We have configured a Cisco ASA firewall to send its syslog messages to a Nagios Log Server on port 5544.
When I do a tcpdump on the log server I can see the syslog messages hitting the log server's interface:
15:41:08.682838 IP 10.28.102.1.syslog > 10.28.102.74.5544: SYSLOG local4.debug, length: 116
15:41:08.683169 IP 10.28.102.1.syslog > 10.28.102.74.5544: SYSLOG local4.debug, length: 116
15:41:08.683366 IP 10.28.102.1.syslog > 10.28.102.74.5544: SYSLOG local4.debug, length: 116
15:41:08.683382 IP 10.28.102.1.syslog > 10.28.102.74.5544: SYSLOG local4.debug, length: 116
15:41:08.684438 IP 10.28.102.1.syslog > 10.28.102.74.5544: SYSLOG local4.info, length: 187
but a search for syslog messages on the log server console produces no results from the cisco device.
Other devices (Centos mail server) are sending logs to the server and they do appear in the console.
Is there some other configuration required to display these log entries?
Cisco Syslog messages not appearing in the console
-
rpaulmorris
- Posts: 6
- Joined: Fri Aug 14, 2015 1:10 pm
Re: Cisco Syslog messages not appearing in the console
It's possible that your Cisco ASA logs don't match the default 'syslog' input that's assigned to port 5544. Try sending the logs to our default 'raw' input at UDP port 2056 instead.
If sending the logs to the raw UDP input works properly, you may desire to set up a new input specifically geared toward your Cisco ASA. Let me know once you've reached that point. Thanks!
-
rpaulmorris
- Posts: 6
- Joined: Fri Aug 14, 2015 1:10 pm
Re: Cisco Syslog messages not appearing in the console
OK, the ASA was changed to send its syslog messages to UDP port 2056:
18:26:32.370183 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
18:26:32.418504 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 180
18:26:32.418533 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.info, length: 183
18:26:32.418826 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.info, length: 174
18:26:32.435806 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
but a search for source 10.28.102.1 results in 0 hits in the dashboard.
-
rpaulmorris
- Posts: 6
- Joined: Fri Aug 14, 2015 1:10 pm
Re: Cisco Syslog messages not appearing in the console
The Cisco was reconfigured to send its syslog messages to UDP port 2056:
18:34:53.309964 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
18:34:53.311889 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
18:34:53.318786 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
but there are still no entries in the dashboard when searching for the source ip 10.28.102.1
-
jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Cisco Syslog messages not appearing in the console
When coming into the raw input it's not likely to have the host part filtered out. You can either create that filter and make sure it's assigned to events coming into the raw input, or you can simply look through the events for messages that are from the ASA. The latter method will require that you identify some distinct data manually. The former simply requires that you write a grok filter and match it to the events coming in on the filter.
Perhaps also worth using tcpdump to verify that the data is actually streaming to the server.
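To make the difference between the three paths concrete (stock syslog input, raw input with no host extraction, and an ASA-specific filter that pulls the host out), here is an added Python example. It is not Nagios Log Server or Logstash code and the regular expressions only approximate what a grok pattern would do; the sample datagrams are constructed, and it assumes the default Cisco ASA message shape (a %ASA-severity-id prefix, with the timestamp and hostname present only when the ASA is configured to add them).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample datagrams as (source IP, payload); not captured from the
# thread's network. The first two have the Cisco ASA shape, the third is an
# ordinary RFC 3164 line like the one a CentOS mail server would send.
SAMPLES = [
    ("10.28.102.1", "<167>%ASA-7-609001: Built local-host inside:192.0.2.10"),
    ("10.28.102.1", "<166>Aug 14 15:41:08 asa-edge %ASA-6-302013: Built outbound TCP "
                    "connection 1234 for outside:198.51.100.7/443"),
    ("10.28.102.50", "<22>Aug 14 15:41:08 mail postfix/smtpd[1234]: "
                     "connect from unknown[192.0.2.20]"),
]

# Stock RFC 3164 header: <PRI>MMM dd HH:MM:SS host program[pid]: message
TIMESTAMP = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>" + TIMESTAMP + r") (?P<host>\S+) "
    r"(?P<program>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Cisco ASA shape: timestamp and hostname are optional (only emitted when the
# ASA has `logging timestamp` / `logging device-id` configured); the message
# always starts with %ASA-<severity>-<six-digit id>:
ASA = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:(?P<ts>" + TIMESTAMP + r") )?(?:(?P<host>[^%\s]+) )?"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$"
)

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class Event:
    source_ip: str
    parser: str                     # which input/filter produced the fields
    facility: Optional[str] = None
    severity: Optional[str] = None
    host: Optional[str] = None
    program: Optional[str] = None
    message: str = ""


def decode_pri(pri: int):
    """PRI = facility * 8 + severity; values above 191 are out of range."""
    fac, sev = divmod(pri, 8)
    facility = FACILITIES[fac] if fac < len(FACILITIES) else str(fac)
    return facility, SEVERITIES[sev]


def stock_syslog_input(source_ip: str, line: str) -> Optional[Event]:
    """Mimics a plain syslog input: only RFC 3164-shaped lines yield fields."""
    m = RFC3164.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return Event(source_ip, "syslog", facility, severity, m["host"], m["program"], m["msg"])


def asa_filter(source_ip: str, line: str) -> Optional[Event]:
    """ASA-aware filter: extracts the host when present, else falls back to
    the datagram's source IP so a search on the sender's address still hits."""
    m = ASA.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return Event(source_ip, "asa", facility, severity, m["host"] or source_ip,
                 f"%ASA-{m['sev']}-{m['msgid']}", m["msg"])


def raw_input_event(source_ip: str, line: str) -> Event:
    """Raw input: the whole payload is stored, nothing is extracted."""
    return Event(source_ip, "raw", message=line)


def ingest(source_ip: str, line: str) -> Event:
    return (asa_filter(source_ip, line)
            or stock_syslog_input(source_ip, line)
            or raw_input_event(source_ip, line))


def search_host(events: List[Event], host: str) -> List[Event]:
    """The dashboard-style search that returned 0 hits in the thread."""
    return [e for e in events if e.host == host]


if __name__ == "__main__":
    raw = [raw_input_event(ip, line) for ip, line in SAMPLES]
    parsed = [ingest(ip, line) for ip, line in SAMPLES]
    print("raw input, host search hits:", len(search_host(raw, "10.28.102.1")))
    print("with ASA filter, host search hits:", len(search_host(parsed, "10.28.102.1")))
    for e in parsed:
        print(e)
```

Running it shows the first ASA line failing the stock RFC 3164 pattern (no timestamp, no hostname), the raw path storing it with no host field at all, and the ASA-aware path filling host from the source address so the search succeeds.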
-
rpaulmorris
- Posts: 6
- Joined: Fri Aug 14, 2015 1:10 pm
Re: Cisco Syslog messages not appearing in the console
tcpdump shows this:
15:36:49.697963 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.698836 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.699400 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.699418 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.699433 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.699940 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.699972 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.700528 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.710435 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
15:36:49.719185 IP 10.28.102.1.syslog > 10.28.102.74.omnisky: SYSLOG local4.debug, length: 116
Modified my input file:
tcp {
    type => 'import_raw'
    tags => 'import_raw'
    port => 2056
}
udp {
    type => 'import_raw'
    tags => 'import_raw'
    port => 2056
}
Still no entries in the dashboard.
Re: Cisco Syslog messages not appearing in the console
On Nagios Log Server, were you certain to open up both TCP _and_ UDP port 2056? You can check the current firewall status like so:
iptables -L -n