Sending syslog to FileBeat from Cisco Asa

jsandri · June 11, 2019, 9:42am

Hi everyone!
I am a new user of elk and beats and I am trying to send logs from a Cisco Asa to a virtual machine with filebeat 7.1.1 using UDP. Logs are received but I encountered the following error message:

2019-06-11T16:13:33.168+0700 ERROR [syslog] syslog/input.go:131 can't parse event as syslog rfc3164 {"message": "<166>%ASA-6-106100: access-list mpls_access_in denied icmp mpls/X.X.X.219(11) -> SG_Office/X.X.X.10(0) hit-cnt 8 300-second interval [0x7c6ff586, 0x1f024755]\n"}

Here is more explication about the log message.

filebeat.yml looks like this:

filebeat.inputs:
- type: syslog
  protocol.udp:
    host: ":9000"
  enabled: true
output.console:
  pretty: true

For the time being, I am just trying to have something stable on the filebeat side. If anyone can help me

adrisr · June 13, 2019, 9:30am

Hi.

This message doesn't look like proper Syslog. It's missing the timestamp and hostname.

It works when I manually add them:

<166>Jun 13 01:23:45 localhost %ASA-6-106100: access-list mpls_access_in denied icmp mpls/X.X.X.219(11) -> SG_Office/X.X.X.10(0) hit-cnt 8 300-second interval [0x7c6ff586, 0x1f024755]

You need to configure your Cisco ASA device to include the hostname and timestamp.

Here you can find instructions on how to add the timestamp:

Here explains how to add a hostname or "device ID":
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html#wp1065641

FYI, the next version of Filebeat, 7.2.0, will include a module to parse Cisco ASA logs.

jsandri · June 14, 2019, 6:58am

Thanks for your answer but unfortunately even after having added the timestamp and hostname I have the same error.

2019-06-14T13:44:39.829+0700 ERROR [syslog] syslog/input.go:131 can't parse event as syslog rfc3164 {"message": "<166>Jun 14 2019 14:44:39 SGP-FWA-01 : %ASA-6-106015: Deny TCP (no connection) from X.X.X.145/58050 to X.X.X.55/443 flags RST on interface SG_Office\n"}

However, I have checked on Kibana and it seems to miss nothing but I don't really like keeping an error in my files. By the way, do you know when the new version will be released?

jsandri · June 19, 2019, 2:52am

Any ideas?

system · July 17, 2019, 2:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't parse event as syslog rfc3164 Beats filebeat	5	335	March 4, 2024
Filebeat, Cisco ASA and ECS fields Beats filebeat	6	1493	August 13, 2020
Send syslog to Filebeat server Beats filebeat	28	2137	November 1, 2023
Cisco iOS integration - No data has been received from this module yet Beats filebeat	2	203	April 4, 2024
Beats (filebeat/metricbeat etc.) log to syslog with "logging.to_syslog: false" Beats	6	5844	May 29, 2019

Sending syslog to FileBeat from Cisco Asa

Related Topics