Parse error for cisco asa logs in filebeat module

alexb145 · July 18, 2019, 6:01pm

I'm trying to send and parse data using the filebeat cisco module. We're getting the data to filebeat via syslog on an UDP port/ The data gets to elasticsearch, but the message field isn't parsed into the cisco module data (no cisco.* fields are present). This is the error message in the document's error.message field, with IPs redacted:

Provided Grok expressions do not match field value: [Built inbound TCP connection 9999999999 for ZONE-NAME:10.99.120.19/48903 (10.99.120.19/48903) to ZONE-NAME2:10.99.140.18/4005 (10.99.140.18/4005)]

And here's a typical unformatted syslog entry:
<166>Jul 19 2019 02:59:35: %ASA-6-302020: Built outbound ICMP connection for faddr 10.99.140.18/0 gaddr 10.99.140.18/55627 laddr 10.99.146.22/55627

Any idea why this might be happening or what we're doing wrong?

adrisr · July 18, 2019, 8:02pm

There's a problem with the syslog format used, it's not rfc3164 compliant. We need to find an alternative to this as many Cisco devices are failing because of that.

The problem is with the date format used (syslog rfc3164 doesn't include a year). Is there a configuration setting in your device where you can select a different date format?

system · August 15, 2019, 8:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Syslog Input -> Cisco ASA not fully parsing Beats filebeat	1	592	September 27, 2019
Filebeat syslog parse error Beats filebeat	10	5904	August 28, 2019
Filebeat 7.3.2 Cisco Module Parsing issue for ASA Syslog rfc3164 Beats filebeat	3	1148	November 21, 2019
Filebeat cisco module not parsing ASA logs Beats filebeat	1	378	November 6, 2019
Filebeat Cisco ASA Module failing to parse Beats filebeat	12	585	December 29, 2020

Parse error for cisco asa logs in filebeat module

Related topics