I'm trying to parse Cisco logs to only show messages 106023 and 106100, which are the permitted traffic and the denied traffic. I've been having an issue with my configuration. Can someone take a look at it? I'm not sure what I am doing wrong.
input {
  udp {
    port => 5514
    type => "cisco-fw"
  }
}

filter {
  if [type] == "cisco-fw" {
    # ASA syslog tags carry the severity between "ASA-" and the message ID
    # (106023 is logged as "%ASA-4-106023:", 106100 as "%ASA-6-106100:"),
    # so a literal "%ASA-106023" substring never matches and every event
    # falls through to drop {}. Test the tag with a regex instead.
    if [message] =~ /%ASA-\d-106023:/ {
      grok {
        match => [ "message", "%{CISCOFW106023}" ]
      }
    } else if [message] =~ /%ASA-\d-106100:/ {
      grok {
        match => [ "message", "%{CISCOFW106100}" ]
      }
    } else {
      # anything that is not a permit/deny event is discarded
      drop {}
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "syslog-%{+YYYY.MM}"
  }
  stdout { codec => rubydebug }
}
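The following Python script is an added illustration, not part of the original post and not Logstash code: it shows, on three constructed ASA syslog lines, why the literal `"%ASA-106023" in [message]` test never fires (the firewall emits `%ASA-4-106023:` with the severity in between), what a severity-agnostic tag check looks like, and the fields a filter that keeps only 106023/106100 would end up with. The `BODY_RE` extractors are my own approximations of what the `CISCOFW106023` and `CISCOFW106100` grok patterns pull out; they are not those patterns, and the sample lines, host name `fw01`, and ACL name `OUTSIDE_IN` are made up.

```python
import re

# Constructed sample ASA syslog lines (not taken from the original post).
# Message 106023 is logged at severity 4 and 106100 at severity 6, so the
# tag the firewall actually emits is "%ASA-4-106023:" / "%ASA-6-106100:".
SAMPLE_LINES = [
    '<164>Jun 14 10:02:11 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.10/51234 '
    'dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '<166>Jun 14 10:02:12 fw01 %ASA-6-106100: access-list OUTSIDE_IN permitted tcp '
    'outside/203.0.113.11(40512) -> inside/10.0.0.8(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]',
    '<166>Jun 14 10:02:13 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for '
    'outside:203.0.113.11/40512 (203.0.113.11/40512) to inside:10.0.0.8/443 (10.0.0.8/443)',
]

# The syslog tag: "%ASA-<severity>-<message id>:"
TAG_RE = re.compile(r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}):")

# Hypothetical field extractors, written to resemble the fields the
# CISCOFW106023 / CISCOFW106100 grok patterns yield; they are not those patterns.
BODY_RE = {
    "106023": re.compile(
        r"Deny (?P<protocol>\w+) src (?P<src_interface>[^:]+):(?P<src_ip>[^/\s]+)"
        r"(?:/(?P<src_port>\d+))? dst (?P<dst_interface>[^:]+):(?P<dst_ip>[^/\s]+)"
        r"(?:/(?P<dst_port>\d+))? by access-group \"?(?P<policy_id>[^\"\s]+)\"?"
    ),
    "106100": re.compile(
        r"access-list (?P<policy_id>\S+) (?P<action>permitted|denied|est-allowed) "
        r"(?P<protocol>\w+) (?P<src_interface>[^/]+)/(?P<src_ip>[^(]+)\((?P<src_port>\d+)\)"
        r" -> (?P<dst_interface>[^/]+)/(?P<dst_ip>[^(]+)\((?P<dst_port>\d+)\)"
        r" hit-cnt (?P<hit_count>\d+)"
    ),
}


def naive_substring_check(line, msg_id):
    """The test from the posted config: a literal '%ASA-<id>' substring."""
    return f"%ASA-{msg_id}" in line


def tag_check(line, msg_id):
    """Severity-agnostic test, equivalent to an =~ /%ASA-\\d-<id>:/ conditional."""
    return re.search(rf"%ASA-\d-{msg_id}:", line) is not None


def parse_asa(line):
    """Return extracted fields for 106023/106100 lines, None for anything else."""
    tag = TAG_RE.search(line)
    if tag is None:
        return None
    msg_id = tag.group("msg_id")
    body_re = BODY_RE.get(msg_id)
    if body_re is None:
        return None  # same effect as the config's drop {}
    m = body_re.search(line[tag.end():])
    if m is None:
        return None
    fields = {"cisco_severity": tag.group("severity"), "cisco_message_id": msg_id}
    if msg_id == "106023":
        fields["action"] = "denied"  # 106023 is always a deny
    fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def filter_lines(lines):
    """Keep only the permitted/denied traffic events, as the config intends."""
    return [f for f in map(parse_asa, lines) if f is not None]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(naive_substring_check(line, "106023"), tag_check(line, "106023"))
        print(parse_asa(line))
```

Running it prints `False` for the substring check on every line, including the genuine 106023 event, while the tag check and the parser keep the two permit/deny events and discard the 302013 connection-built line. The same behaviour is what the `=~ /%ASA-\d-106023:/` style conditional gives in the Logstash pipeline.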