Send Cisco ASA Logs to ElasticSearch

Hi, I am new to Elastic and need some help, as I could not find an answer even after extensive googling.
I have installed Elasticsearch 7.5, Kibana 7.5, Filebeat and Logstash.
All of these things work fine when I forward Linux system logs using the Filebeat system module, and I can see the Linux logs in Elasticsearch.

Now I need to send firewall logs to Elasticsearch, but it doesn't work. I have removed Logstash from the Filebeat output and left Elasticsearch only, but it still doesn't work. I need to forward all the logs from the ASA firewalls to Elasticsearch.

I ran tcpdump to see if packets are coming to the machine, and I can see the firewall is sending a bunch of data to the system on port 9000.

Here are a few of the outputs.

[root@elk-ap01.dev modules.d] 0 # filebeat modules list
Enabled:
cisco
system

Disabled:
apache

[root@elk-ap01.dev modules.d] 2 # cat ../filebeat.yml | grep -v "#"
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
- type: syslog
  enabled: true
  protocol.udp:
    host: "0.0.0.0:9000"

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "elkdev.domain.com:5601"

output.elasticsearch:
  hosts: ["elkdev.domain.com:9200"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

[root@elk-ap01.dev modules.d] 0 #

What am I missing, and how can I see the firewall logs in Kibana?
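One way to check what actually arrives on UDP 9000 before digging further into Filebeat, as an added example that is not from this thread: a small Python parser for the Cisco ASA syslog header (`%ASA-<severity>-<message id>:`), which is the header the Filebeat cisco module's asa fileset parses, run over constructed sample datagrams. The sample lines, hostnames and addresses below are made up; `listen()` is a hypothetical helper that binds the same socket as the syslog input in the config above.

```python
import re
import socket

# Constructed sample datagrams: two ASA messages as the firewall would emit them
# (one with "logging timestamp"/"logging device-id" enabled, one without) and
# one ordinary Linux syslog line that carries no ASA header.
SAMPLE_DATAGRAMS = [
    b"<166>Dec 19 2019 10:15:02 fw01 : %ASA-6-302013: Built outbound TCP connection "
    b"12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/50000 (203.0.113.1/50000)",
    b"<164>%ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.8/22 "
    b'by access-group "OUTSIDE_IN" [0x0, 0x0]',
    b"<86>Dec 19 10:15:03 elk-ap01 sshd[2311]: Accepted publickey for admin from 10.0.0.2",
]

# RFC 3164 PRI, optional timestamp and device-id, then the ASA message header.
ASA_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<host>\S+) : )?"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)

def parse_asa(datagram: bytes):
    """Return the decoded ASA fields, or None if this is not an ASA message."""
    m = ASA_RE.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,           # PRI = facility * 8 + severity
        "severity": pri & 7,
        "asa_severity": int(m["sev"]),  # should equal the PRI severity
        "message_id": m["msgid"],       # e.g. 302013, 106023
        "timestamp": m["ts"],           # None when "logging timestamp" is off
        "hostname": m["host"],          # None when "logging device-id" is off
        "message": m["body"],
    }

def summarize(datagrams) -> dict:
    """Count how many datagrams carry an ASA header and how many do not."""
    parsed = [parse_asa(d) for d in datagrams]
    return {"asa": sum(p is not None for p in parsed), "other": sum(p is None for p in parsed)}

def listen(host: str = "0.0.0.0", port: int = 9000, count: int = 10) -> dict:
    """Bind the same UDP socket as the Filebeat syslog input and summarize `count` datagrams."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        return summarize(s.recvfrom(65535)[0] for _ in range(count))
```

`summarize(SAMPLE_DATAGRAMS)` runs offline on the constructed samples; `listen()` needs the port free, so stop Filebeat before pointing it at the live firewall traffic.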

I think by default the data is stored in the filebeat index; have you created an index pattern for it?

I created it using the filebeat setup -e command, and it can see the logs from the Linux systems but not from the ASA firewall.

When I try to open the ASA firewall Filebeat dashboard, I see a shard error in the bottom right corner:

{
  "took": 6,
  "timed_out": false,
  "_shards": {
    "total": 18,
    "successful": 17,
    "skipped": 0,
    "failed": 1,
    "failures": [
      {
        "shard": 0,
        "index": "filebeat-7.5.0-2019.12.19-000001",
        "node": "3Y6Kg80STPy2AFxUegq2Jw",
        "reason": {
          "type": "query_shard_exception",
          "reason": "No mapping found for [@timestamp] in order to sort on",
          "index_uuid": "3eGch-MZRba053s48IpC1g",
          "index": "filebeat-7.5.0-2019.12.19-000001"
        }
      }
    ]
  },
  "hits": {
    "total": 0,
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "2": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": []
    }
  }
}
