[syslog-ng] Cisco ASA parsing with patterndb/elasticsearch

Tim Ghetti tghetti at targetedsupport.com
Mon Mar 5 17:33:31 UTC 2018 

Hi

I was able to resolve some of my issues. The first thing I did was stop all logging to ES and delete all my data. Once I started logging to ES again with a json template statement in the output rule I saw that the logs were in fact being parsed by patterndb. Also I noticed that using the “logging device-id” statement on the ASA sends over an empty PROGRAM field in syslog – so I removed that statement. Now I have patterndb working correctly and I just have to go through and fine tune my parser rules.

I am interested in why the cisco-parser() statement would not send any output. Below are some log samples. Let me know if there is anything helpful here. Thanks for everyone’s help!


Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-106015: Deny TCP (no connection) from XXX.XXX.192.57/1147 to XXX.XXX.105.15/445 flags RST ACK  on interface OUTSIDE
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-305011: Built dynamic TCP translation from OUTSIDE:XXX.XXX.192.57/2004(LOCAL\user) to OUTSIDE:69.147.160.165/2004
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-302013: Built inbound TCP connection 787029 for OUTSIDE:XXX.XXX.192.57/2004 (XXX.XXX.160.165/2004)(LOCAL\user) to OUTSIDE:XXX.XXX.165.71/443 (XXX.XXX.165.71/443) (user)
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-302016: Teardown UDP connection 786540 for OUTSIDE:XXX.XXX.4.101/123 to INSIDE:XXX.XXX.105.61/123 duration 0:02:02 bytes 48
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-305011: Built dynamic TCP translation from OUTSIDE:XXX.XXX.192.57/2004(LOCAL\user) to OUTSIDE: XXX.XXX.160.165/2004
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-302014: Teardown TCP connection 787027 for OUTSIDE: XXX.XXX.44.11/443 to INSIDE:XXX.XXX.105.122/50330 duration 0:00:00 bytes 25227 TCP FINs from INSIDE
Feb 25 22:14:13.247139 XXX.XXX.31.1 %ASA-7-609001: Built local-host outside: XXX.XXX.224.196
Feb 25 22:14:13.247139 XXX.XXX.31.1 %ASA-6-302020: Built inbound ICMP connection for faddr XXX.XXX.224.196/54900 gaddr XXX.XXX.77.81/0 laddr XXX.XXX.77.81/0
Feb 25 22:14:13.247349 XXX.XXX.31.1 %ASA-6-302021: Teardown ICMP connection for faddr XXX.XXX.224.196/54900 gaddr XXX.XXX.77.81/0 laddr XXX.XXX.77.81/0
Feb 25 22:14:13.257785 XXX.XXX.159.2 %ASA-6-302014: Teardown TCP connection 369356 for OUTSIDE: XXX.XXX.167.21/443 to INSIDE:XXX.XXX.135.46/58914 duration 0:00:18 bytes 7264 TCP Reset-O from OUTSIDE
Feb 25 22:14:13.257885 XXX.XXX.159.2 %ASA-6-305012: Teardown dynamic TCP translation from INSIDE:XXX.XXX.135.46/58914 to OUTSIDE: XXX.XXX.45.90/58914 duration 0:00:18
Feb 25 22:14:13.261045 XXX.XXX.159.2 %ASA-6-305011: Built dynamic TCP translation from INSIDE:XXX.XXX.135.46/50748 to OUTSIDE: XXX.XXX.45.90/50748
Feb 25 22:14:13.261145 XXX.XXX.159.2 %ASA-6-302013: Built outbound TCP connection 369392 for OUTSIDE: XXX.XXX.167.21/443 (XXX.XXX.167.21/443) to INSIDE:XXX.XXX.135.46/50748 (XXX.XXX.45.90/50748)
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-302014: Teardown TCP connection 633281 for OUTSIDE: XXX.XXX.44.11/443 to INSIDE:XXX.XXX.105.122/50330 duration 0:00:00 bytes 0 Failover primary closed
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-302014: Teardown TCP connection 726445 for OUTSIDE:XXX.XXX.192.57/1074(LOCAL\user) to INSIDE:XXX.XXX.101.104/443 duration 2:13:31 bytes 58884 TCP Reset-O from OUTSIDE (user)
Feb 26 03:14:13.000000 BHD-MDC-FW1 : %ASA-6-305011: Built dynamic TCP translation from OUTSIDE:XXX.XXX.192.57/2005(LOCAL\user) to OUTSIDE: XXX.XXX.160.165/2005

From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Scheidler, Balázs
Sent: Monday, March 5, 2018 7:55 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu<mailto:syslog-ng at lists.balabit.hu>>
Subject: Re: [syslog-ng] Cisco ASA parsing with patterndb/elasticsearch

Hi,

Could you pls send a couple of messages? I would really like to make sure this works out of the box.

Thanks

On Mar 1, 2018 16:08, "Scheidler, Balázs" <balazs.scheidler at balabit.com<mailto:balazs.scheidler at balabit.com>> wrote:
Can you give me a few inbound logs as received by syslog-ng? I would try to fix up cisco parser that it works for your use-case, as it should.

Thanks

On Feb 28, 2018 21:48, "Tim Ghetti" <tghetti at targetedsupport.com<mailto:tghetti at targetedsupport.com>> wrote:
I tried using the cisco-parser and not having any luck with that either. When I enable the parser, I actually stop seeing outbound traffic to elasticsearch. My config is below


log {
        source { udp(flags(no-parse)); };
        parser { cisco-parser(); };
        destination {
                elasticsearch2(
        client-mode("http")
                cluster("ITESCL001")
                index("logstash-syslogng_${YEAR}.${MONTH}.${DAY}")
                cluster-url("http://192.168.101.199:9200 http://192.168.101.198:9200")
                type("syslog")
                flush-limit("1"));
        };

}


[root at ITLOG001 conf.d]# tcpdump -nnSXi ens192 port 9200 -vv
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20180305/39e0c3e1/attachment-0001.html>

More information about the syslog-ng mailing list