Hi – having some trouble getting patterndb functional and looking for some help. I would like to use patterndb to parse my Cisco ASA firewall logs before sending them to Elasticsearch. However, when the messages get to Elasticsearch, I don't see them being parsed. Running pdbtool against the logs seems to work.

 

# pdbtool match -p /etc/syslog-ng/patterndb.d/ciscoasa.pdb -P %ASA -f /var/log/asatest.log |more

HOST=X.X.X.X

MESSAGE=Built dynamic TCP translation from INSIDE:X.X.X.X/X to OUTSIDE:X.X.X.X/X

PROGRAM=%ASA-6-305011

LEGACY_MSGHDR=%ASA-6-305011:

.classifier.class=system

.classifier.rule_id=e075efdc-c25f-5e49-a208-7661e3b5a29b

Protocol=TCP

GlobalIP=X.X.X.X

GlobalPort=X

LocalIP=X.X.X.X

LocalPort=X

TAGS=.classifier.system

 

 

 

**********************

SYSLOG-NG CONF FILE

@version: 3.11

# Accepts syslog over TCP and UDP on the default ports.
source s_network { tcp(); udp(); };

# Elasticsearch destination for the parsed ASA messages (HTTP client mode).
destination d_elastic {

    elasticsearch2(

        client-mode("http")

        cluster("ITESCL001")

        index("logstash-syslogng_${YEAR}.${MONTH}.${DAY}")

        # NOTE(review): plain http, no TLS and no credentials on this URL; confirm the
        # Elasticsearch endpoint is reachable only from this collector's network.
        cluster-url("http://X.X.X.X:9200")

        type("syslog")

        flush-limit("1")

        # NOTE(review): no template() is set, so the name-value pairs that p_ciscoasa
        # extracts (Protocol, GlobalIP, LocalPort, ...) are presumably not part of the
        # JSON document sent to Elasticsearch; the default document is expected to
        # carry only the standard syslog fields. Verify, and if so add a template()
        # built with $(format-json ...) whose scope includes the nv-pairs.
    );

};

# Everything not claimed by a final log path lands in this file.
destination d_catchall { file("/var/log/catchall.log"); };

# Selects the ASA by source host; messages from other hosts skip the ASA path.
filter f_ciscoasa { host("X.X.X.X"); };

# db-parser matches the ruleset's program pattern against PROGRAM before any rule
# is tried. On live traffic PROGRAM is '%ASA-6-305011' style (see the pdbtool
# output above); the pdbtool run forced PROGRAM with -P, so it does not prove the
# ruleset's program pattern matches real messages.
parser p_ciscoasa {db-parser(file("/etc/syslog-ng/patterndb.d/ciscoasa.pdb"));};

# flags(final): messages from the ASA host stop here and never reach d_catchall.
log { source(s_network); filter(f_ciscoasa); parser(p_ciscoasa); destination(d_elastic); flags(final, flow-control); };

log { source(s_network); destination(d_catchall); };

 

 

**********************

PATTERNDB FILE

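<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2018-02-19'>
  <ruleset name='%ASA' id='a300d776-8bd7-834d-a4a9-23eb81a4b3ba'>
    <!-- The ruleset pattern is matched against the PROGRAM field and must cover
         the whole program name. The pdbtool run in this thread forced PROGRAM to
         '%ASA' with '-P %ASA', but the live messages carry program names such as
         '%ASA-6-305011' (see the PROGRAM= line in the pdbtool output), which the
         bare '%ASA' pattern does not match, so db-parser never reaches the rules
         below. The second pattern accepts the real program format and keeps the
         severity and message id as name-value pairs; the first is kept so the
         existing test_message examples (program='%ASA') still pass.
         Run 'pdbtool test' on this file after editing to check every example. -->
    <patterns>
      <pattern>%ASA</pattern>
      <pattern>%ASA-@NUMBER:asa_severity@-@NUMBER:asa_msgid@</pattern>
    </patterns>
    <description>
      This ruleset covers the Cisco ASA firewalls
    </description>
    <rules>
      <rule provider='%ASA' id='b3de7699-8213-c744-944e-9413298afe86' class='system'>
        <!-- support: 1594 -->
        <patterns>
          <pattern>Teardown @ESTRING:Protocol: @connection for faddr @IPv4:SrcIP:/@@ESTRING:SrcPort: @gaddr @IPv4:GlobalIP:/@@ESTRING:GlobalPort: @laddr @IPv4:LocalIP:/@@ESTRING:LocalPort:@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program='%ASA'>Teardown ICMP connection for faddr X.X.X.X/X gaddr X.X.X.X/X laddr X.X.X.X/X</test_message>
          </example>
        </examples>
      </rule>
      <rule id='90d0f8c9-7591-d44e-b886-2f7e5cb17ce6' class='system' provider='%ASA'>
        <!-- support: 1369 -->
        <patterns>
          <pattern>Teardown dynamic @ESTRING:Protocol: @translation from @ESTRING:::@@IPv4:LocalIP:/@@ESTRING:LocalPort: @to @ESTRING:::@@IPv4:GlobalIP:/@@ESTRING:GlobalPort: @duration@ANYSTRING::@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program='%ASA'>Teardown dynamic UDP translation from any:X.X.X.X/X to outside:X.X.X.X/X duration 0:00:00</test_message>
          </example>
        </examples>
      </rule>
      <rule id='8f0a8d57-80c6-4745-8a8a-5ce018bb0d87' class='system' provider='%ASA'>
        <!-- support: 1254 -->
        <patterns>
          <pattern>Teardown @ESTRING:Protocol: @connection @ESTRING:: @for @ESTRING:::@@IPv4:DstIP:/@@ESTRING:DstPort: @to @ESTRING:::@@IPv4:SrcIP:/@@ESTRING:SrcPort: @@ESTRING::@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program='%ASA'>Teardown UDP connection 55101037 for outside:X.X.X.X/X to inside:X.X.X.X/X duration 0:00:00 bytes 132</test_message>
          </example>
        </examples>
      </rule>
      <rule id='00c0732d-1e34-7340-a75f-21198bf71137' class='system' provider='%ASA'>
        <!-- support: 1256 -->
        <patterns>
          <pattern>Built outbound @ESTRING:Protocol: @connection @ESTRING:: @for @ESTRING:::@@IPv4:DstIP:/@@ESTRING:DstPort: @(@ESTRING::)@ to @ESTRING:::@@IPv4:SrcIP:/@@ESTRING:SrcPort: @(@ESTRING::)@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program='%ASA'>Built outbound UDP connection 55101037 for outside:X.X.X.X/X (X.X.X.X/X) to inside:X.X.X.X/X (X.X.X.X/X)</test_message>
          </example>
        </examples>
      </rule>
      <rule id='4a586711-ebe2-dc4d-bf6e-e512666d8c5d' class='system' provider='%ASA'>
        <!-- support: 1594 -->
        <patterns>
          <pattern>Built inbound @ESTRING:Protocol: @connection for faddr @IPv4:SrcIP:/@@ESTRING:SrcPort: @gaddr @IPv4:GlobalIP:/@@ESTRING:GlobalPort: @laddr @IPv4:LocalIP:/@@ESTRING:LocalPort:@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program='%ASA'>Built inbound ICMP connection for faddr X.X.X.X/X gaddr X.X.X.X/X laddr X.X.X.X/X</test_message>
          </example>
        </examples>
      </rule>
      <rule id='8be7928d-66e7-7042-abd5-869d6b49c56e' class='system' provider='%ASA'>
        <!-- support: 1763 -->
        <!-- NOTE(review): the interface parser before SrcIP is written '@ESTRING::@'
             with no end string, while the sibling rules use '@ESTRING:::@' to stop
             at the ':' in 'inside:X.X.X.X'. This looks like a dropped ':'; left as
             is because it cannot be confirmed here, but check this rule with
             'pdbtool test' against the example below. -->
        <patterns>
          <pattern>Built inbound @ESTRING:Protocol: @connection @ESTRING:: @for @ESTRING::@@IPv4:SrcIP:/@@ESTRING:SrcPort: @(@ESTRING::)@ to identity:@IPv4:DstIP:/@@ESTRING:DstPort: @(@ESTRING::)@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program='%ASA'>Built inbound UDP connection 55101078 for inside:X.X.X.X/X (X.X.X.X/X) to identity:X.X.X.X/X (X.X.X.X/X)</test_message>
          </example>
        </examples>
      </rule>
      <rule id='20aee256-b4f0-8b4d-93cb-263d5338fd21' class='system' provider='%ASA'>
        <!-- support: 1539 -->
        <patterns>
          <pattern>Teardown @ESTRING:Protocol: @connection @ESTRING:: @for @ESTRING:::@@IPv4:SrcIP:/@@ESTRING:SrcPort: @to identity:@IPv4:DstIP:/@@ESTRING:DstPort: @duration@ANYSTRING::@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program='%ASA'>Teardown UDP connection 55101084 for inside:X.X.X.X/X to identity:X.X.X.X/X duration 0:02:01 bytes 88</test_message>
          </example>
        </examples>
      </rule>
      <rule id='e075efdc-c25f-5e49-a208-7661e3b5a29b' class='system' provider='%ASA'>
        <!-- support: 3648 -->
        <!-- This is the rule the pdbtool output in the thread matched
             (.classifier.rule_id=e075efdc-...). -->
        <patterns>
          <pattern>Built dynamic @ESTRING:Protocol: @translation from @ESTRING:::@@IPv4:LocalIP:/@@ESTRING:LocalPort: @to @ESTRING:::@@IPv4:GlobalIP:/@@ESTRING:GlobalPort:@</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program='%ASA'>Built dynamic TCP translation from any:X.X.X.X/X to outside:X.X.X.X/X</test_message>
          </example>
        </examples>
      </rule>
      <!-- NOTE(review): this rule has a non-UUID id ('39'), no example messages,
           and the second pattern opens '(type ... code' without a closing ')',
           so it is unclear what message it is meant to match. Patterns are kept
           unchanged; add an <examples> block with a real message so 'pdbtool test'
           can exercise them. -->
      <rule provider='%ASA' class='system' id='39'>
        <patterns>
          <pattern>Cleared @ESTRING:: @urgent flag from @ESTRING:::@@ESTRING::/@@NUMBER::@ to @ESTRING: ::@@ESTRING::/@@NUMBER::@</pattern>
          <pattern>regular translation creation failed for @ESTRING:: @src @ESTRING:::@@ESTRING:: @dst @ESTRING: ::@@ESTRING:: @(type @NUMBER::@, code @NUMBER::@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>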