Cisco ASA VPN Monitoring Dashboard issue
-
brian.diedrich
- Posts: 21
- Joined: Mon Jan 25, 2016 4:45 pm
- Location: Phoenix, AZ
Re: Cisco ASA VPN Monitoring Dashboard issue
I used the search that Agent Smith added in the filter that you updated as it works better with my messages in the grok debugger. I updated the Global Filter in NLS, however I am still seeing the parse failure for missing Bytes Received field. I have attached a screenshot of the error as it shows up on the Dashboard.
Re: Cisco ASA VPN Monitoring Dashboard issue
You'll likely need to wait until the next day, when the index rolls over for the fields to be remade. Let us know what happens with that.
Former Nagios Employee.
Re: Cisco ASA VPN Monitoring Dashboard issue
Also, are the messages properly getting parsed now?
Former Nagios Employee.
brian.diedrich
Re: Cisco ASA VPN Monitoring Dashboard issue
In the default dashboard they do, but the ASA VPN Monitoring dashboard I downloaded and imported is still showing the parse failures for BytesReceived field missing, and no events are showing up:
Re: Cisco ASA VPN Monitoring Dashboard issue
Let's do a remote to look at this.
Send in a ticket to [email protected] and I'll take ownership of it and send you a link to schedule a remote.
Former Nagios Employee.
Re: Cisco ASA VPN Monitoring Dashboard issue
I may have also made changes to the dashboard when I updated my grok filter. When I get into the office I'll update the copy on the exchange and post back here.
Looking forward to seeing you all at #NagiosCon2019?
-Dedicated Lover of Nconf,PNP4Nagios and Nagvis
Re: Cisco ASA VPN Monitoring Dashboard issue
Found a note here that does mention that the bytes received did change at some point after an upgrade. I can't post my dashboard right now as it has some proprietary data in it which I need to clean, and I have meetings today, but if you look at the JSON output for your entry, make sure that bytesreceived is being mutated properly (think it's in my grok filter near the end). If it is, the quotes will not be around the value. I don't think the dashboard did change at my end, just the input.
{
  "_index": "logstash-2016.06.09",
  "_type": "asa",
  "_id": "AVUy0UzV29BUL1F9axT6",
  "_score": null,
  "_source": {
    "message": "<164>%ASA-4-113019: Group = staff, Username = imavpnuser, IP = 1.142.97.125, Session disconnected. Session Type: SSL, Duration: 3h:34m:03s, Bytes xmt: 27622011, Bytes rcv: 15705680, Reason: User Requested\n",
    "@version": "1",
    "@timestamp": "2016-06-09T01:40:24.550Z",
    "type": "asa",
    "host": "9.9.9.9",
    "tags": [
      "_grokparsefailure_sysloginput"
    ],
    "priority": 0,
    "severity": 0,
    "facility": 0,
    "facility_label": "kernel",
    "severity_label": "Emergency",
    "syslog5424_pri": "164",
    "LogType": "ASA",
    "LogSeverity": "4",
    "LogMessageNumber": "113019",
    "Group": "staff",
    "username": "gregb",
    "IPAddress": "1.152.97.115",
    "SessionType": "SSL",
    "DurationHours": 3,
    "DurationMinutes": 34,
    "DurationSeconds": 3,
    "BytesTransmitted": 27622011,
    "BytesReceived": 15705680,
    "Reason": "User Requested\n",
    "geoip": {
      "ip": "1.142.97.125",
      "country_code2": "AU",
      "country_code3": "AUS",
      "country_name": "Australia",
      "continent_code": "OC",
      "latitude": -27,
      "longitude": 133,
      "location": [
        133,
        -27
      ]
    }
  },
  "sort": [
    1465436424550,
    1465436424550
  ]
}
Looking forward to seeing you all at #NagiosCon2019?
-Dedicated Lover of Nconf,PNP4Nagios and Nagvis
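The check described in the post above (byte counters should appear in the JSON without quotes), as an added example that is not part of the original thread and is not the poster's grok filter. Python stands in here for the Logstash grok and mutate steps; the regex, the function names and the "bad" document in the usage are assumptions built from the %ASA-4-113019 line quoted in the post.

```python
import json
import re

# Constructed sample: the %ASA-4-113019 line quoted in the post above.
SAMPLE = ("<164>%ASA-4-113019: Group = staff, Username = imavpnuser, "
          "IP = 1.142.97.125, Session disconnected. Session Type: SSL, "
          "Duration: 3h:34m:03s, Bytes xmt: 27622011, Bytes rcv: 15705680, "
          "Reason: User Requested\n")

# Hypothetical pattern covering only the message layout shown on this page.
ASA_113019 = re.compile(
    r"%ASA-(?P<LogSeverity>\d)-(?P<LogMessageNumber>113019): "
    r"Group = (?P<Group>[^,]+), Username = (?P<username>[^,]+), "
    r"IP = (?P<IPAddress>[^,]+), Session disconnected\. "
    r"Session Type: (?P<SessionType>[^,]+), "
    r"Duration: (?P<DurationHours>\d+)h:(?P<DurationMinutes>\d+)m:"
    r"(?P<DurationSeconds>\d+)s, "
    r"Bytes xmt: (?P<BytesTransmitted>\d+), Bytes rcv: (?P<BytesReceived>\d+), "
    r"Reason: (?P<Reason>.*)")

# Fields the dashboard needs as numbers; a regex capture is always a string.
NUMERIC = ("DurationHours", "DurationMinutes", "DurationSeconds",
           "BytesTransmitted", "BytesReceived")


def parse_113019(message):
    """Parse a session-disconnect line into typed fields, or None on no match."""
    m = ASA_113019.search(message)
    if m is None:
        return None  # the equivalent of a grok parse failure
    event = m.groupdict()
    event["Reason"] = event["Reason"].strip()
    for field in NUMERIC:
        event[field] = int(event[field])  # the step a mutate/convert performs
    return event


def string_typed_numbers(doc):
    """List numeric fields that are missing or stored as quoted strings."""
    src = doc.get("_source", {})
    return [f for f in NUMERIC if type(src.get(f)) is not int]


if __name__ == "__main__":
    print(json.dumps(parse_113019(SAMPLE), indent=2))
```

Running `string_typed_numbers` over a document copied from the index shows which counters still need converting; an empty list means the values are stored as numbers.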
Re: Cisco ASA VPN Monitoring Dashboard issue
@nozlaf thanks for the updates!
@brian.diedrich I haven't seen a ticket come in. Please let us know when you do, or if you plan not to.
Former Nagios employee
brian.diedrich
Re: Cisco ASA VPN Monitoring Dashboard issue
I found and fixed one error. The ASA logs were showing as type syslog instead of asa. I imagine that is due to the fact that they were both using 5544, and NLS won't accept more than one input per port? I asked our network engineer to change the port to 6514 as the original input has listed and changed it back. Logs are now showing up as type asa. I will have to check in the morning after the index rolls over to see if the ASA dashboard works correctly. Also to note, when saving global configuration changes in the GUI and it says stopping and starting, it doesn't seem to completely restart the services. I usually have to go to the server and manually restart the services as port 3515 has a tendency to stop accepting connections from the Windows servers afterward.
Re: Cisco ASA VPN Monitoring Dashboard issue
That will certainly do it.
If you want to look into the logstash restart issue, you have my PM with instructions on how to send a ticket in.
Former Nagios Employee.