Syslog Input -> Cisco ASA not fully parsing

Hi Everyone,

I've got an issue I'm hoping someone can help with. I have a Win2016 server as my log collection server, with Filebeat running Syslog input and it outputs directly to Elasticsearch. The problem I'm having is with Cisco ASA events not parsing. I have the following in my filebeat logs:

syslog/input.go:132 can't parse event as syslog rfc3164

I've researched this on the forums here, and found "Syslog input to support RFC5424 · Issue #6872 · elastic/beats · GitHub" but unfortunately that fix didn't seem to change anything. I'm starting to think it's a problem somewhere else in my configuration. Notably, I think I may have the syslog input part of Filebeat.yml incorrectly set up.

#=========================== Filebeat inputs =============================

filebeat.inputs:

- type: log
  enabled: false
  paths:
    - c:\programdata\elasticsearch\logs\*

- type: syslog
  enabled: true
  protocol.udp:
    host: "0.0.0.0:514"

- type: syslog
  enabled: true
  protocol.tcp:
    host: "0.0.0.0:1514"

- type: syslog
  enabled: true
  protocol.udp:
    host: "0.0.0.0:9000"

In Kibana, a Cisco ASA event comes in like this and does not fill in fields for "log.source.address" or "event.severity":

message: <148>Aug 30 2019 11:42:00: %ASA-4-106023: Deny udp src outside:62.210.151.21/57312 dst inside:172.16.16.10/5060 by access-group "OUTSIDE_ACL" [0x0, 0x0]

Should my syslog input be set to port 9000 only? Should I only have one? Is the ASA sending to one of these other listening ports and bypassing the Cisco module? I tried having our network engineer specify ports, such as port 9001 for the syslog destination, but then it seemed like I wasn't getting any events.

Thank you in advance for your time and assistance!
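The sample event in the post shows why a strict RFC 3164 parser rejects it: RFC 3164 defines the header as `<PRI>Mmm dd hh:mm:ss HOSTNAME`, while the ASA line carries a four-digit year, a colon after the time and no hostname before the `%ASA-4-106023:` tag. The added example below (my own code, not Filebeat's or Elastic's) parses both shapes, decodes the PRI value into facility and severity (which is where `event.severity` comes from), cross-checks the severity digit in the `%ASA-S-NNNNNN` tag against the PRI, and pulls the connection fields out of a 106023 deny message. The ASA header and deny-message patterns are assumptions built from the one sample line in the post; the second sample line is the canonical example from RFC 3164. `log.source.address` is the UDP/TCP sender address and cannot be recovered from the message text, so it is not attempted here.

```python
import re
from datetime import datetime

# Syslog severity codes: the low 3 bits of the PRI value (PRI = facility * 8 + severity).
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notice", 6: "informational", 7: "debug"}

# Strict RFC 3164 header: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG".
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$")

# Cisco ASA header as it appears in the post's sample line (assumed layout):
# "<PRI>Mmm dd YYYY hh:mm:ss: %ASA-S-NNNNNN: MSG". The four-digit year, the
# trailing colon after the time and the missing hostname are what a strict
# RFC 3164 parser trips over.
ASA_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$")

# Connection detail inside an ASA 106023 "Deny" message (assumed layout, from the sample).
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")


def decode_pri(pri: int):
    """Split a syslog PRI into (facility, severity)."""
    return pri >> 3, pri & 7


def parse_syslog(line: str) -> dict:
    """Return a dict of fields; 'format' says which header shape matched."""
    m = RFC3164_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m["pri"]))
        return {"format": "rfc3164", "facility": facility, "severity": severity,
                "severity_name": SEVERITY[severity],
                # RFC 3164 timestamps carry no year; strptime fills in 1900
                "timestamp": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                "host": m["host"], "message": m["msg"]}

    m = ASA_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m["pri"]))
        event = {"format": "cisco_asa", "facility": facility, "severity": severity,
                 "severity_name": SEVERITY[severity],
                 "timestamp": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                 "message_id": m["msgid"],
                 # the severity digit in %ASA-S-NNNNNN should equal PRI & 7
                 "severity_consistent": int(m["sev"]) == severity,
                 "message": m["msg"]}
        d = DENY_RE.search(m["msg"])
        if d:
            event.update({k: (int(v) if v.isdigit() else v)
                          for k, v in d.groupdict().items()})
        return event

    return {"format": "unparsed", "message": line}


# Constructed sample input: the ASA line from the post, the RFC 3164 example
# line from the RFC itself, and one line that matches neither shape.
SAMPLES = [
    '<148>Aug 30 2019 11:42:00: %ASA-4-106023: Deny udp src outside:62.210.151.21/57312 '
    'dst inside:172.16.16.10/5060 by access-group "OUTSIDE_ACL" [0x0, 0x0]',
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_syslog(line))
```

Running the block prints one dict per sample; the ASA line decodes PRI 148 as facility 18 (local2) and severity 4 (warning), matching the `4` in `%ASA-4-106023`.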
