inside/1.2.3.4(4500) hit-cnt 1 first hit [0x40c998bc, 0x00000000]' ] } }
filter {
    grok { match => { "message" => "%{CISCOFW106100}" } }
}

produces

"dst_interface" => "inside",
    "hit_count" => "1",
    "hashcode1" => "0x40c998bc",
     "src_port" => "4500",
    "policy_id" => "100",
    "hashcode2" => "0x00000000",
     "protocol" => "udp",
     "dst_port" => "4500",
       "action" => "denied",
"src_interface" => "outside",
     "interval" => "first hit",
       "dst_ip" => "1.2.3.4",
       "src_ip" => "1.2.3.4"

for me. You do not say what the incoming event looks like so I cannot speak to why the first grok might be failing.
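To make the two-stage split concrete, here is an added Python example (not code from this thread and not the logstash-patterns-core project's own definitions). The two regexes are approximations, written for this example, of what Logstash's CISCO_TAGGED_SYSLOG and CISCOFW106100 patterns match: the header regex expects the "<PRI>timestamp [host] : %TAG:" prefix that CISCO_TAGGED_SYSLOG requires, but makes it optional so the bare line quoted in the question still yields the tag and the message body. The sample lines are constructed; the "<166>..." line and the 106023 line are hypothetical inputs used only to show a header-bearing event and a non-matching message ID.

```python
import re

# Approximation of CISCO_TAGGED_SYSLOG. In Logstash the "<PRI>timestamp [host] : "
# header is mandatory; here it is optional (the outer (?: ... )?) so that a line
# that starts directly with "%ASA-6-106100:" is still split into tag and body.
TAGGED_SYSLOG_RE = re.compile(
    r"^(?:<(?P<syslog_pri>\d+)>"
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? +\d{2}:\d{2}:\d{2})"
    r"(?: (?P<sysloghost>\S+))? ?: )?"
    r"%(?P<ciscotag>[A-Z0-9]+-\d+-[A-Z0-9_]+): (?P<cisco_message>.*)$"
)

# Approximation of CISCOFW106100, laid out to produce the same field names the
# answer above shows (policy_id, action, protocol, src_*/dst_*, hit_count, ...).
FW106100_RE = re.compile(
    r"^access-list (?P<policy_id>\S+) (?P<action>permitted|denied) (?P<protocol>\w+) "
    r"(?P<src_interface>[^/]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\)"
    r"(?:\((?P<src_fwuser>[^)]*)\))? -> "
    r"(?P<dst_interface>[^/]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)"
    r"(?:\((?P<dst_fwuser>[^)]*)\))? "
    r"hit-cnt (?P<hit_count>\d+) (?P<interval>first hit|\d+-second interval) "
    r"\[(?P<hashcode1>[^,]+), (?P<hashcode2>[^\]]+)\]$"
)


def split_tagged_syslog(line):
    """First stage: header fields, Cisco tag and remaining message, or None."""
    m = TAGGED_SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def parse_fw106100(cisco_message):
    """Second stage: field dict for a 106100 message body, or None."""
    m = FW106100_RE.match(cisco_message)
    return m.groupdict() if m else None


def parse_asa_line(line):
    """Run both stages; None stands in for Logstash's _grokparsefailure tag."""
    head = split_tagged_syslog(line)
    if head is None:
        return None
    body = parse_fw106100(head["cisco_message"])
    if body is None:
        return None
    fields = {k: v for k, v in head.items() if v is not None and k != "cisco_message"}
    fields.update({k: v for k, v in body.items() if v is not None})
    return fields


# Constructed sample events. The first mirrors the line in the question (with the
# 1.2.3.4 placeholder from the answer); the others are hypothetical.
BARE_LINE = (
    "%ASA-6-106100: access-list 100 denied udp outside/1.2.3.4(4500) -> "
    "inside/1.2.3.4(4500) hit-cnt 1 first hit [0x40c998bc, 0x00000000]"
)
HEADER_LINE = "<166>Jun 12 2023 10:11:12 fw01 : " + BARE_LINE
OTHER_ID_LINE = (
    '%ASA-4-106023: Deny tcp src outside:1.2.3.4/1234 dst inside:5.6.7.8/22 by access-group "100"'
)

if __name__ == "__main__":
    for sample in (BARE_LINE, HEADER_LINE, OTHER_ID_LINE):
        print(parse_asa_line(sample))
```

The header stage is what the question's first grok block performs: if the events reaching Logstash look like BARE_LINE (no "<PRI>timestamp" prefix), a strict CISCO_TAGGED_SYSLOG match has nothing to consume and the whole filter reports _grokparsefailure before the CISCOFW106100 pattern is ever tried. Checking a raw event from the input against each stage separately, as above, is the quickest way to see which stage is the one failing.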

Thank you so much! That populated the fields perfectly!
