Parsing Cisco ASA Log

I'm trying to parse Cisco ASA logs so that only messages 106023 and 106100 (the permitted traffic and the denied traffic) are kept. I've been having an issue with my configuration; can someone take a look at it? I'm not sure what I am doing wrong.

input {
        # Raw syslog over UDP from the ASA. Every datagram becomes one event tagged
        # with type "cisco-fw" so the filter section can scope its rules to it.
        # UDP syslog carries no sender authentication, so reachability of 5514 should
        # be limited to the firewall's management address (host firewall / listen
        # address) rather than relying on the pipeline to reject foreign senders.
        udp {
                type => "cisco-fw"
                port => 5514
        }
}

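filter {
        # Keep only ASA message IDs 106023 (traffic denied by an access-group) and
        # 106100 (access-list log line, permitted or denied); every other event of
        # this type is dropped at the end of the chain.
        if [type] == "cisco-fw" {
                # ASA syslog tags place the severity between "ASA" and the message ID,
                # e.g. "%ASA-4-106023:" / "%ASA-6-106100:". The original substring
                # test for "%ASA-106023" therefore never matched and every event fell
                # through to drop{}. The severity is matched as a single digit rather
                # than hard-coded because it can be reconfigured on the ASA.
                if [message] =~ /%ASA-\d-106023:/ {
                        # CISCOFW106023 covers only the message body after the tag;
                        # the syslog header (timestamp, host, tag) is not extracted here.
                        # On no match the event is kept and tagged _grokparsefailure,
                        # which is worth watching for in the index.
                        grok {
                                match => { "message" => "%{CISCOFW106023}" }
                        }
                } else if [message] =~ /%ASA-\d-106100:/ {
                        grok {
                                match => { "message" => "%{CISCOFW106100}" }
                        }
                } else {
                        # Anything that is not one of the two ACL messages is discarded.
                        drop {}
                }
        }
}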


output {
        # Index into the local Elasticsearch node, one index per month
        # (index name derived from the event's @timestamp).
        elasticsearch {
                index => "syslog-%{+YYYY.MM}"
                hosts => ["localhost:9200"]
        }
        # Echo every event to the console in Ruby debug form; useful while tuning
        # the filter, noisy in production.
        stdout {
                codec => rubydebug
        }
}
