Need help with configuring cisco module in filebeat

I am planning to use the cisco module in Filebeat to ship syslog messages from a Cisco ASA firewall to Elasticsearch through Logstash.

So far, I have installed Filebeat on a Windows 7 machine and enabled the cisco module. I enabled security in Elasticsearch.

Filebeat is not receiving any syslog messages.

Can somebody tell me what to do next?

OK! I managed to get the logs shipped to Elasticsearch through Logstash. But the logs are not showing the firewall details, only the message. The SIEM app is not detecting any successful or failed login events. What do I do? What fields do I need to parse?

I believe this issue is happening because Filebeat failed to parse the syslog message from the firewall:
syslog/input.go:132 can't parse event as syslog rfc3164 {"message": "<166>hostname-FW %ASA-6-113012: AAA user authentication Successful : local database : user = user1\n"}

Can anyone help?
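As an added example (not Filebeat or Elastic code), a small Python parser for the line quoted above: it shows that a strict RFC 3164 parser rejects the line because no timestamp follows the priority, and it pulls out the fields the login views need (facility and severity from the PRI, the ASA message ID, the outcome and the user). The output field names are assumptions, and the two extra sample lines are constructed.

```python
import re

# Strict RFC 3164 header: <PRI>TIMESTAMP HOSTNAME MSG (the timestamp is mandatory)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# What the ASA emitted in the thread: no timestamp, hostname straight after <PRI>
ASA_NO_TS = re.compile(r"^<(?P<pri>\d{1,3})>(?P<host>\S+) (?P<msg>%ASA-.*)$")
ASA_MSG = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$")
USER = re.compile(r"\buser = (?P<user>\S+)")

def parse(line):
    """Return a dict of fields (assumed names), or None if neither form matches."""
    line = line.rstrip("\r\n")
    m = RFC3164.match(line)
    rec = {"rfc3164_ok": m is not None}  # False for the line from the thread
    if m is None:
        m = ASA_NO_TS.match(line)
        if m is None:
            return None
    pri = int(m.group("pri"))
    rec["facility"], rec["severity"] = divmod(pri, 8)  # <166> -> local4 (20), info (6)
    rec["host"] = m.group("host")
    am = ASA_MSG.match(m.group("msg"))
    if am:
        rec["asa_message_id"] = am.group("msgid")
        text = am.group("text")
        # Outcome is taken from the message text; the SIEM login views key on it
        if "authentication Successful" in text:
            rec["event_outcome"] = "success"
        elif "authentication Rejected" in text:
            rec["event_outcome"] = "failure"
        u = USER.search(text)
        if u:
            rec["user_name"] = u.group("user")
    return rec

# Sample input: the first line is the one quoted in the thread; the other two are
# constructed (a rejected login, and the same event with ASA timestamps enabled).
SAMPLE = [
    "<166>hostname-FW %ASA-6-113012: AAA user authentication Successful : local database : user = user1\n",
    "<166>hostname-FW %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = user1\n",
    "<166>Jul 10 12:00:01 hostname-FW %ASA-6-113012: AAA user authentication Successful : local database : user = user1\n",
]

if __name__ == "__main__":
    for sample in SAMPLE:
        print(parse(sample))
```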

Hi @mancharagopan,

Log parsing for the iptables module is done in Elasticsearch ingest nodes; if you are using Logstash you may need some extra setup so Elasticsearch knows what pipeline to apply. You can find more information about this here: https://www.elastic.co/guide/en/logstash/7.2/filebeat-modules.html

Why do you need Logstash in this scenario? You can also consider sending the logs directly from Filebeat to Elasticsearch so the setup is easier.
