Hi, I was able to resolve some of my issues. The first thing I did was stop all logging to ES and delete all my data. Once I started logging to ES again with a json template statement in the output rule I saw that the logs were in fact being parsed by patterndb. Also I noticed that using the "logging device-id" statement on the ASA sends over an empty PROGRAM field in syslog, so I removed that statement. Now I have patterndb working correctly and I just have to go through and fine-tune my parser rules. I am interested in why the cisco-parser() statement would not send any output. Below are some log samples. Let me know if there is anything helpful here. Thanks for everyone's help!

Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-106015: Deny TCP (no connection) from XXX.XXX.192.57/1147 to XXX.XXX.105.15/445 flags RST ACK on interface OUTSIDE
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-305011: Built dynamic TCP translation from OUTSIDE:XXX.XXX.192.57/2004(LOCAL\user) to OUTSIDE:69.147.160.165/2004
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-302013: Built inbound TCP connection 787029 for OUTSIDE:XXX.XXX.192.57/2004 (XXX.XXX.160.165/2004)(LOCAL\user) to OUTSIDE:XXX.XXX.165.71/443 (XXX.XXX.165.71/443) (user)
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-302016: Teardown UDP connection 786540 for OUTSIDE:XXX.XXX.4.101/123 to INSIDE:XXX.XXX.105.61/123 duration 0:02:02 bytes 48
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-305011: Built dynamic TCP translation from OUTSIDE:XXX.XXX.192.57/2004(LOCAL\user) to OUTSIDE: XXX.XXX.160.165/2004
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-302014: Teardown TCP connection 787027 for OUTSIDE: XXX.XXX.44.11/443 to INSIDE:XXX.XXX.105.122/50330 duration 0:00:00 bytes 25227 TCP FINs from INSIDE
Feb 25 22:14:13.247139 XXX.XXX.31.1 %ASA-7-609001: Built local-host outside: XXX.XXX.224.196
Feb 25 22:14:13.247139 XXX.XXX.31.1 %ASA-6-302020: Built inbound ICMP connection for faddr XXX.XXX.224.196/54900 gaddr XXX.XXX.77.81/0 laddr XXX.XXX.77.81/0
Feb 25 22:14:13.247349 XXX.XXX.31.1 %ASA-6-302021: Teardown ICMP connection for faddr XXX.XXX.224.196/54900 gaddr XXX.XXX.77.81/0 laddr XXX.XXX.77.81/0
Feb 25 22:14:13.257785 XXX.XXX.159.2 %ASA-6-302014: Teardown TCP connection 369356 for OUTSIDE: XXX.XXX.167.21/443 to INSIDE:XXX.XXX.135.46/58914 duration 0:00:18 bytes 7264 TCP Reset-O from OUTSIDE
Feb 25 22:14:13.257885 XXX.XXX.159.2 %ASA-6-305012: Teardown dynamic TCP translation from INSIDE:XXX.XXX.135.46/58914 to OUTSIDE: XXX.XXX.45.90/58914 duration 0:00:18
Feb 25 22:14:13.261045 XXX.XXX.159.2 %ASA-6-305011: Built dynamic TCP translation from INSIDE:XXX.XXX.135.46/50748 to OUTSIDE: XXX.XXX.45.90/50748
Feb 25 22:14:13.261145 XXX.XXX.159.2 %ASA-6-302013: Built outbound TCP connection 369392 for OUTSIDE: XXX.XXX.167.21/443 (XXX.XXX.167.21/443) to INSIDE:XXX.XXX.135.46/50748 (XXX.XXX.45.90/50748)
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-302014: Teardown TCP connection 633281 for OUTSIDE: XXX.XXX.44.11/443 to INSIDE:XXX.XXX.105.122/50330 duration 0:00:00 bytes 0 Failover primary closed
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-302014: Teardown TCP connection 726445 for OUTSIDE:XXX.XXX.192.57/1074(LOCAL\user) to INSIDE:XXX.XXX.101.104/443 duration 2:13:31 bytes 58884 TCP Reset-O from OUTSIDE (user)
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-305011: Built dynamic TCP translation from OUTSIDE:XXX.XXX.192.57/2005(LOCAL\user) to OUTSIDE: XXX.XXX.160.165/2005

From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Scheidler, Balázs
Sent: Monday, March 5, 2018 7:55 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Cisco ASA parsing with patterndb/elasticsearch

Hi,

Could you please send a couple of messages? I would really like to make sure this works out of the box.

Thanks

On Mar 1, 2018 16:08, "Scheidler, Balázs" <balazs.scheidler@balabit.com> wrote:

Can you give me a few inbound logs as received by syslog-ng? I would try to fix up the cisco parser so that it works for your use case, as it should.

Thanks

On Feb 28, 2018 21:48, "Tim Ghetti" <tghetti@targetedsupport.com> wrote:

I tried using the cisco-parser and am not having any luck with that either. When I enable the parser, I actually stop seeing outbound traffic to elasticsearch. My config is below.

    log {
        source { udp(flags(no-parse)); };
        parser { cisco-parser(); };
        destination {
            elasticsearch2(
                client-mode("http")
                cluster("ITESCL001")
                index("logstash-syslogng_${YEAR}.${MONTH}.${DAY}")
                cluster-url("http://192.168.101.199:9200 http://192.168.101.198:9200")
                type("syslog")
                flush-limit("1")
            );
        };
    }

    [root@ITLOG001 conf.d]# tcpdump -nnSXi ens192 port 9200 -vv
    tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C
    0 packets captured
    0 packets received by filter
    0 packets dropped by kernel
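The two header shapes in the samples posted earlier in this thread (host followed by a bare " : " when "logging device-id" is on, the %ASA tag right after the host when it is off) broken into fields, as an added Python example that is not code from the thread or from syslog-ng. The sample lines and addresses are constructed to mirror the posted ones, and naive_program() is an assumed, simplified stand-in for RFC3164 PROGRAM extraction, not syslog-ng's own parser.

```python
import re

# Constructed sample lines shaped like the two formats posted in the thread: with
# "logging device-id" the host is followed by a bare " : " before the %ASA tag,
# without it the %ASA tag directly follows the host. Addresses are made up.
SAMPLES = [
    "Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-302013: Built inbound TCP connection 787029 "
    "for OUTSIDE:10.0.192.57/2004 (10.0.160.165/2004)(LOCAL\\user) to OUTSIDE:10.0.165.71/443",
    "Feb 25 22:14:13.257785 10.0.159.2 %ASA-6-302014: Teardown TCP connection 369356 "
    "for OUTSIDE: 10.0.167.21/443 to INSIDE:10.0.135.46/58914 duration 0:00:18 bytes 7264",
    "Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-106015: Deny TCP (no connection) "
    "from 10.0.192.57/1147 to 10.0.105.15/445 flags RST ACK on interface OUTSIDE",
]

HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<host>\S+) (?P<devid>: )?"  # lone ':' is what "logging device-id" leaves behind
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$"
)
# 302013/302014: connection id and endpoints as IFACE:ip/port (ASA may emit "IFACE: ip")
CONN = re.compile(
    r"(?P<action>Built|Teardown) (?:(?P<dir>inbound|outbound) )?(?P<proto>TCP|UDP) connection "
    r"(?P<conn_id>\d+) for (?P<src_if>[^:]+):\s?(?P<src_ip>[\d.]+)/(?P<src_port>\d+).*? "
    r"to (?P<dst_if>[^:]+):\s?(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
DENY = re.compile(
    r"Deny (?P<proto>\w+) .*?from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_asa(line):
    """Flat dict of fields for one ASA syslog line, or None if the header does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"timestamp": m["ts"], "host": m["host"], "device_id": m["devid"] is not None,
           "severity": int(m["sev"]), "msg_id": m["msgid"], "message": m["msg"]}
    body = CONN.search(m["msg"]) if m["msgid"] in ("302013", "302014") else None
    if body is None and m["msgid"] == "106015":
        body = DENY.search(m["msg"])
    if body:
        rec.update({k: v for k, v in body.groupdict().items() if v is not None})
    return rec

def naive_program(line):
    """Assumed, simplified model of RFC3164 PROGRAM extraction (not syslog-ng's code):
    the text after the host up to the first ':'. A device-id line yields an empty string."""
    after_host = line.split(None, 4)[4]  # skip "Mon DD HH:MM:SS host"
    return after_host.split(":", 1)[0].strip()
```

Running parse_asa over the device-id sample shows why the thread's PROGRAM field came back empty: the only thing between the host and the first ':' is whitespace.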