Logstash Core Plugin Firewall Patterns are outdated


I am trying to build a syslog solution for my ASA firewall.

I use UDP as input.

I use this grok filter (and I get a _grokparsefailure every time):

After comparing and researching old tutorials, it seems that Cisco changed the style of the syslog message.
Old Style: <134>Sep 02 2014 11:50:10: %ASA-6-302013: Built inbound TCP connection 123456789 for inside: ( to outside: (
New Style: 2017-06-29T16:40:54.582Z <167>%ASA-7-710006: VRRP request discarded from to OUTSIDE:

The Logstash core plugin also includes only the patterns for the old syslog style:
CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})?: %%{CISCOTAG:ciscotag}:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)

Does anyone have information on when the core plugin will be updated?

Best Regards


The old format will always have to be supported, but I agree it's useful to also support new formats. Are you willing to submit a PR to https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/firewalls#L5 that adds a new pattern? Testing is also super easy.

It'd be most welcome!
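The following is an added example, not code from this thread or from logstash-patterns-core. It shows what the reply asks for: the three firewall patterns quoted in the question kept as they are, a proposed pattern (hypothetical name CISCO_TAGGED_SYSLOG_ISO8601) for the newer "ISO8601 timestamp <pri>%ASA-..." style, and a check that each style parses. Grok compiles to Oniguruma regular expressions, which is also what Ruby's Regexp uses, so the %{NAME:field} definitions can be expanded and tested with a few lines of Ruby. The base patterns (MONTH, TIME, SYSLOGHOST, TIMESTAMP_ISO8601 and so on) are simplified versions written for this example, and the two log lines are constructed from the shapes shown in the question with RFC 5737 documentation addresses filled in.

```ruby
# Added example (not from the thread or logstash-patterns-core): a minimal
# grok-style pattern expander used to test the old-style ASA pattern and a
# proposed new-style pattern against constructed log lines.

# Base patterns, simplified here from the upstream grok-patterns file
# (assumption: close enough to upstream for these two line shapes).
PATTERNS = {
  "POSINT"   => '\b(?:[1-9][0-9]*)\b',
  "INT"      => '(?:[+-]?(?:[0-9]+))',
  "MONTH"    => '\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b',
  "MONTHNUM" => '(?:0?[1-9]|1[0-2])',
  "MONTHDAY" => '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])',
  "YEAR"     => '(?>\d\d){1,2}',
  "HOUR"     => '(?:2[0123]|[01]?[0-9])',
  "MINUTE"   => '(?:[0-5][0-9])',
  "SECOND"   => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  "TIME"     => '%{HOUR}:%{MINUTE}(?::%{SECOND})?',
  "ISO8601_TIMEZONE"  => '(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))',
  "TIMESTAMP_ISO8601" => '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?',
  "SYSLOGHOST" => '[A-Za-z0-9._:-]+',
  "GREEDYDATA" => '.*',
  # The three firewall patterns quoted in the question (old "<pri>Mon DD YYYY" style).
  "CISCOTIMESTAMP" => '%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}',
  "CISCOTAG"       => '[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)',
  "CISCO_TAGGED_SYSLOG" => '^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})?: %%{CISCOTAG:ciscotag}:',
  # Proposed pattern for the new "ISO8601 <pri>%ASA-..." style (hypothetical name;
  # this is the kind of addition the reply suggests submitting as a PR).
  "CISCO_TAGGED_SYSLOG_ISO8601" => '^%{TIMESTAMP_ISO8601:timestamp} <%{POSINT:syslog_pri}>%%{CISCOTAG:ciscotag}:',
}

# Expand %{NAME} and %{NAME:field} references recursively into a Ruby Regexp.
# %{NAME} becomes a non-capturing group, %{NAME:field} a named capture group.
def grok_compile(pattern, defs = PATTERNS)
  expanded = pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    raise ArgumentError, "unknown grok pattern #{name}" unless defs.key?(name)
    inner = grok_compile(defs[name], defs).source
    field ? "(?<#{field}>#{inner})" : "(?:#{inner})"
  end
  Regexp.new(expanded)
end

# New style is tried first, then the old style, each followed by the message body.
ASA_PATTERNS = [
  grok_compile('%{CISCO_TAGGED_SYSLOG_ISO8601} %{GREEDYDATA:cisco_message}'),
  grok_compile('%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}'),
]

# Returns a hash of captured fields, or nil (the equivalent of a _grokparsefailure).
def parse_asa(line)
  ASA_PATTERNS.each do |re|
    m = re.match(line)
    return m.named_captures.reject { |_, v| v.nil? } if m
  end
  nil
end

# Constructed sample lines following the two shapes shown in the question.
OLD_STYLE = "<134>Sep 02 2014 11:50:10: %ASA-6-302013: Built inbound TCP connection 123456789 " \
            "for inside:192.0.2.10/51234 (192.0.2.10/51234) to outside:198.51.100.20/443 (198.51.100.20/443)"
NEW_STYLE = "2017-06-29T16:40:54.582Z <167>%ASA-7-710006: VRRP request discarded from 192.0.2.1 to OUTSIDE:198.51.100.1"

if $PROGRAM_NAME == __FILE__
  [OLD_STYLE, NEW_STYLE, "not a cisco line"].each do |line|
    puts "#{line[0, 40]}... => #{parse_asa(line).inspect}"
  end
end
```

The same definitions can be dropped into a patterns file and exercised with the repository's own pattern specs once the names are settled; the point of the Ruby check is that a candidate pattern can be verified against real log lines before a PR is opened, and that a line matching neither pattern still fails cleanly rather than being half-parsed.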
