Problem Description:
I have the following log that needs to be filtered, and I found some of the Cisco ASA filters to be really useful.
Jul 09 2017 23:34:50: %ASA-4-106023: Deny tcp src outside:1.2.3.4.5 ......
However, there is one issue: in all of the examples, the ASA log pattern is slightly different from mine. They all have a priority number at the beginning, like this:
<123>Jul 09 2017 23:34:50: %ASA-4-106023: Deny tcp src outside:1.2.3.4.5 ......
Using the same filter pattern obviously caused trouble and the parse was incomplete, which resulted in the timestamp being incorrectly parsed. The <123> portion is filtered by syslog_pri { }, which is part of the {CISCO_TAGGED_SYSLOG}. This is all built in within the plugin, so I can't really change anything. Here is the grok library: http://grokconstructor.appspot.com/groklib/firewalls
Below is my code that filters it. I thought I could get away with removing the "syslog_pri {}", but that didn't work.
filter {
  grok {
    match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
  }
  # Parse the syslog severity and facility
  syslog_pri { }
  # Parse the date from the "timestamp" field to the "@timestamp" field
  date {
    match => ["timestamp",
      "MMM dd HH:mm:ss",
      "MMM d HH:mm:ss",
      "MMM dd yyyy HH:mm:ss",
      "MMM d yyyy HH:mm:ss"
    ]
    timezone => "America/New_York"
  }
}
So my question is: is there any way that I can skip the part where the regex looks for <123>? I'd imagine that I could somehow put a regex to negate the <123> regex in front of the {CISCO_TAGGED_SYSLOG} portion?
Thanks for any help!!
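The parsing problem described in the post, as an added example that is not part of the original post or of the Logstash patterns library: the regex below is a Python rendering of the library's CISCO_TAGGED_SYSLOG pattern (priority, CISCOTIMESTAMP, optional host, CISCOTAG) with the <pri> prefix made optional, so the same parser accepts both the tagged lines from the examples and the untagged lines the poster has. The facility/severity split mirrors what syslog_pri { } derives from the priority; the sample lines and the message body are constructed, and the date filter's timezone conversion is left out.

```python
import re
from datetime import datetime

# Optional "<pri>" prefix, then month/day/[year]/time, optional host,
# "%ASA-4-106023:" style tag, and the rest of the line as the message.
ASA_RE = re.compile(
    r"^(?:<(?P<syslog_pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2})"
    r"(?: (?P<sysloghost>\S+))?: %(?P<ciscotag>[A-Z0-9]+-\d+-[A-Z0-9_]+): "
    r"(?P<cisco_message>.*)$"
)

# Same two shapes the poster's date filter accepts (with and without year);
# strptime's %d takes one- or two-digit days, so four grok formats become two.
DATE_FORMATS = ("%b %d %Y %H:%M:%S", "%b %d %H:%M:%S")

def parse_asa_line(line, default_year=None):
    """Return a dict of parsed fields, or None if the line is not an ASA log."""
    m = ASA_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    pri = fields.pop("syslog_pri")
    if pri is not None:              # only tagged lines carry a priority
        pri = int(pri)
        fields["syslog_pri"] = pri
        fields["syslog_facility_code"] = pri >> 3   # <123> -> 15 (local7)
        fields["syslog_severity_code"] = pri & 7    # <123> -> 3  (error)
    ts = re.sub(r" +", " ", fields["timestamp"])    # "Jul  9" -> "Jul 9"
    for fmt in DATE_FORMATS:
        try:
            dt = datetime.strptime(ts, fmt)
            break
        except ValueError:
            continue
    else:
        return None
    if dt.year == 1900:              # yearless syslog timestamp: fill the year in
        dt = dt.replace(year=default_year or datetime.now().year)
    fields["@timestamp"] = dt
    return fields

# Constructed sample lines: one tagged with a priority, one untagged, one yearless.
MSG = 'Deny tcp src outside:192.0.2.10/51234 dst inside:10.0.0.5/443 by access-group "outside_in"'
TAGGED   = "<123>Jul 09 2017 23:34:50: %ASA-4-106023: " + MSG
UNTAGGED = "Jul 09 2017 23:34:50: %ASA-4-106023: " + MSG
YEARLESS = "Jul  9 23:34:50: %ASA-4-106023: " + MSG
```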