Pattern Cisco-ASA syslog message : Grokparsefailure

Elastic Stack Logstash
1

I used a cisco-asa pattern to filter my syslog message but i don't know why I keep getting tags:_grokparsefailure

Message:

Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client INTERNET:1.2.3.4/57767 to 5.6.7.8/443

Pattern:

Device chooses cipher %{GREEDYDATA:cipher} for the SSL session with %{DATA:peer-type} %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}

Grok Debugger Results:

image
image.png874×394 32.6 KB

Logstash Filter

input {
    file {
        path => "/logs/*"
    }
}
filter {
  fingerprint {
    method => "SHA256"
    key => "Log Aggregation"
    target => "[@metadata][fingerprint]"
  }
}
filter {
    json {
        source => "message"
    }
}
filter {
  grok {
    patterns_dir => "/usr/share/logstash/pipeline/patterns"
    match => [
      "message", "%{CISCOFW104001}",
      "message", "%{CISCOFW104002}",
      "message", "%{CISCOFW104003}",
      "message", "%{CISCOFW104004}",
      "message", "%{CISCOFW105003}",
      "message", "%{CISCOFW105004}",
      "message", "%{CISCOFW105005}",
      "message", "%{CISCOFW105008}",
      "message", "%{CISCOFW105009}",
      "message", "%{CISCOFW106001}",
      "message", "%{CISCOFW106006_106007_106010}",
      "message", "%{CISCOFW106015}",
      "message", "%{CISCOFW106021}",
      "message", "%{CISCOFW106023}",
      "message", "%{CISCOFW106100}",
      "message", "%{CISCOFW110002}",
      "message", "%{CISCOFW302010}",
      "message", "%{CISCOFW302013_302014_302015_302016}",
      "message", "%{CISCOFW302020_302021}",
      "message", "%{CISCOFW305011}",
      "message", "%{CISCOFW313001_313004_313008}",
      "message", "%{CISCOFW313005}",
      "message", "%{CISCOFW321001}",
      "message", "%{CISCOFW402117}",
      "message", "%{CISCOFW402119}",
      "message", "%{CISCOFW419001}",
      "message", "%{CISCOFW419002}",
      "message", "%{CISCOFW500004}",
      "message", "%{CISCOFW602303_602304}",
      "message", "%{CISCOFW710001_710002_710003_710005_710006}",
      "message", "%{CISCOFW713172}",
      "message", "%{CISCOFW733100}",
      "message", "%{CISCOFW106014}",
      "message", "%{CISCOFW725011}",
      "message", "%{CISCOFW722036}", 
      "message", "%{CISCOFW106017}",
      "message", "%{CISCOFW106020}",
      "message", "%{CISCOFW305006}",
      "message", "%{CISCOFW313008}",
      "message", "%{CISCOFW106012}",
      "message", "%{CISCOFW716003}",
      "message", "%{CISCOFW725001}",
      "message", "%{CISCOFW725002}",
      "message", "%{CISCOFW725003}",
      "message", "%{CISCOFW725007}",
      "message", "%{CISCOFW725008}",
      "message", "%{CISCOFW725010}",
      "message", "%{CISCOFW725012}",
      "message", "%{CISCOFW611101}"
#        "message", "%{}",
    ]
    add_field => ["parsed_by", "101-filter-asa.conf"]
  }
  syslog_pri { }
  #if !("_grokparsefailure" in [tags]) {
  #  mutate {
  #    replace => [ "@source_host", "%{syslog_hostname}" ]
  #    replace => [ "@message", "%{syslog_message}" ]
  #  }
  #}
  geoip {
    #add_tag => [ "geo_src" ]
    source => "src_ip"
  }
  geoip {
    #add_tag => [ "geop_dst" ]
    source => "dst_ip"
  }
}
output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200/"]
    document_id => "%{[@metadata][fingerprint]}"
  }
}

Kibana search results

image
image.png874×414 50.8 KB

2

It could be me but you test grok pattern A but then in the logstash filter your using filter B. Those CISCOFW106* look like custom patterns, with the current setup it will try to match any of them and if one fails it adds the tag _grokparsefailure.

Try to add break_on_match and see of that will help.

3

I appreciate the feedback. So in my example its really the ASA-7-725012 that is getting the grok parse failure and that's the pattern I provided. I am not sure why its failing on matching. I looked at the break on match and it appears it defaults too true.

4

If you leave just your pattern and test it, does it still produce a _grokparsefailure?

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.