All ASA syslogs are received with Severity 0

malcolmleek
Posts: 6
Joined: Thu Jun 01, 2017 2:58 pm

All ASA syslogs are received with Severity 0

Post by malcolmleek »

I'm not sure why, but all syslogs received from my Cisco ASA come in as "Severity" 0 and "Severity_Label" Emergency. I checked the firewall and the messages are of different severities (like 4 or 6), but Nagios LS is not categorizing them correctly. This creates problems with filtering and alerting because I can't filter them out.

Help me Obi-Wan Kenobi. You're my only hope.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: All ASA syslogs are received with Severity 0

Post by cdienger »

It sounds like something isn't parsing correctly. Can you share a sample of the firewall logs?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
malcolmleek
Posts: 6
Joined: Thu Jun 01, 2017 2:58 pm

Re: All ASA syslogs are received with Severity 0

Post by malcolmleek »

Yes, I can. I'm not sure what you would like to see though.
malcolmleek
Posts: 6
Joined: Thu Jun 01, 2017 2:58 pm

Re: All ASA syslogs are received with Severity 0

Post by malcolmleek »

Sure. Which logs would you like to see?
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: All ASA syslogs are received with Severity 0

Post by cdienger »

I'd like to see the raw log messages that are getting sent over and try parsing them on a lab machine to see why they are not parsing. You can just expand the events seen in the NLS dashboard and copy the message field.
malcolmleek
Posts: 6
Joined: Thu Jun 01, 2017 2:58 pm

Re: All ASA syslogs are received with Severity 0

Post by malcolmleek »

Dashboard row (host, type, message, severity, severity_label, tags, timestamp):

10.100.11.17 syslog <164>%ASA-4-106023: Deny udp src LAN-DMZ:172.20.#.#/64603 dst identity:229.111.#.#/3071 by access-group "LAN-DMZ_access_in" [0xe0362917, 0x0]
0 Emergency _grokparsefailure_sysloginput 2017-09-12T15:03:11.618-05:00

Expanded event fields:

@timestamp: 2017-09-12T20:03:11.618Z
@version: 1
_id: AV53sDrXjrA6ezG6p3_j
_index: logstash-2017.09.12
_type: syslog
facility: 0
facility_label: kernel
host: 10.100.#.#
message: <164>%ASA-4-106023: Deny udp src LAN-DMZ:172.20.#.#/64603 dst identity:229.111.#.#/3071 by access-group "LAN-DMZ_access_in" [0xe0362917, 0x0]
priority: 0
severity: 0
severity_label: Emergency
tags: _grokparsefailure_sysloginput
type: syslog
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: All ASA syslogs are received with Severity 0

Post by mcapra »

Just chiming in to say I've seen this behavior before with ASAs. They don't seem to follow RFC 3164 to the letter. You might try this solution:
https://support.nagios.com/forum/viewto ... 20#p118275
Former Nagios employee
https://www.mcapra.com/
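The event posted above and mcapra's remark about RFC 3164 together explain the symptom: the PRI value 164 decodes to facility 20 (local4) and severity 4 (Warning), which matches the "4" in %ASA-4-106023, but the ASA sends no timestamp or hostname after the PRI, so a grok pattern written for the RFC 3164 header never matches, the event is tagged _grokparsefailure_sysloginput, and Log Server falls back to priority/facility/severity 0. The following added example (not code from the thread or from Nagios Log Server) shows that decode and the difference between a strict header pattern and one that also accepts the ASA shape; the sample lines are constructed, the ASA one copied from the post with its masked addresses, and the regexes and function names are this example's own.

```python
import re

# Constructed sample: the raw message field posted in this thread (addresses masked as in the post).
ASA_SAMPLE = ('<164>%ASA-4-106023: Deny udp src LAN-DMZ:172.20.#.#/64603 '
              'dst identity:229.111.#.#/3071 by access-group "LAN-DMZ_access_in" '
              '[0xe0362917, 0x0]')
# Constructed sample of a message with a conventional RFC 3164 header (timestamp, hostname).
RFC3164_SAMPLE = '<34>Oct 11 22:14:15 fw01 su: failed login for root on /dev/pts/8'

SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]
FACILITY_LABELS = ["kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                   "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
                  ["local%d" % i for i in range(8)]

# Strict RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME rest
RFC3164_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$')
# ASA header as seen in the thread: <PRI>%ASA-SEV-MSGID: rest (no timestamp, no hostname)
ASA_RE = re.compile(r'^<(?P<pri>\d{1,3})>%ASA-(?P<asa_sev>\d)-(?P<msg_id>\d{6}): (?P<msg>.*)$')


def decode_pri(pri):
    """Split the PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8


def parse_failure(line):
    """Shape of an unmatched event: everything defaults to 0 and the event is tagged."""
    return {"message": line, "facility": 0, "facility_label": "kernel",
            "severity": 0, "severity_label": "Emergency",
            "tags": ["_grokparsefailure_sysloginput"]}


def parse_syslog(line, accept_asa=True):
    """Parse one syslog line. With accept_asa=False only the RFC 3164 header is tried,
    which reproduces the severity-0 result reported in the thread."""
    m = RFC3164_RE.match(line)
    if m is None and accept_asa:
        m = ASA_RE.match(line)
    if m is None:
        return parse_failure(line)
    facility, severity = decode_pri(int(m.group("pri")))
    event = {"message": line,
             "facility": facility, "facility_label": FACILITY_LABELS[facility],
             "severity": severity, "severity_label": SEVERITY_LABELS[severity],
             "tags": [], "msg": m.group("msg")}
    gd = m.groupdict()
    if "asa_sev" in gd:
        event["msg_id"] = gd["msg_id"]
        # The severity digit in %ASA-n-id should agree with the PRI; tag the event if it does not,
        # so a filter can alert on inconsistent or malformed messages instead of silently accepting them.
        if int(gd["asa_sev"]) != severity:
            event["tags"].append("_asa_severity_mismatch")
    else:
        event["timestamp"] = gd["ts"]
        event["host"] = gd["host"]
    return event


if __name__ == "__main__":
    for line in (ASA_SAMPLE, RFC3164_SAMPLE):
        for accept in (False, True):
            ev = parse_syslog(line, accept_asa=accept)
            print("accept_asa=%s -> severity %d (%s) tags=%s"
                  % (accept, ev["severity"], ev["severity_label"], ev["tags"]))
```

Running it shows the ASA line scored as severity 0 / Emergency with the grok-failure tag under the strict pattern and as severity 4 / Warning, facility local4, once the ASA header shape is accepted. In practice the same point applies to whichever input or filter handles the firewall: a filter on the _grokparsefailure_sysloginput tag is a useful check that no source is silently being dropped to severity 0, since such events would otherwise both trigger Emergency alerts and hide real ones.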
malcolmleek
Posts: 6
Joined: Thu Jun 01, 2017 2:58 pm

Re: All ASA syslogs are received with Severity 0

Post by malcolmleek »

I didn't see any solutions in that article.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: All ASA syslogs are received with Severity 0

Post by tmcdonald »

The posted solution was in regards to configuring the terminal to turn off sequence-numbers, or creating different inputs and filters in Log Server. It's the second link posted by @mcapra.
Former Nagios employee
malcolmleek
Posts: 6
Joined: Thu Jun 01, 2017 2:58 pm

Re: All ASA syslogs are received with Severity 0

Post by malcolmleek »

I'm not sure I follow you. I clicked on the link posted by @mcapra, which took me to a message board titled "All Log Entries on same facility/priority/severity". I read all 5 pages and they never found a solution. If there is one, could you please copy and paste it here?