Logstash Core Plugin Firewall Patterns are outdated

Hey,

I am trying to build a syslog solution for my ASA firewall.

I use UDP as input.

I use this grok filter (and I get a _grokparsefailure every time):
%{CISCO_TAGGED_SYSLOG}%{GREEDYDATA:cisco_message}

After my comparison and some research of old tutorials, it seems that Cisco changed the style of the syslog message.
Old style: <134>Sep 02 2014 11:50:10: %ASA-6-302013: Built inbound TCP connection 123456789 for inside:10.0.1.1/1234 (10.0.1.1/1234) to outside:10.0.2.2/80 (10.0.2.2/80)
New style: 2017-06-29T16:40:54.582Z 1.2.3.4 <167>%ASA-7-710006: VRRP request discarded from 190.4.23.5 to OUTSIDE:224.0.0.10

The Logstash core plugin also includes only the patterns for the old syslog style:
CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})?: %%{CISCOTAG:ciscotag}:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)

Does anyone have information on when the core plugin will be updated?

Best Regards

Daniel

The old format will always have to be supported, but I agree it's useful to also support new formats. Are you willing to submit a PR to https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/firewalls#L5 that adds a new pattern? Testing is also super easy.

It'd be most welcome!
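Added example, not code from the thread or from logstash-patterns-core: the core CISCO_TAGGED_SYSLOG pattern expanded by hand into a Ruby (Oniguruma-style) regex, next to an assumed second pattern for the new ISO-timestamp style, so a practitioner can see why the old pattern fails on the new line and check that a candidate new pattern extracts the same fields. The grok building blocks (MONTH, MONTHDAY, SYSLOGHOST, ISO8601) are simplified here, and the new-style pattern is my reading of the one sample line.

```ruby
# Simplified building blocks (the real grok-patterns definitions are stricter).
POSINT   = '\d+'
MONTH    = '(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)'
MONTHDAY = '(?:0?[1-9]|[12]\d|3[01])'
YEAR     = '\d{4}'
TIME     = '\d{2}:\d{2}:\d{2}(?:\.\d+)?'
HOST     = '[\w.-]+'                           # stands in for SYSLOGHOST
ISO8601  = '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?'
CISCOTIMESTAMP = "#{MONTH} +#{MONTHDAY}(?: #{YEAR})? #{TIME}"
CISCOTAG       = '[A-Z0-9]+-\d+-[A-Z0-9_]+'

# Old style, as the core plugin ships it: <pri>timestamp[ host]: %TAG: message
CISCO_TAGGED_SYSLOG = /\A<(?<syslog_pri>#{POSINT})>(?<timestamp>#{CISCOTIMESTAMP})(?: (?<sysloghost>#{HOST}))?: %(?<ciscotag>#{CISCOTAG}): (?<cisco_message>.*)\z/

# New style (assumption from the sample): ISO-timestamp host <pri>%TAG: message
CISCO_ASA_ISO_SYSLOG = /\A(?<timestamp>#{ISO8601}) (?<sysloghost>#{HOST}) <(?<syslog_pri>#{POSINT})>%(?<ciscotag>#{CISCOTAG}): (?<cisco_message>.*)\z/

# Mimics grok with a pattern list: first match wins, else tag _grokparsefailure.
def parse_cisco_syslog(line)
  [CISCO_TAGGED_SYSLOG, CISCO_ASA_ISO_SYSLOG].each do |re|
    m = re.match(line)
    next unless m
    fields = m.names.each_with_object({}) { |n, h| h[n] = m[n] if m[n] }
    pri = fields['syslog_pri'].to_i
    fields['facility'] = pri / 8   # RFC 5424: PRI = facility * 8 + severity
    fields['severity'] = pri % 8   # should agree with the digit in %ASA-n-
    return fields
  end
  { 'tags' => ['_grokparsefailure'] }
end

# Constructed sample input: the two lines quoted in the thread.
OLD_STYLE = '<134>Sep 02 2014 11:50:10: %ASA-6-302013: Built inbound TCP connection 123456789 for inside:10.0.1.1/1234 (10.0.1.1/1234) to outside:10.0.2.2/80 (10.0.2.2/80)'
NEW_STYLE = '2017-06-29T16:40:54.582Z 1.2.3.4 <167>%ASA-7-710006: VRRP request discarded from 190.4.23.5 to OUTSIDE:224.0.0.10'

if __FILE__ == $PROGRAM_NAME
  [OLD_STYLE, NEW_STYLE, 'not a cisco line'].each { |l| p parse_cisco_syslog(l) }
end
```

Comparing the derived severity with the digit inside the %ASA tag is a cheap sanity check that the pri field was taken from the right place in both formats.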
