IP Charts with Geolocation
networkeng (Posts: 27, Joined: Wed Nov 12, 2014 5:25 pm)
IP Charts with Geolocation
We are exporting our firewall syslogs to NLS. What would be the easiest way to graph attacker IPs by country into a pie chart? I do not mind installing additional software if necessary (although it would be awesome if this feature was integrated into NLS)...just wanting to know the path of least resistance to get this done.
Re: IP Charts with Geolocation
Are you currently receiving proper GeoIP data? If so, please show me some of your fields - I am interested in knowing if you have a 'country' field available.
networkeng
Re: IP Charts with Geolocation
Currently, we are just receiving the raw syslog entries from the ASA without any geolocation information. Here is an example of a recent entry:
<163>CISCO_ASA_FWASA01 %ASA-3-710003: TCP access denied by ACL from 61.240.144.65/60000 to OUTSIDE:xxx.xxx.xxx.xxx/443
Re: IP Charts with Geolocation
The first thing that needs to happen here is you'll need to design a filter capable of parsing the GeoIP information out of your logs. To do so, I recommend reading some previous posts of mine that explain the input/filter process in detail:
http://support.nagios.com/forum/viewtop ... 37&t=32221
http://support.nagios.com/forum/viewtop ... 68#p134768
http://support.nagios.com/forum/viewtop ... 28#p137728
After you understand how to generate a custom filter for your ASA logs, pull out the client IP address and have a field for it - once you have an appropriate client IP field being populated by an IP address we can start manipulating it with the GeoIP filter. Let me know when you've reached that point. Thanks!
networkeng
Re: IP Charts with Geolocation
Thanks for your quick reply. I'll get started reading and working on the filter and let you know when I'm ready for the next step.
networkeng
Re: IP Charts with Geolocation
I read through the threads, but I'm having trouble already. I also did some reading on regex and grok, but it isn't clicking... at least with how I would need to apply it to this case. I hope you can assist me with constructing a filter that can match the syslog messages below (this is just the message portion of the syslog entry).
I also do not know where to put this filter code once it is created; would it go in this location: /usr/local/nagioslogserver/logstash/etc/conf.d/500_filters.conf?
Below are the two entry types I would need to match on. Important fields would be date/time, firewall name (CISCO_ASA_FWASA01), SRC IP, DST IP, DST Port.
<163>CISCO_ASA_FWASA01 %ASA-3-710003: TCP access denied by ACL from 70.21.251.159/1552 to OUTSIDE:19.19.19.19/23
<131>Jul 16 2015 19:33:54 CISCO_ASA_FW1ASA01 : %ASA-3-710003: TCP access denied by ACL from 87.217.43.23/34103 to OUTSIDE:19.19.19.19/23
If it makes any difference, we have an active license for NLS... not sure if I should have created this thread in the Customer section.
Re: IP Charts with Geolocation
I have moved your post to the customer forum - in the customer forum you are covered by our SLA.
The obvious problem here is that the Cisco ASA is sending us log data in different formats. I ran across the following post, which will likely work very well for us here: http://www.gregmefford.com/blog/2014/09 ... -logstash/
You will place the 'input' section in an 'input' block on your Global Configuration dashboard:

```
udp {
  port => 514
  type => "cisco-asa"
}
```

Do the same for the filter block. After you are done, be sure to 'Apply Configuration' and you should be good to go!

```
# Logstash conditionals reference event fields in square brackets: [type], not type
if [type] == "cisco-asa" {
  # Split the syslog part and Cisco tag out of the message
  grok {
    match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
  }
  # Parse the syslog severity and facility
  syslog_pri { }
  # Parse the date from the "timestamp" field to the "@timestamp" field
  # (timezone must be the zone the ASA's clock is set to)
  date {
    match => ["timestamp",
      "MMM dd HH:mm:ss",
      "MMM d HH:mm:ss",
      "MMM dd yyyy HH:mm:ss",
      "MMM d yyyy HH:mm:ss"
    ]
    timezone => "America/New_York"
  }
  # Clean up redundant fields if parsing was successful
  if "_grokparsefailure" not in [tags] {
    mutate {
      rename => ["cisco_message", "message"]
      remove_field => ["timestamp"]
    }
  }
  # Extract fields from each of the detailed message types
  # The patterns provided below are included in Logstash since 1.2.0
  grok {
    match => [
      "message", "%{CISCOFW106001}",
      "message", "%{CISCOFW106006_106007_106010}",
      "message", "%{CISCOFW106014}",
      "message", "%{CISCOFW106015}",
      "message", "%{CISCOFW106021}",
      "message", "%{CISCOFW106023}",
      "message", "%{CISCOFW106100}",
      "message", "%{CISCOFW110002}",
      "message", "%{CISCOFW302010}",
      "message", "%{CISCOFW302013_302014_302015_302016}",
      "message", "%{CISCOFW302020_302021}",
      "message", "%{CISCOFW305011}",
      "message", "%{CISCOFW313001_313004_313008}",
      "message", "%{CISCOFW313005}",
      "message", "%{CISCOFW402117}",
      "message", "%{CISCOFW402119}",
      "message", "%{CISCOFW419001}",
      "message", "%{CISCOFW419002}",
      "message", "%{CISCOFW500004}",
      "message", "%{CISCOFW602303_602304}",
      "message", "%{CISCOFW710001_710002_710003_710005_710006}",
      "message", "%{CISCOFW713172}",
      "message", "%{CISCOFW733100}"
    ]
  }
}
```

Note:
You may need to allow UDP port 514 on your Nagios Log Server by following this document: https://assets.nagios.com/downloads/nag ... Server.pdf
Let me know if you have any questions or problems!
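As an added example (not code from this thread, from the linked blog post, or from Nagios Log Server), the following Python parser does for the two ASA line shapes quoted above what the grok, syslog_pri and date stages of the posted Logstash filter do: it splits off the PRI, optional timestamp, hostname and %ASA tag, decodes facility and severity, and pulls the source/destination fields out of 710xxx "access denied by ACL" messages. It also counts denied connections per source IP, which is the series a GeoIP stage turns into the per-country pie chart asked for at the top of the thread. Function names, field names and the sample lines are my own; the sample lines use RFC 5737 documentation addresses. Unlike the stock CISCO_TAGGED_SYSLOG pattern, which expects a timestamp ahead of the hostname, this parser treats the timestamp and the " :" before the tag as optional so that the first (timestamp-less) line shape parses too.

```python
"""Parser for the two Cisco ASA syslog line shapes quoted in this thread.

Added example: not code from the thread, from Greg Mefford's post or from
Nagios Log Server. It does in plain Python what the grok, syslog_pri and date
stages of the posted Logstash filter do for %ASA-x-710xxx messages, so the
fields can be checked before a GeoIP stage is added. Function and field names
are my own; sample lines are constructed with RFC 5737 test addresses.
"""
import re
from collections import Counter
from typing import Optional

# RFC 3164: PRI = facility * 8 + severity. Same split the syslog_pri filter does.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]
FACILITY = ["kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
            "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# Header: <PRI>, optional "Mon dd [yyyy] HH:mm:ss", hostname, optional " :",
# then the %ASA-<level>-<id>: tag. Timestamp and colon are optional so that
# both line shapes from the thread match (the second has them, the first does not).
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}) )?"
    r"(?P<host>\S+?)\s*:?\s*"
    r"%ASA-(?P<level>\d)-(?P<msg_id>\d{6}): (?P<cisco_message>.*)$"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Body of 710001-710006: "<proto> request|access <action> from <ip>/<port> to <iface>:<ip>/<port>".
# Field names follow the stock CISCOFW710001_710002_710003_710005_710006 pattern.
MSG_710 = re.compile(
    r"^(?P<protocol>\w+) (?:request|access) "
    r"(?P<action>denied by ACL|denied|permitted|discarded|requested) "
    r"from (?P<src_ip>" + IPV4 + r")/(?P<src_port>\d+) "
    r"to (?P<dst_interface>[^:]+):(?P<dst_ip>" + IPV4 + r")/(?P<dst_port>\d+)$"
)
MSG_710_IDS = {"710001", "710002", "710003", "710005", "710006"}


def parse_asa_line(line: str) -> Optional[dict]:
    """Return a dict of fields for one ASA syslog line, or None if the header
    does not parse. Lines whose body is not a 710xxx ACL message are returned
    with tags=["_grokparsefailure"], like the second grok stage in the filter."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    pri = int(m["pri"])
    facility, severity = divmod(pri, 8)
    event = {
        "syslog_facility": FACILITY[facility] if facility < len(FACILITY) else str(facility),
        "syslog_severity": SEVERITY[severity],
        "timestamp": m["timestamp"],          # None when the ASA sends no timestamp
        "host": m["host"],
        "ciscotag": f"ASA-{m['level']}-{m['msg_id']}",
        "message": m["cisco_message"],
    }
    body = MSG_710.match(m["cisco_message"]) if m["msg_id"] in MSG_710_IDS else None
    if body is None:
        event["tags"] = ["_grokparsefailure"]
        return event
    event.update(body.groupdict())
    event["src_port"] = int(event["src_port"])
    event["dst_port"] = int(event["dst_port"])
    return event


def denied_sources(lines) -> dict:
    """Count denied connections per source IP: the series a GeoIP lookup on
    src_ip would turn into the per-country pie chart asked for in this thread."""
    counts = Counter()
    for line in lines:
        ev = parse_asa_line(line)
        if ev and ev.get("action", "").startswith("denied"):
            counts[ev["src_ip"]] += 1
    return dict(counts)


# Constructed sample input in the two shapes quoted above (RFC 5737 addresses).
SAMPLE_LINES = [
    "<163>CISCO_ASA_FWASA01 %ASA-3-710003: TCP access denied by ACL "
    "from 192.0.2.10/60000 to OUTSIDE:203.0.113.5/443",
    "<131>Jul 16 2015 19:33:54 CISCO_ASA_FW1ASA01 : %ASA-3-710003: TCP access denied by ACL "
    "from 198.51.100.7/34103 to OUTSIDE:203.0.113.5/23",
    "<131>Jul  6 2015 09:01:02 CISCO_ASA_FW1ASA01 : %ASA-3-710003: UDP access denied by ACL "
    "from 192.0.2.10/5000 to OUTSIDE:203.0.113.5/161",
    # A non-710 message: header parses, body does not, so it is tagged and not counted.
    "<163>CISCO_ASA_FWASA01 %ASA-6-302013: Built inbound TCP connection 12 "
    "for OUTSIDE:192.0.2.99/4444 (192.0.2.99/4444) to INSIDE:10.0.0.5/443 (203.0.113.5/443)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_asa_line(line))
    print(denied_sources(SAMPLE_LINES))
```

Two things this shows that the raw lines do not: the two quoted lines arrive with different PRI values (163 decodes to local4/error, 131 to local0/error), so the two ASAs are configured differently, not just with and without timestamps; and the `src_ip` field is the one to hand to the Logstash `geoip` filter (`geoip { source => "src_ip" }`), whose country fields then drive the chart. If the ASA that sends lines without a timestamp is switched to include one (the `logging timestamp` command), the stock CISCO_TAGGED_SYSLOG pattern in the posted filter will match that feed as well.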
networkeng
Re: IP Charts with Geolocation
Thanks, jolson. I currently have all network equipment configured to send syslog data to TCP 5544. I am trying to set up the input for ASA logging on UDP 5555; however, I can't get Nagios Log Server to listen on that port. I tried running as root (tip from the PDF you linked to) but it still won't listen on that port. I applied the configuration and did a 'service logstash restart', but still can't get it listening on UDP 5555.
After I get it listening on that port I can update the ASAs to start sending to that port.
Re: IP Charts with Geolocation
Interesting. Let's take a look at the CLI configuration to ensure that it matches your GUI configuration:

```
cat /usr/local/nagioslogserver/logstash/etc/conf.d/*
```

Does it match? If not, there's likely something wrong with the GUI configuration. Log into the Web GUI and navigate to 'Administration -> Global Configuration'. Once there, press 'Verify'. Does the verify come back clean?