We are parsing ASA logs in Elasticsearch in the following format. Around 1000 logs per minute are ingested into Elasticsearch. My requirement is to be able to take each message and show it in real time in a Kibana table to users, so they can search the values from the table. We want the table to represent each message in the following format:
timestamp, src_ip, dst_ip, src_port, dst_port, action, ciscotag, reason, cisco_message, hashcode1, hashcode2
I have tried to create the table using a Terms aggregation; however, I have seen an issue: when hashcode1 and hashcode2 are missing from the message (which is normal), I don't see any values in the table.
I was wondering if there is any way to match the _id of each document and populate all the required values in the table, and if any value is missing from the document, it should just be ignored.
@timestamp June 1st 2017, 18:48:58.258
@version 1
_id AVxkxlQcZZ8zmTPO84Aq
_index logstash_asalogs-2017.06.01
_score -
_type cisco-fw
action permitted
cisco_message access-list external_access_in permitted udp external/10.135.1.12(62525) -> inside/10.138.7.14(53) hit-cnt 1 first hit [0xde8dd1d7, 0xbb4301cd]
ciscotag ASA-6-106100
dst_interface inside
dst_ip 10.138.7.14
dst_port 53
hashcode1 0xde8dd1d7
hashcode2 0xbb4301cd
hit_count 1
host 10.138.252.14
interval first hit
message <182>Jun 01 2017 18:48:58: %ASA-6-106100: access-list external_access_in permitted udp external/10.135.1.12(62525) -> inside/10.138.7.14(53) hit-cnt 1 first hit [0xde8dd1d7, 0xbb4301cd]
policy_id external_access_in
protocol udp
src_interface external
src_ip 10.135.1.12
src_port 62525
syslog_facility local6
syslog_facility_code 22
syslog_pri 182
syslog_severity informational
syslog_severity_code 6
tags pre-processed, Firewall, ASA, _geoip_lookup_failure
timestamp Jun 01 2017 18:48:58
type cisco-fw
Below is the table setting in Kibana.
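The point the question turns on is that a Terms aggregation buckets on field values, so a document with no hashcode1 or hashcode2 simply has no bucket and disappears, whereas a per-document (search-hit) view keeps the row and leaves the missing cells empty. The following is an added example, not code from the original post or from Elastic: it parses the %ASA-6-106100 line shown above into the same field names the post lists, treats the trailing `[hash1, hash2]` group as optional, and then flattens either a parsed document or an Elasticsearch hit's `_source` into a row in the requested column order, filling `""` for any field the document lacks. The sample lines are constructed (the first is the post's own message; the second, a denied line with a `300-second interval` and no hashes, is assumed to follow the same 106100 layout). Field names such as `reason`, `interval`, and `hit_count` are taken from the post; everything else is an assumption of this example.

```python
import re

# Column order the post asks the Kibana table to show.
COLUMNS = ["timestamp", "src_ip", "dst_ip", "src_port", "dst_port", "action",
           "ciscotag", "reason", "cisco_message", "hashcode1", "hashcode2"]

# Syslog header + ASA tag, as in the post's "message" field.
SYSLOG_RE = re.compile(
    r"^<(?P<syslog_pri>\d+)>(?P<timestamp>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<severity>\d)-(?P<message_id>\d+): (?P<cisco_message>.*)$"
)

# Body of a 106100 access-list message. The "[hash1, hash2]" group is optional,
# so a line without the hit-count hashes still parses (assumption: the hashes
# are the only part of the body that may be absent).
ACL_RE = re.compile(
    r"^access-list (?P<policy_id>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<protocol>\w+) (?P<src_interface>[^/]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_interface>[^/]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hit_count>\d+) (?P<interval>first hit|\d+-second interval)"
    r"(?: \[(?P<hashcode1>0x[0-9a-fA-F]+), (?P<hashcode2>0x[0-9a-fA-F]+)\])?\s*$"
)

# Constructed sample input: the first line is the post's message field, the
# second is an assumed denied line without the hash suffix.
WITH_HASH = ("<182>Jun 01 2017 18:48:58: %ASA-6-106100: access-list external_access_in "
             "permitted udp external/10.135.1.12(62525) -> inside/10.138.7.14(53) "
             "hit-cnt 1 first hit [0xde8dd1d7, 0xbb4301cd]")
NO_HASH = ("<182>Jun 01 2017 18:49:02: %ASA-6-106100: access-list external_access_in "
           "denied tcp external/10.135.1.12(40001) -> inside/10.138.7.14(22) "
           "hit-cnt 3 300-second interval")


def parse_asa(line):
    """Parse one ASA syslog line into a flat dict like the post's document.

    Returns None when the line is not an ASA syslog message. Fields that are
    absent from the line (e.g. the hashcodes) are left out of the dict, which
    mirrors an Elasticsearch document that simply has no such field.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    doc = dict(m.groupdict())
    doc["ciscotag"] = f"ASA-{doc.pop('severity')}-{doc.pop('message_id')}"
    if doc["ciscotag"] == "ASA-6-106100":
        body = ACL_RE.match(doc["cisco_message"])
        if body:
            # Drop None so an unmatched optional group does not create a key.
            doc.update({k: v for k, v in body.groupdict().items() if v is not None})
    return doc


def to_row(doc, columns=COLUMNS):
    """One table row per document; a missing field becomes an empty cell."""
    return [doc.get(c, "") for c in columns]


def rows_from_hits(hits, columns=COLUMNS):
    """Turn search hits (as returned in hits.hits) into (_id, row) pairs.

    This is the document-level view the question wants: every hit yields a row,
    keyed by its _id, regardless of which fields it carries.
    """
    return [(hit["_id"], to_row(hit.get("_source", {}), columns)) for hit in hits]


if __name__ == "__main__":
    for line in (WITH_HASH, NO_HASH):
        print(to_row(parse_asa(line)))
```

In Kibana terms, the same effect is what Discover (a saved search with the columns above selected) gives you: one row per document, empty cells where a field is missing. A Terms aggregation on hashcode1 or hashcode2 can only ever show documents that have those fields.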