Unable to load ASA logs in SIEM

Hi everyone.

Last week I set up a Filebeat (7.8.1) to ingest syslog from a Cisco ASA.
Everything works fine and the data is visible in Kibana. Now when I go to the SIEM page and try to set up SIEM with the Cisco module, there is a button that says "Check Data"; when I click it I get the message "No data has been received from this module yet".

I have tried different Filebeat versions but I get the same message.

Here is my filebeat.yml:

    filebeat.config.modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: true
      reload.period: 10s

    # Output configuration
    output.elasticsearch:
      username: xxx
      password: xxx
      protocol: https
      hosts: ["xxx:9200", "xxx:9200", "xxx:9200"]
      loadbalance: true
      bulk_max_size: 256
      worker: 3
      index: "asa-vpn-anyconnect"

Here is my cisco.yml (Filebeat module in etc/filebeat/modules.d/):

    - module: cisco
      asa:
        enabled: true
      
        # Set which input to use between syslog (default) or file.
        #var.input: syslog
      
        # The interface to listen to UDP based syslog traffic. Defaults to
        # localhost. Set to 0.0.0.0 to bind to all available interfaces.
        var.syslog_host: 1.1.1.1
      
        # The UDP port to listen for syslog traffic. Defaults to 9001.
        #var.syslog_port: 9001
      
        # Set the log level from 1 (alerts only) to 7 (include all messages).
        # Messages with a log level higher than the specified will be dropped.
        # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
        #var.log_level: 7

Could it be an issue that I use different index names instead of the default filebeat-*?

OK, I found the issue!
When you use non-default index names you have to define them in the Kibana settings. Go to Management -> Advanced Settings -> SIEM -> Elasticsearch indices.

Just leaving this here; maybe more people make the same mistake.
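The mismatch described in this thread (Filebeat writing to a custom index that the SIEM app's index patterns do not cover) is easy to check mechanically before clicking "Check Data". The script below is an added example, not code from the post or from Elastic: it pulls the `output.elasticsearch.index` value out of a filebeat.yml snippet with a deliberately naive regex (no PyYAML dependency), tests it against the SIEM index patterns with shell-style wildcard matching, and builds the body for Kibana's settings API (`POST /api/kibana/settings`) that would add the missing index. The default pattern list and the setting key `siem:defaultIndex` are assumptions from memory of Kibana 7.8 and should be verified against your own Advanced Settings page; the config text is constructed from the post.

```python
import fnmatch
import json
import re
from typing import Iterable, List

# Assumption: the index patterns Kibana 7.8 SIEM ships with by default
# (not taken from the post; verify in Advanced Settings -> SIEM).
DEFAULT_SIEM_INDICES = [
    "apm-*-transaction*",
    "auditbeat-*",
    "endgame-*",
    "filebeat-*",
    "logs-*",
    "packetbeat-*",
    "winlogbeat-*",
]

# Constructed sample: the output section from the post, secrets replaced.
SAMPLE_FILEBEAT_YML = """
output.elasticsearch:
  username: xxx
  password: xxx
  protocol: https
  hosts: ["xxx:9200"]
  index: "asa-vpn-anyconnect"
"""

_INDEX_RE = re.compile(r'^\s*index:\s*"?([^"\s]+)"?\s*$', re.MULTILINE)


def read_output_index(yaml_text: str) -> str:
    """Return the first `index:` value found in a filebeat.yml snippet.

    Naive line-based extraction: good enough for the flat
    output.elasticsearch block shown in the post, not a YAML parser.
    """
    match = _INDEX_RE.search(yaml_text)
    if not match:
        raise ValueError("no output index configured")
    return match.group(1)


def siem_sees_index(index_name: str, siem_patterns: Iterable[str]) -> bool:
    """True if any configured SIEM pattern (with * wildcards) covers the index."""
    return any(fnmatch.fnmatchcase(index_name, p) for p in siem_patterns)


def uncovered_indices(filebeat_indices: Iterable[str],
                      siem_patterns: Iterable[str]) -> List[str]:
    """Indices Filebeat writes to that the SIEM app will never query."""
    patterns = list(siem_patterns)
    return [i for i in filebeat_indices if not siem_sees_index(i, patterns)]


def kibana_settings_payload(siem_patterns: Iterable[str],
                            extra_indices: Iterable[str],
                            setting_key: str = "siem:defaultIndex") -> dict:
    """Body for POST /api/kibana/settings that appends the missing indices.

    The whole list is sent because the setting is replaced, not merged.
    """
    merged = list(siem_patterns)
    for idx in extra_indices:
        if idx not in merged:
            merged.append(idx)
    return {"changes": {setting_key: merged}}


def main() -> None:
    index = read_output_index(SAMPLE_FILEBEAT_YML)
    missing = uncovered_indices([index], DEFAULT_SIEM_INDICES)
    if not missing:
        print(f"SIEM already covers '{index}'")
        return
    print(f"SIEM does not cover {missing}; settings change needed:")
    print(json.dumps(kibana_settings_payload(DEFAULT_SIEM_INDICES, missing), indent=2))


if __name__ == "__main__":
    main()
```

The same check applies to any beat whose `output.elasticsearch.index` is customised: the SIEM "Check Data" button only looks at the indices listed in that setting, so a module can be ingesting perfectly well and still report "No data has been received".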
