Message "failed to find message" event.dataset "cisco.asa"

Elastic Stack Beats
1

Hello,

I have a problem with displaying parsed logs inside Kibana.

I am using Filebeat Cisco module to inser logs from file to Elasticsearch

I can see index of Filebeat

image
image1062×135 8.75 KB

My Filebeat Cisco module configuration configuration is

`- module: cisco
asa:
enabled: true
var.paths: ["/var/log/syslog/asa1.log","/var/log/syslog/asa2.log"]
var.input: "file"
# Set which input to use between syslog (default) or file.
#var.input: syslog

# The interface to listen to UDP based syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
# var.syslog_host: localhost

# The UDP port to listen for syslog traffic. Defaults to 9001.
#var.syslog_port: 514

# Set the log level from 1 (alerts only) to 7 (include all messages).
# Messages with a log level higher than the specified will be dropped.
# See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
#var.log_level: 5

ftd:
enabled: true

# Set which input to use between syslog (default) or file.
#var.input: syslog

# The interface to listen to UDP based syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
#var.syslog_host: localhost

# The UDP port to listen for syslog traffic. Defaults to 9003.
#var.syslog_port: 9003

# Set the log level from 1 (alerts only) to 7 (include all messages).
# Messages with a log level higher than the specified will be dropped.
# See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html
#var.log_level: 7

ios:
enabled: true

# Set which input to use between syslog (default) or file.
#var.input: syslog

# The interface to listen to UDP based syslog traffic. Defaults to
# localhost. Set to 0.0.0.0 to bind to all available interfaces.
#var.syslog_host: localhost

# The UDP port to listen for syslog traffic. Defaults to 9002.
#var.syslog_port: 9002

# Set custom paths for the log files when using file input. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:`

Inside Kibana/Siem i can only see

image
image1845×904 129 KB

and that's how logs looks inside Kibana

image
image871×447 38.3 KB

Default Cisco Asa Dashborad has no data

image
image1757×712 36.3 KB

How can I approach debugging of this issue?

2

Hello,

I have checked today's the logs output and I can see some log messages in the feed.

image
image1466×190 31.2 KB

Is then failed to find a message something "normal"? How can I get ride of IT?

I am on Filebeat,Elasticsearch,Kibana version .x86_64 7.6.2-1 Centos 7

3

Is this maybe a problem with encoding? My logs are in

# file -i /var/log/syslog/Asa1.log
/var/log/syslog/Asa1.log: text/plain; charset=us-ascii

4

After reading this post I Issued "logging device-id hostname" command on the ASA devices.

Now I can see below messages in the "Logs" tab

image
image1336×158 27.3 KB

I sarted to see Network events from Filebeat Cisco module in SIEM

image
image1432×298 23.3 KB

I also see that not all logs are passed correctly. Is this behavior a bug or I can help Filebeat by issuing some command on an ASA?

image
image1516×561 100 KB

I can see now some data in default dashboard

image
image1871×846 49 KB

Is it proper to have config like below or should i delete the paths for asa or ftd?

  • module: cisco
    asa:
    enabled: true
    var.paths: ["/var/log/syslog/ASA1.log","/var/log/syslog/ASA2.log"]
    var.input: "file"

    ftd:
    enabled: true
    var.paths: ["/var/log/syslog/ASA1.log","/var/log/syslog/ASA2.log"]
    var.input: "file"

5

Glad to see you found a solution for your initial problem.

Regarding the parsing errors for some messages, can you share an anonymized version of their event.original field along with error.message? This will help a lot in fixing the problem.

Also, for your sample configuration, the FTD parses all the messages in ASA plus a few more, so you can ingest this file using only the ftd fileset and disable asa, otherwise you'll have a lot of duplicates.

6

Hello Adrian,

thank you for your replay

Do you want this data in other format or anonymized in other way?

Additionally I have deleted the old Filebeat index and restarted filebeat elasticsearch and kibana services.

image
image1869×927 107 KB

I also noticed after deleting files path config from Asa part in cisco.yml file I stopped seeing new data inside ASA Firewall dashboard. Is there a way to no duplicate entries?

image
image1754×745 54.4 KB

7

After some proper configuration, I can see all the dashboard field with data.

In filebeat journal I can read.

May 27 19:45:28 pl-.pl filebeat[1052]: 2020-05-27T19:45:28.850+0200 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfabc7abe6e600a0, ext:2375418903539, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-cisco-asa-asa-ftd-pipeline"}, Fields:{"agent":{"ephemeral_id":"d5ac0651-7fa2-41cb-92ce-d6f1a5f67de7","hostname":"pl-s950net-tools.cp.pl","id":"4b069842-f4a1-4420-9a89-7e093d2cba6f","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"cisco.asa","module":"cisco","timezone":"+02:00"},"fileset":{"name":"asa"},"host":{"architecture":"x86_64","containerized":false,"hostname":"pl-s950net-tools.cp.pl","id":"41c28f6d08964fcab092cb65e2cc5c18","ip":["ip"],"mac":["00:50:56:","f6:f5:d8:6"],"name":"pl-.pl","os":{"codename":"Core","family":"redhat","kernel":"3.x86_64","name":"CentOS Linux","platform":"centos","version":"7 (Core)"}},"input":{"type":"log"},"log":{"file":{"path":"/var/log/syslog/FWName.log"},"offset":9165815},"message":"2020-05-27T18:45:17+02:00 FWname : %ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::101:1ff:fe00:2/0 laddr fe80::200:1ff:fe00:1/0 type 134 code 0 ","service":{"type":"cisco"},"tags":["cisco-asa"]}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000593d40), Source:"/var/log/syslog/FWname.log", Offset:9165984, Timestamp:time.Time{wall:0xbfabc55f148feb00, ext:20111271980, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x10004a37, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [source.nat.ip] of type [ip] in document with id 'JOQ9V3IB7flxVIMxNW6c'. Preview of field's value: ':200:1ff:fe00:1'","caused_by":{"type":"illegal_argument_exception","reason":"':201:1fa:fe10:1' is not an IP string literal."}}

Should that happen?

8

Hi Adrian,

I noticed that cisco module works opposite to what you said. When I disable asa module I got nothing on a default Cisco dahsboard but when I disable ftd I don't see any data lose. Could you explain that kind of behavior?

9

The dashboard is using fields from the Cisco ASA module. Those are:

cisco.asa.field_name

They should be renamed to:

cisco.ftd.field_name

10

You mean I should do the change in dashboard configuration or that It should be change with next filebeat release?

11

Yes, can you change the existing dashboard to see if that works?

12

I have changed the filed as shown below and enabled "ftd" and disabled "asa" in ~/modules.d/cisco.yml.

image
image1851×779 47.7 KB

But i notice in the request there is

 "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "bool": {
            "should": [
              {
                "exists": {
                  "field": "cisco.asa.message_id"
                }
              }
            ],
            "minimum_should_match": 1
          }

image
image933×863 40.2 KB

I made the request manually with proper "field" name in query bool filter and there was a match.

sudo curl --cacert /etc/elasticsearch/certs/ca/ca.crt -u elastic 'https://ip:9200/_search?pretty' --request GET -H 'Content-Type: application/json' --data '{

head -n 40 elastic.file
    {
      "took" : 195,
      "timed_out" : false,
      "_shards" : {
        "total" : 24,
        "successful" : 20,
        "skipped" : 0,
        "failed" : 4,
        "failures" : [
          {
            "shard" : 0,
            "index" : ".async-search",
            "node" : "clISm-CjRtKnMgvBhh6_AQ",
            "reason" : {
              "type" : "query_shard_exception",
              "reason" : "No mapping found for [@timestamp] in order to sort on",
              "index_uuid" : "jv9H9TL6R1a1pp-gciP66Q",
              "index" : ".async-search"
            }
          },
          {
            "shard" : 0,
            "index" : ".kibana_1",
            "node" : "clISm-CjRtKnMgvBhh6_AQ",
            "reason" : {
              "type" : "query_shard_exception",
              "reason" : "No mapping found for [@timestamp] in order to sort on",
              "index_uuid" : "gzGEfeoyQGmNMuGSRR1Pew",
              "index" : ".kibana_1"
            }
          },
          {
            "shard" : 0,
            "index" : ".kibana_task_manager_1",
            "node" : "clISm-CjRtKnMgvBhh6_AQ",
            "reason" : {
              "type" : "query_shard_exception",
              "reason" : "No mapping found for [@timestamp] in order to sort on",
              "index_uuid" : "yuXVxi0OSxOe2ZNkdjCy1w",
              "index" : ".kibana_task_manager_1"
            }
          },
          {
            "shard" : 0,
            "index" : ".security-7",
            "node" : "clISm-CjRtKnMgvBhh6_AQ",
            "reason" : {
              "type" : "query_shard_exception",
              "reason" : "No mapping found for [@timestamp] in order to sort on",
              "index_uuid" : "APp3J8HeTjSgeSh1Toz0xQ",
              "index" : ".security-7"
            }
          }
        ]
      },
      "hits" : {
        "total" : {
          "value" : 10000,
          "relation" : "gte"
        },
        "max_score" : null,
        "hits" : [ ]
      },
      "aggregations" : {
        "2" : {
          "doc_count_error_upper_bound" : 0,
          "sum_other_doc_count" : 13855,
          "buckets" : [
            {
              "key" : "752015",
              "doc_count" : 3,
              "5" : {
                "doc_count_error_upper_bound" : 0,
                "sum_other_doc_count" : 0,
                "buckets" : [
                  {
                    "key" : "FW",
                    "doc_count" : 3,
                    "1" : {
                      "hits" : {
13

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.