Hi Everyone,
I've got an issue I'm hoping someone can help with. I have a Win2016 server as my log collection server, with Filebeat running the Syslog input and outputting directly to Elasticsearch. The problem I'm having is with Cisco ASA events not parsing. I have the following in my Filebeat logs:
syslog/input.go:132 can't parse event as syslog rfc3164
I've researched this on the forums here and found "Syslog input to support RFC5424 · Issue #6872 · elastic/beats · GitHub", but unfortunately that fix didn't seem to change anything. I'm starting to think it's a problem somewhere else in my configuration. Notably, I think I may have the syslog input part of filebeat.yml incorrectly set up.
```yaml
#=========================== Filebeat inputs =============================
filebeat.inputs:
# Disabled log input (left over from the default config).
- type: log
  enabled: false
  paths:
    - c:\programdata\elasticsearch\logs\*
# Three separate syslog inputs, each listening on its own port.
- type: syslog
  enabled: true
  protocol.udp:
    host: "0.0.0.0:514"
- type: syslog
  enabled: true
  protocol.tcp:
    host: "0.0.0.0:1514"
- type: syslog
  enabled: true
  protocol.udp:
    host: "0.0.0.0:9000"
```
In Kibana, a Cisco ASA event comes in like this and does not fill in fields for `log.source.address` or `event.severity`:

message: <148>Aug 30 2019 11:42:00: %ASA-4-106023: Deny udp src outside:62.210.151.21/57312 dst inside:172.16.16.10/5060 by access-group "OUTSIDE_ACL" [0x0, 0x0]
Should my syslog input be set to port 9000 only? Should I only have one? Is the ASA sending to one of these other listening ports and bypassing the Cisco module? I tried having our network engineer specify ports, such as port 9001 for the syslog destination, but then it seemed like I wasn't getting any events.
Thank you in advance for your time and assistance!
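As an added example, not part of the original post and not Filebeat's or the Cisco module's own code, the following Python shows why the quoted ASA line cannot satisfy a strict RFC 3164 grammar and what a parser that accepts Cisco's header variant can still pull out of it. RFC 3164's TIMESTAMP field is `Mmm dd hh:mm:ss` with no year; the ASA line carries a four-digit year and a colon after the time, so the strict pattern rejects the line even though the `<148>` PRI in front of it is perfectly good (148 = facility 18, local2, severity 4). The ECS-style field names in the output, the `fw01` hostname variant, and the `parse_acl_deny` helper for message 106023 are this example's own choices, not anything the post or Filebeat defines.

```python
import re
from datetime import datetime

# --- Sample input ---------------------------------------------------------
# The ASA line quoted in the post above.
ASA_LINE = ('<148>Aug 30 2019 11:42:00: %ASA-4-106023: Deny udp src '
            'outside:62.210.151.21/57312 dst inside:172.16.16.10/5060 '
            'by access-group "OUTSIDE_ACL" [0x0, 0x0]')
# Constructed variant: the same event with a device hostname in the header
# (hostname "fw01" is made up for this example).
ASA_LINE_WITH_HOST = ASA_LINE.replace('11:42:00:', '11:42:00 fw01 :')
# The example message from RFC 3164 section 5.4, for comparison.
RFC3164_LINE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

# Facility (0-23) and severity (0-7) names; 16-23 are local0..local7.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
              + [f"local{i}" for i in range(8)])
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# Strict RFC 3164: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG  (no year, no colon after time)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 1-3]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")

# Cisco ASA: <PRI>Mmm dd yyyy hh:mm:ss [HOST ]: %ASA-N-nnnnnn: MSG
CISCO_ASA = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
    r"(?: (?P<host>[^:\s]+) ?)?: %ASA-(?P<sev>\d)-(?P<code>\d{6}): "
    r"(?P<msg>.*)$")

# Body of message 106023 in the TCP/UDP shape shown in the post.
ACL_DENY = re.compile(
    r'^Deny (?P<proto>\w+) src (?P<sz>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+)'
    r' dst (?P<dz>[^:\s]+):(?P<dip>[\d.]+)/(?P<dport>\d+)'
    r' by access-group "(?P<acl>[^"]+)"')


def decode_pri(pri: int) -> dict:
    """Split a syslog PRI into facility and severity (PRI = facility * 8 + severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    facility, severity = pri >> 3, pri & 7
    return {
        "log.syslog.priority": pri,
        "log.syslog.facility.code": facility,
        "log.syslog.facility.name": FACILITIES[facility],
        "log.syslog.severity.code": severity,
        "log.syslog.severity.name": SEVERITIES[severity],
        "event.severity": severity,
    }


def parse_acl_deny(msg: str) -> dict:
    """Extract endpoints and ACL name from a 106023 body; empty dict if the shape differs."""
    m = ACL_DENY.match(msg)
    if not m:
        return {}
    return {
        "network.transport": m["proto"].lower(),
        "cisco.asa.source_interface": m["sz"],
        "source.ip": m["sip"], "source.port": int(m["sport"]),
        "cisco.asa.destination_interface": m["dz"],
        "destination.ip": m["dip"], "destination.port": int(m["dport"]),
        "rule.name": m["acl"],
    }


def parse_syslog(line: str) -> dict:
    """Return ECS-style fields for one line: strict RFC 3164 first, then the ASA variant."""
    m = RFC3164.match(line)
    if m:
        fields = {"format": "rfc3164", "host.name": m["host"], "process.name": m["tag"],
                  "message": m["msg"], "syslog.timestamp": m["ts"]}  # no year in RFC 3164
        if m["pid"]:
            fields["process.pid"] = int(m["pid"])
        fields.update(decode_pri(int(m["pri"])))
        return fields
    m = CISCO_ASA.match(line)
    if m:
        fields = {"format": "cisco-asa", "message": m["msg"], "event.code": m["code"]}
        if m["host"]:
            fields["host.name"] = m["host"]
        ts = " ".join(m["ts"].split())  # collapse the double space before a 1-digit day
        fields["@timestamp"] = datetime.strptime(ts, "%b %d %Y %H:%M:%S").isoformat()
        fields.update(decode_pri(int(m["pri"])))
        # %ASA-N- uses the same 0-7 scale as the PRI severity; flag any disagreement.
        fields["cisco.asa.severity_mismatch"] = int(m["sev"]) != fields["event.severity"]
        if m["code"] == "106023":
            fields.update(parse_acl_deny(m["msg"]))
        return fields
    return {"format": "unparsed", "message": line}


if __name__ == "__main__":
    for sample in (RFC3164_LINE, ASA_LINE, ASA_LINE_WITH_HOST):
        print("strict RFC 3164 match:", RFC3164.match(sample) is not None)
        print(parse_syslog(sample))
```

Two things worth keeping in mind when reading the output against the Kibana document in the post: the severity that ends up in `event.severity` comes from the `<148>` PRI, which is present and decodable even when the rest of the header is not RFC 3164; and the `62.210.151.21` / `172.16.16.10` addresses are parsed out of the message body into `source.ip` / `destination.ip`, which is a different thing from the address of the device that sent the datagram to the collector.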