Grok Filter Pattern Hostname OR IP

Newb question. Parsing a Cisco ASA log. I've noticed some of my logs don't match the built-in parsers. Here is one in particular, 305011.
This is the default pattern.
CISCOFW305011 %{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}

My log that fails to parse looks like
{"message":"<166>Sep 23 2019 16:14:47 xxx-fw-p01 : %ASA-6-305011: Built dynamic TCP translation from outside:10.1.1.27/49387(LOCAL\smeyer) to outside:outside-asa/49387\n","host":"99.99.99.51","@version":"1","tags":["_grokparsefailure"],"@timestamp":"2019-09-23T21:16:07.514Z"}

From using http://grokdebug.herokuapp.com/, I deduced that it fails to match because, for example, the filter is looking for an IP when the log presents a hostname. I managed to get it to match if I change the end of the filter to %{WORD:src_xlated_interface}:%{DATA:src_xlated_ip}/%{INT:src_xlated_port} instead of %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}.

I would not have expected to need to edit the built-in patterns. Plus, I have no idea whether the second Cisco ASA that logs to it might match the 1st or the 2nd pattern. I don't particularly want to manage multiple permutations of every possible pattern. Do other people have this problem? Are people editing the built-in patterns?

You can replace %{IP:someField} with %{IPORHOST:someField} so that it will match an IP first and if that fails a HOSTNAME.

That said, I am very, very, very surprised that a firewall would log a name in preference to an IP address, since it places a huge reliance on DNS working properly.

Thinking about that, is it possible you have the mapping configured with a name when the best practice is to use an IP? If you do not understand why mapping to a name might be a bad idea you should probably stop doing it.

IPORHOST would work for the IP or Hostname problem. But it doesn't solve the other fields that I had to change from DATA to WORD or DATA to INT. However, I didn't know about IPORHOST so that was helpful.

Unfortunately, I do not have control over the firewall conventions. I have to take the logs as I get them.
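To make the three pattern variants in this thread concrete (the stock CISCOFW305011 body from the question, the IP to IPORHOST swap from the reply, and the DATA to INT change for the port that the follow-up says IPORHOST alone does not cover), here is an added example that is not from the thread or from Logstash: a tiny grok expander over a hand-copied subset of the logstash-patterns-core definitions, run with Python's re as a stand-in for Logstash's Oniguruma engine (IP is reduced to IPv4 and CISCO_ACTION is trimmed to shorten the block).

```python
import re

# Subset of the Logstash grok base patterns needed for CISCOFW305011, copied
# from logstash-patterns-core. Simplifications for this example: IP is IPv4
# only (the shipped IP also tries IPV6) and CISCO_ACTION lists fewer verbs.
OCTET = r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])"
GROK = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "IPV4": rf"(?<![0-9])(?:{OCTET}[.]{OCTET}[.]{OCTET}[.]{OCTET})(?![0-9])",
    "IP": r"%{IPV4}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",  # IP is tried first, then HOSTNAME
    "CISCO_ACTION": r"Built|Teardown|Deny|Denied|denied|requested|permitted|discarded|Dropping|created|deleted",
    "CISCO_XLATE_TYPE": r"static|dynamic",
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern: str) -> str:
    """Turn grok %{NAME:field} references into a Python regex, recursively."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = expand(GROK[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return REF.sub(sub, pattern)

def grok_match(pattern: str, text: str):
    """Unanchored search, as Logstash grok does it; captured fields or None."""
    m = re.search(expand(pattern), text)
    return m.groupdict() if m else None

# Message part of the log line from the question (constructed copy; the
# backslash in LOCAL\smeyer is a single literal backslash).
MESSAGE = ("Built dynamic TCP translation from outside:10.1.1.27/49387"
           "(LOCAL\\smeyer) to outside:outside-asa/49387")
# Stock CISCOFW305011 body, with the user group escaped as in the shipped file.
DEFAULT = (r"%{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol}"
           r" translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?"
           r"(\(%{DATA:src_fwuser}\))? to %{DATA:src_xlated_interface}"
           r":%{IP:src_xlated_ip}/%{DATA:src_xlated_port}")
# Only the IP -> IPORHOST swap from the reply: it now matches, but a trailing
# DATA (.*?) with nothing after it legally matches the empty string, so the
# translated port comes back as "".
IPORHOST_ONLY = DEFAULT.replace("%{IP:src_xlated_ip}", "%{IPORHOST:src_xlated_ip}")
# IPORHOST plus the DATA -> INT change for the port from the follow-up.
COMBINED = IPORHOST_ONLY.replace("%{DATA:src_xlated_port}", "%{INT:src_xlated_port}")

if __name__ == "__main__":
    for name, pat in [("default", DEFAULT), ("iporhost", IPORHOST_ONLY), ("combined", COMBINED)]:
        print(name, grok_match(pat, MESSAGE))
```

The same COMBINED pattern still captures an address when the translated side is an IP, because IPORHOST tries IP before HOSTNAME.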
