I've been getting grok parse failures for these messages.
"message": "<164>Nov 05 2019 12:46:04 NGFW1-IPICHIC : %ASA-4-434003: SFR requested to reset TCP connection from outside:13.249.87.36/443 to inside:38.142.127.155/60366\n"
They parse correctly in the various online grok debuggers; however, the same patterns result in grok parse failures in Logstash.
My patterns are:
# Action phrase emitted by the SFR module in ASA 434003 messages. The bare
# alternation relies on grok substituting %{SFR_ACTION:sfr_action} as a named
# capture group, which keeps the alternatives contained.
SFR_ACTION requested to drop|requested to reset|requested ASA to bypass further packet redirection and process
# ASA-4-434003: "<module> <action> <proto> connection from <if>:<ip>/<port> to <if>:<ip>/<port>"
# NOTE(review): src_ip uses IPV4 while dst_ip uses IP, so an IPv6 source
# address cannot match — confirm whether that asymmetry is intended.
# NOTE(review): interfaces are matched with WORD (\w+); names containing '-'
# or '.' would not match — verify against the interface names in use.
# NOTE(review): a definition runs to the end of its line, so a trailing space
# or a CR from Windows line endings becomes part of the regex and breaks
# matching in Logstash while online debuggers still accept the pasted text —
# worth checking the file with `cat -A` if the failures occur only in Logstash.
CISCOFW434003 %{WORD:module} %{SFR_ACTION:sfr_action} %{WORD:protocol} connection from %{WORD:ingress_interface}(:)?%{IPV4:src_ip}(/)?%{INT:src_port} to %{WORD:egress_interface}(:)?%{IP:dst_ip}(/)?%{INT:dst_port}
My logstash.conf:
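input {
  # Receive Cisco ASA syslog over UDP. The comment line lost its '#' in the
  # paste, which would make the config unparseable; and the listener is on
  # 8514, not the standard syslog port 514 (presumably so Logstash need not
  # bind a privileged port — the ASA must be configured to send to 8514).
  udp {
    port => "8514"
    type => "cisco-asa"
  }
}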
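filter {
  if [type] == "cisco-asa" {
    # Split the syslog header (priority, timestamp, host) and the Cisco tag
    # out of the raw message; everything after the tag lands in cisco_message.
    grok {
      patterns_dir => ["/etc/logstash/conf.d/patterns/asa/patterns-asa"]
      match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
    }
    # Parse the syslog severity and facility from the <PRI> value
    syslog_pri { }
    # Parse the date from the "timestamp" field to the "@timestamp" field.
    # The ASA timestamp carries no zone, so the device's zone is given here.
    date {
      match => ["timestamp",
        "MMM dd HH:mm:ss",
        "MMM d HH:mm:ss",
        "MMM dd yyyy HH:mm:ss",
        "MMM d yyyy HH:mm:ss"
      ]
      timezone => "America/Chicago"
    }
    # Clean up redundant fields only when the header grok succeeded; on a
    # failure the original message is left intact so the event can be inspected.
    if "_grokparsefailure" not in [tags] {
      mutate {
        rename => ["cisco_message", "message"]
        remove_field => ["timestamp"]
      }
    }
    # Extract fields from each of the detailed message types. Many of these
    # CISCOFW patterns ship with Logstash; those that do not (e.g. CISCOFW434003)
    # must be defined in the patterns_dir file referenced above.
    grok {
      patterns_dir => ["/etc/logstash/conf.d/patterns/asa/patterns-asa"]
      match => [
        "message", "%{CISCOFW106001}",
        "message", "%{CISCOFW106006_106007_106010}",
        "message", "%{CISCOFW106014}",
        "message", "%{CISCOFW106015}",
        "message", "%{CISCOFW106021}",
        "message", "%{CISCOFW106023}",
        "message", "%{CISCOFW106100}",
        "message", "%{CISCOFW110002}",
        "message", "%{CISCOFW111001_111007}",
        "message", "%{CISCOFW111008}",
        "message", "%{CISCOFW111010}",
        "message", "%{CISCOFW113019}",
        "message", "%{CISCOFW209005}",
        "message", "%{CISCOFW302010}",
        "message", "%{CISCOFW302013_302014_302015_302016}",
        "message", "%{CISCOFW302020_302021}",
        "message", "%{CISCOFW305011}",
        "message", "%{CISCOFW313001_313004_313008}",
        "message", "%{CISCOFW313005}",
        "message", "%{CISCOFW402117}",
        "message", "%{CISCOFW402119}",
        "message", "%{CISCOFW419001}",
        "message", "%{CISCOFW419002}",
        "message", "%{CISCOFW434002}",
        "message", "%{CISCOFW434003}",
        "message", "%{CISCOFW434004}",
        "message", "%{CISCOFW500004}",
        "message", "%{CISCOFW602303_602304}",
        "message", "%{CISCOFW710001_710002_710003_710005_710006}",
        "message", "%{CISCOFW713172}",
        "message", "%{CISCOFW722033}",
        "message", "%{CISCOFW733100}",
        "message", "%{CISCOFW737034}",
        "message", "%{CISCOFW725001_725002_725007}",
        "message", "%{CISCOFW305006}",
        "message", "%{CISCOFW321006}",
        "message", "%{CISCOFW604103}",
        "message", "%{CISCOFW771002}",
        "message", "%{CISCOFW607001}",
        "message", "%{CISCOFW305013}",
        "message", "%{CISCOFW711004}"
      ]
    }
    # Only look up geo data when a source address was actually extracted;
    # otherwise every message type without src_ip (and every unparsed event)
    # picks up a _geoip_lookup_failure tag.
    if [src_ip] {
      geoip {
        source => "src_ip"
        target => "geoip"
      }
    }
    # Drop the raw text once the detailed grok has extracted its fields
    if "_grokparsefailure" not in [tags] {
      mutate {
        remove_field => ["message"]
      }
    }
  }
}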
output {
  # Ship the parsed events to the local Elasticsearch node; index lifecycle
  # is handled by ILM through the cisco-asa rollover alias.
  elasticsearch {
    hosts => [ "https://localhost:9200" ]
    index => "logstash-asa"
    manage_template => true

    # ILM settings
    ilm_enabled => "auto"
    ilm_policy => "cisco_asa_rollover_policy"
    ilm_rollover_alias => "cisco-asa"
    ilm_pattern => "000001"
    # NOTE(review): with ILM active, writes go through the rollover alias, so
    # the index setting above may not take effect — confirm against the
    # plugin version in use.
    # NOTE(review): no credentials or CA certificate are configured for this
    # https endpoint; confirm how the connection is authenticated and how the
    # server certificate is verified.

    #document_type => "%{type}"
    #document_id => "%{fingerprint}"
  }
}