Pattern Cisco-ASA syslog message : Grokparsefailure ASA410001 ASA313005

Hi everyone !

I used a cisco-asa pattern to filter my syslog messages, but I don't know why I get the tag _grokparsefailure.

My patterns are:

#== Cisco ASA ==
CISCO_TAGGED_SYSLOG <%{POSINT:syslog_pri}>:%%{CISCOTAG:ciscotag}:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-([a-z]+)?-%{INT}-(?:[A-Z0-9_]+)
# Common Particles
CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted
CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
CISCO_DIRECTION Inbound|inbound|Outbound|outbound
CISCO_INTERVAL first hit|%{INT}-second interval
CISCO_XLATE_TYPE static|dynamic

CISCOFW313005 %{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:(?:%{IP:err_src_ip}|%{HOSTNAME:err_src_hostname})(\(%{DATA:err_src_fwuser}\))? dst %{DATA:err_dst_interface}:(?:%{IP:err_dst_ip}|%{HOSTNAME:err_dst_hostname})(\(%{DATA:err_dst_fwuser}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\. Original IP payload: %{WORD:protocol} src (?:%{IP:orig_src_ip}|%{HOSTNAME:orig_src_hostname})/%{INT:orig_src_port}(\(%{DATA:orig_src_fwuser}\))? dst (?:%{IP:orig_dst_ip}|%{HOSTNAME:orig_dst_hostname})/%{INT:orig_dst_port}(\(%{DATA:orig_dst_fwuser}\))?

CISCOFW410001 %{WORD:action} %{WORD:protocol} DNS reply from %{GREEDYDATA:src_interface}:(?:%{IP:src_ip}|%{HOSTNAME:src_hostname})/%{INT:src_port} to %{GREEDYDATA:dst_interface}:(?:%{IP:dst_ip}|%{HOSTNAME:dst_hostname})/%{INT:dst_port}; packet length %{NUMBER:bytes} bytes exceeds configured limit of 512 bytes

And my grok filter is:

filter {
        grok {
            match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
        }
        if "313005" in [ciscotag] {
             grok {
                 match => ["message", "%{CISCOFW313005}"]
             }
        }
        if "410001" in [ciscotag] {
              grok {
                  match => ["message", "%{CISCOFW410001}"]
              }
        }
}

And when I use, for example, http://grokdebug.herokuapp.com/, everything is OK, and my other patterns work fine, but not these ones...

Can you help me?

Thank you very much,

Best regards,

Maxime

If you want help debugging this you need to post the message that isn't parsed correctly.

Hi Magnusblack,

So this is like :slight_smile:

<164>:%ASA--4-410001: Dropped UDP DNS reply from Interface1:9.9.9.9/99 to Interface2:123.45.6.78/12345; packet length 876 bytes exceeds configured limit of 512 bytes 
<164>:%ASA--4-410001: Dropped UDP DNS reply from Interface3:host-name2/99 to Interface4:host-name3/98765; packet length 4602 bytes exceeds configured limit of 512 bytes

And

<164>:%ASA-ip-4-313005: No matching connection for ICMP error message: icmp src Interface1:12.34.567.89 dst Inter-face1:host-name1 (type 3, code 3) on Interface2 interface. Original IP payload: udp host-name2/99 dst 12.3.4.567/99999.

Thank you

In your first grok filter you're extracting the remainder of the message to cisco_message but subsequent grok filters look at message. That's not the root of the problem but it should be corrected.

Looking at the 313005 message it says

Original IP payload: udp host-name2/99 dst

but the corresponding part of your grok expression looks like this:

Original IP payload: %{WORD:protocol} src

To debug problems like this, simplify the grok expression and make it work, then increase the complexity. For example, I started with CISCOFW313005 containing

%{CISCO_REASON:reason} for %{WORD:protocol} error message:

and added more and more of the original expression until _grokparsefailure came back.
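The two points in this reply, running the per-tag grok on cisco_message rather than message and growing the expression token by token until _grokparsefailure comes back, as an added Python example (not part of the thread and not Logstash's own code). It is a minimal grok expander loaded with the Cisco patterns and the three sample lines posted above; the base patterns (IP, HOSTNAME, NUMBER, INT, POSINT, WORD, DATA, GREEDYDATA) are abridged stand-ins I constructed, not the stricter definitions shipped in logstash-patterns-core.

```python
import re

# Abridged stand-ins for the stock grok base patterns (constructed for this
# example; the real definitions in logstash-patterns-core are stricter).
BASE_PATTERNS = {
    "POSINT": r"\b[1-9][0-9]*\b",
    "INT": r"[+-]?[0-9]+",
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]*)?|\.[0-9]+)",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IP": r"(?<![0-9])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9])",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\.?\b",
}

# The Cisco ASA patterns posted in the thread.
CISCO_PATTERNS = {
    "CISCO_TAGGED_SYSLOG": r"<%{POSINT:syslog_pri}>:%%{CISCOTAG:ciscotag}:",
    "CISCOTAG": r"[A-Z0-9]+-([a-z]+)?-%{INT}-(?:[A-Z0-9_]+)",
    "CISCO_REASON": r"Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*",
    "CISCOFW313005": r"%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:(?:%{IP:err_src_ip}|%{HOSTNAME:err_src_hostname})(\(%{DATA:err_src_fwuser}\))? dst %{DATA:err_dst_interface}:(?:%{IP:err_dst_ip}|%{HOSTNAME:err_dst_hostname})(\(%{DATA:err_dst_fwuser}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\. Original IP payload: %{WORD:protocol} src (?:%{IP:orig_src_ip}|%{HOSTNAME:orig_src_hostname})/%{INT:orig_src_port}(\(%{DATA:orig_src_fwuser}\))? dst (?:%{IP:orig_dst_ip}|%{HOSTNAME:orig_dst_hostname})/%{INT:orig_dst_port}(\(%{DATA:orig_dst_fwuser}\))?",
    "CISCOFW410001": r"%{WORD:action} %{WORD:protocol} DNS reply from %{GREEDYDATA:src_interface}:(?:%{IP:src_ip}|%{HOSTNAME:src_hostname})/%{INT:src_port} to %{GREEDYDATA:dst_interface}:(?:%{IP:dst_ip}|%{HOSTNAME:dst_hostname})/%{INT:dst_port}; packet length %{NUMBER:bytes} bytes exceeds configured limit of 512 bytes",
}
PATTERNS = {**BASE_PATTERNS, **CISCO_PATTERNS}

# %{NAME}, %{NAME:field} and %{NAME:field:type} references inside a pattern.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::\w+)?\}")


class Grok:
    """Minimal grok: expand %{...} references into a single Python regex."""

    def __init__(self, pattern, patterns=PATTERNS):
        self.fields = {}  # regex group name -> grok field name
        self.regex = re.compile(self._expand(pattern, patterns))

    def _expand(self, text, patterns):
        def sub(m):
            body = self._expand(patterns[m.group(1)], patterns)
            if m.group(2) is None:
                return f"(?:{body})"
            # Grok (Oniguruma) allows the same field name twice, Python's re does
            # not, so every capture gets a unique group id mapped back to its field.
            gid = f"g{len(self.fields)}"
            self.fields[gid] = m.group(2)
            return f"(?P<{gid}>{body})"
        return GROK_REF.sub(sub, text)

    def match(self, text):
        m = self.regex.search(text)  # Logstash grok is unanchored: search, not match
        if m is None:
            return None
        out = {}
        for gid, field in self.fields.items():
            if m.group(gid) is not None:
                out.setdefault(field, []).append(m.group(gid))
        return {k: v[0] if len(v) == 1 else v for k, v in out.items()}


def parse_asa(line):
    """The corrected two-stage filter: the tag grok leaves the rest of the line
    in cisco_message, and the per-tag grok runs on cisco_message, not message."""
    event = {"message": line, "tags": []}
    head = Grok("%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}").match(line)
    if head is None:
        event["tags"].append("_grokparsefailure")
        return event
    event.update(head)
    for tag_id, name in (("313005", "CISCOFW313005"), ("410001", "CISCOFW410001")):
        if tag_id in event["ciscotag"]:
            body = Grok("%{" + name + "}").match(event["cisco_message"])
            if body is None:
                event["tags"].append("_grokparsefailure")
            else:
                event.update(body)
    return event


def first_failing_token(pattern_text, text):
    """The incremental method from the reply, automated: try ever-longer
    whitespace-separated prefixes of the pattern until one stops matching.
    Returns (index, token) of the first token that breaks the match, or None
    when the whole pattern matches."""
    tokens = pattern_text.split()
    for i in range(1, len(tokens) + 1):
        if Grok(" ".join(tokens[:i])).match(text) is None:
            return i - 1, tokens[i - 1]
    return None


# The sample lines posted in the thread.
SAMPLES = [
    "<164>:%ASA--4-410001: Dropped UDP DNS reply from Interface1:9.9.9.9/99 to Interface2:123.45.6.78/12345; packet length 876 bytes exceeds configured limit of 512 bytes",
    "<164>:%ASA--4-410001: Dropped UDP DNS reply from Interface3:host-name2/99 to Interface4:host-name3/98765; packet length 4602 bytes exceeds configured limit of 512 bytes",
    "<164>:%ASA-ip-4-313005: No matching connection for ICMP error message: icmp src Interface1:12.34.567.89 dst Inter-face1:host-name1 (type 3, code 3) on Interface2 interface. Original IP payload: udp host-name2/99 dst 12.3.4.567/99999.",
]

if __name__ == "__main__":
    for line in SAMPLES:
        event = parse_asa(line)
        print(event["ciscotag"], event["tags"])
        if "_grokparsefailure" in event["tags"]:
            pattern = PATTERNS["CISCOFW" + event["ciscotag"].rsplit("-", 1)[1]]
            print("  first failing token:", first_failing_token(pattern, event["cisco_message"]))
```

With these stand-in base patterns both 410001 lines parse cleanly, and for the 313005 line the prefix search stops at the second `src` token, immediately after `Original IP payload: %{WORD:protocol}`, which is exactly where the reply above points: the message reads `udp host-name2/99 dst` while the pattern expects `src` there. The automated loop only tells you which token broke the match; whether the pattern or the logging format is at fault is still a decision for the person maintaining the pipeline.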