Sending syslog to FileBeat from Cisco Asa

jsandri · June 11, 2019, 9:42am

Hi everyone!
I am a new user of elk and beats and I am trying to send logs from a Cisco Asa to a virtual machine with filebeat 7.1.1 using UDP. Logs are received but I encountered the following error message:

2019-06-11T16:13:33.168+0700 ERROR [syslog] syslog/input.go:131 can't parse event as syslog rfc3164 {"message": "<166>%ASA-6-106100: access-list mpls_access_in denied icmp mpls/X.X.X.219(11) -> SG_Office/X.X.X.10(0) hit-cnt 8 300-second interval [0x7c6ff586, 0x1f024755]\n"}

Here is more explication about the log message.

filebeat.yml looks like this:

filebeat.inputs:
- type: syslog
  protocol.udp:
    host: ":9000"
  enabled: true
output.console:
  pretty: true

For the time being, I am just trying to have something stable on the filebeat side. If anyone can help me

adrisr · June 13, 2019, 9:30am

Hi.

This message doesn't look like proper Syslog. It's missing the timestamp and hostname.

It works when I manually add them:

<166>Jun 13 01:23:45 localhost %ASA-6-106100: access-list mpls_access_in denied icmp mpls/X.X.X.219(11) -> SG_Office/X.X.X.10(0) hit-cnt 8 300-second interval [0x7c6ff586, 0x1f024755]

You need to configure your Cisco ASA device to include the hostname and timestamp.

Here you can find instructions on how to add the timestamp:

Here explains how to add a hostname or "device ID":
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html#wp1065641

FYI, the next version of Filebeat, 7.2.0, will include a module to parse Cisco ASA logs.

jsandri · June 14, 2019, 6:58am

Thanks for your answer but unfortunately even after having added the timestamp and hostname I have the same error.

2019-06-14T13:44:39.829+0700 ERROR [syslog] syslog/input.go:131 can't parse event as syslog rfc3164 {"message": "<166>Jun 14 2019 14:44:39 SGP-FWA-01 : %ASA-6-106015: Deny TCP (no connection) from X.X.X.145/58050 to X.X.X.55/443 flags RST on interface SG_Office\n"}

However, I have checked on Kibana and it seems to miss nothing but I don't really like keeping an error in my files. By the way, do you know when the new version will be released?

jsandri · June 19, 2019, 2:52am

Any ideas?

system · July 17, 2019, 2:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat 7.3.2 Cisco Module Parsing issue for ASA Syslog rfc3164 Beats filebeat	3	1148	November 21, 2019
Filebeat syslog parse error Beats filebeat	10	5904	August 28, 2019
Syslog Input -> Cisco ASA not fully parsing Beats filebeat	1	592	September 27, 2019
Problems parsing Cisco ASA logs using filebeat Beats filebeat	9	3268	October 2, 2019
Sent Logs from Cisco ASA to ELK (OS Ubuntu 18.04) Beats filebeat	3	2155	June 26, 2019

Sending syslog to FileBeat from Cisco Asa

Related topics