Grok failure with Cisco ASA using built-in plugin


#1

So we have a huge number of documents with the tag "_grokparsefailure" and I think I figured out why.

We have Cisco ASA and we are using the following filter:

filter {
  if "syslog" in [tags] and "pre-processed" not in [tags] {
    if "%ASA-" in [message] {
      mutate {
        add_tag => [ "pre-processed", "Firewall", "ASA" ]
      }
      grok {
        match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
      }
      syslog_pri { }

      if "_grokparsefailure" not in [tags] {
        mutate {
          rename => ["cisco_message", "message"]
          remove_field => ["timestamp"]
        }
      }

      grok {
        match => [
          "message", "%{CISCOFW106001}",
          "message", "%{CISCOFW106006_106007_106010}",
          "message", "%{CISCOFW106014}",
          "message", "%{CISCOFW106015}",
          "message", "%{CISCOFW106021}",
          "message", "%{CISCOFW106023}",
          "message", "%{CISCOFW106100}",
          "message", "%{CISCOFW110002}",
          "message", "%{CISCOFW302010}",
          "message", "%{CISCOFW302013_302014_302015_302016}",
          "message", "%{CISCOFW302020_302021}",
          "message", "%{CISCOFW305011}",
          "message", "%{CISCOFW313001_313004_313008}",
          "message", "%{CISCOFW313005}",
          "message", "%{CISCOFW402117}",
          "message", "%{CISCOFW402119}",
          "message", "%{CISCOFW419001}",
          "message", "%{CISCOFW419002}",
          "message", "%{CISCOFW500004}",
          "message", "%{CISCOFW602303_602304}",
          "message", "%{CISCOFW710001_710002_710003_710005_710006}",
          "message", "%{CISCOFW713172}",
          "message", "%{CISCOFW733100}"
        ]
      }
    }
  }
}

However, I noticed that none of the documents with the _grokparsefailure tag have a "ciscotag" added to them. The cisco tag comes from "CISCO_TAGGED_SYSLOG", and I noticed that it checks for a timestamp; our messages don't contain a timestamp:

Deny tcp src INSIDE-VRF4100:123.123.123.123/49733 dst SDN-VRF110:123.124.14.124/80 by access-group "INSIDE-VRF4100_access_in" [0x73808163, 0x4d11f759]

I think this is why we have millions of documents with the _grokparsefailure tag. How can we fix this?

EDIT: I added a condition so that, if the logs had _grokparsefailure in the tags, the messages would be output to a file, and this is what I got (some of it):

{"src_ip":"123.123.123.123","host":"123.123.123.123","tags":["syslog","pre-processed","Firewall","ASA","_grokparsefailure"],"duration":"0:00:00","@version":"1","protocol":"TCP","syslog_severity":"notice","cendotServiceName":"tjosan","syslog_facility":"user-level","cendotSID":"123123","connection_id":"2702609852","@timestamp":"2018-07-05T08:03:35.125Z","dst_interface":"WEB-VRF4990","src_port":"9604","cendotFQDN":"server.fqdn","dst_port":"80","reason":"TCP Reset","message":"<166>%ASA-6-302014: Teardown TCP connection 2702609852 for LB-IN:123.123.123.123/9604 to WEB-VRF4990:123.123.123.123/80 duration 0:00:00 bytes 2119 TCP Reset-O from LB-IN\n","src_interface":"LB-IN","action":"Teardown","dst_ip":"123.123.213.123","syslog_severity_code":5,"bytes":"2119","syslog_facility_code":1}
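A way to check the diagnosis above, as an added example that is not part of the thread: the grok definitions below are transcribed by hand from logstash-patterns-core (MONTH, TIME and SYSLOGHOST simplified) and expanded into Python regexes, so the post's first-stage expression can be run against a PRI-only ASA line and against a timestamped one. ASA_HEADER_OPTIONAL_TS is a hypothetical replacement pattern, not a built-in, that makes the timestamp and host part optional.

```python
import re

# Grok definitions transcribed by hand from logstash-patterns-core (the grok-patterns
# and firewalls files); MONTH, TIME and SYSLOGHOST are simplified here, and the
# installed version may differ in detail. CISCO_TAGGED_SYSLOG is the pattern the
# post's first grok stage relies on.
PATTERNS = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "GREEDYDATA": r".*",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::(?:[0-5]?[0-9]|60))?",
    "SYSLOGHOST": r"[\w.-]+",
    "CISCOTIMESTAMP": r"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}",
    "CISCOTAG": r"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)",
    # Built-in header: the timestamp is mandatory, so a PRI-only line cannot match.
    "CISCO_TAGGED_SYSLOG": r"^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}"
                           r"( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:",
    # Hypothetical replacement (not a built-in): the timestamp/host part is optional,
    # so both line shapes yield syslog_pri, ciscotag and cisco_message.
    "ASA_HEADER_OPTIONAL_TS": r"^<%{POSINT:syslog_pri}>(?:%{CISCOTIMESTAMP:timestamp}"
                              r"( %{SYSLOGHOST:sysloghost})? ?: )?%%{CISCOTAG:ciscotag}: "
                              r"%{GREEDYDATA:cisco_message}",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(expr: str) -> str:
    """Recursively turn %{NAME} / %{NAME:field} into a Python regex; fields become named groups."""
    def sub(m):
        body = expand(PATTERNS[m.group(1)])
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return GROK_REF.sub(sub, expr)

def grok(expr: str, line: str):
    """Captured fields (unmatched optional captures dropped, as grok does), or None on failure."""
    m = re.search(expand(expr), line)
    return None if m is None else {k: v for k, v in m.groupdict().items() if v is not None}

# The expression from the post's first grok stage.
ORIGINAL = "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"

# Constructed samples: NO_TS has the shape seen in the post's failing output (PRI, no
# timestamp); WITH_TS is the shape the built-in pattern expects (addresses are made up).
NO_TS = ("<166>%ASA-6-302014: Teardown TCP connection 2702609852 for LB-IN:10.0.0.1/9604 "
         "to WEB-VRF4990:10.0.0.2/80 duration 0:00:00 bytes 2119 TCP Reset-O from LB-IN")
WITH_TS = "<166>Jul 05 2018 08:03:35 fw01 : " + NO_TS[5:]
```

Running `grok(ORIGINAL, NO_TS)` returns None (the failure the post describes), while `grok("%{ASA_HEADER_OPTIONAL_TS}", NO_TS)` returns syslog_pri, ciscotag and cisco_message without a timestamp field.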

