Parse error for cisco asa logs in filebeat module

I'm trying to send and parse data using the filebeat cisco module. We're getting the data to filebeat via syslog on a UDP port. The data gets to elasticsearch, but the message field isn't parsed into the cisco module data (no cisco.* fields are present). This is the error message in the document's error.message field, with IPs redacted:

Provided Grok expressions do not match field value: [Built inbound TCP connection 9999999999 for ZONE-NAME:10.99.120.19/48903 (10.99.120.19/48903) to ZONE-NAME2:10.99.140.18/4005 (10.99.140.18/4005)]

And here's a typical unformatted syslog entry:
<166>Jul 19 2019 02:59:35: %ASA-6-302020: Built outbound ICMP connection for faddr 10.99.140.18/0 gaddr 10.99.140.18/55627 laddr 10.99.146.22/55627

Any idea why this might be happening or what we're doing wrong?

There's a problem with the syslog format used, it's not rfc3164 compliant. We need to find an alternative to this as many Cisco devices are failing because of that.

The problem is with the date format used (syslog rfc3164 doesn't include a year). Is there a configuration setting in your device where you can select a different date format?
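To make the date-format point concrete, here is an added example (not from this thread and not Filebeat's own ingest pipeline): a strict RFC 3164 header pattern, which rejects the ASA "Mmm dd yyyy hh:mm:ss:" form because the year sits where the time is expected, next to a tolerant parser that accepts both forms and then decodes the connection-built message bodies quoted above. The sample lines are constructed from the formats shown in the thread; the message ID 302013 on the TCP line and the hostname `fw01` are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the thread's formats (not captured from a real device).
RFC3164_LINE = ("<166>Jul 19 02:59:35 fw01 %ASA-6-302020: Built outbound ICMP connection "
                "for faddr 10.99.140.18/0 gaddr 10.99.140.18/55627 laddr 10.99.146.22/55627")
ASA_YEAR_LINE = ("<166>Jul 19 2019 02:59:35: %ASA-6-302020: Built outbound ICMP connection "
                 "for faddr 10.99.140.18/0 gaddr 10.99.140.18/55627 laddr 10.99.146.22/55627")
# Message ID 302013 is assumed here for the "Built ... TCP connection" body quoted in the question.
ASA_TCP_LINE = ("<166>Jul 19 2019 02:59:35: %ASA-6-302013: Built inbound TCP connection 9999999999 "
                "for ZONE-NAME:10.99.120.19/48903 (10.99.120.19/48903) "
                "to ZONE-NAME2:10.99.140.18/4005 (10.99.140.18/4005)")

# Strict RFC 3164 header: "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG" with no year and no colon after the time.
RFC3164_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$")

# Tolerant header: optional four-digit year, optional ":" after the time, optional hostname,
# then the %ASA-<severity>-<message id>: tag and the message body.
ASA_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d(?: \d{4})? \d{2}:\d{2}:\d{2})"
    r":? "
    r"(?:(?P<host>(?!%ASA-)\S+) )?"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")

# Body patterns for the two "Built ... connection" messages seen in the thread.
CONN_BUILT = re.compile(
    r"^Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
    r"for (?P<src_zone>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_zone>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)")
ICMP_BUILT = re.compile(
    r"^Built (?P<direction>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)")


def is_rfc3164(line):
    """True only when the header is strictly RFC 3164 (this is what rejects the year-bearing form)."""
    return RFC3164_HEADER.match(line) is not None


def parse_header(line, default_year):
    """Parse PRI, timestamp, optional host and the %ASA tag; return None when the header is unknown."""
    m = ASA_HEADER.match(line)
    if m is None:
        return None
    facility, severity = divmod(int(m["pri"]), 8)  # RFC 3164 PRI = facility * 8 + severity
    fields = m["ts"].split()
    if len(fields) == 4:  # Mmm dd yyyy hh:mm:ss (the ASA form from the thread)
        stamp = datetime.strptime(" ".join(fields), "%b %d %Y %H:%M:%S")
    else:                 # Mmm dd hh:mm:ss: RFC 3164 carries no year, so the receiver supplies one
        stamp = datetime.strptime(f"{fields[0]} {fields[1]} {default_year} {fields[2]}",
                                  "%b %d %Y %H:%M:%S")
    return {"facility": facility, "severity": severity, "timestamp": stamp,
            "host": m["host"], "asa_severity": int(m["sev"]),
            "message_id": m["msgid"], "body": m["body"]}


def parse_asa(line, default_year=2019):
    """Header plus, where a known body pattern matches, the decoded connection fields."""
    record = parse_header(line, default_year)
    if record is None:
        return None
    for pattern in (CONN_BUILT, ICMP_BUILT):
        m = pattern.match(record["body"])
        if m:
            record.update(m.groupdict())
            break
    return record


if __name__ == "__main__":
    for sample in (RFC3164_LINE, ASA_YEAR_LINE, ASA_TCP_LINE):
        print("strict RFC 3164:", is_rfc3164(sample))
        print(parse_asa(sample))
```

The strict pattern accepts the hostname-bearing RFC 3164 line and rejects both ASA lines, which is the failure mode described in the answer; the tolerant header handles the year and the trailing colon, and everything after the `%ASA` tag is decoded the same way for both forms.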
