Cisco ASA 55xx - syslogs

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
matt.niarhakos
Posts: 13
Joined: Tue Oct 27, 2015 9:16 am

Cisco ASA 55xx - syslogs

Post by matt.niarhakos »

Has anyone been able to successfully point Cisco ASA syslogs to Log Server and have them parsed correctly and visible in the dashboard? I've seen a lot of 'examples' of inputs and grok filters with no success. We purchased Nagios XI (and I added Log Server in there) so when I need to consolidate from other disparate syslog servers (Kiwi, SolarWinds, etc.) I could easily centralize. I didn't realize it would be such a pain to just repoint a Cisco network device there and have the log info show up. I'm primarily, at the least, looking to have my Cisco ASA devices logging here and ultimately would like to include the rest of the routing, switching, APs and controllers too. Anyone in a similar position? I've been through multiple posts with multiple claims that this will work, and it doesn't. Maybe I'm just doing something wrong. :oops:

https://www.linkedin.com/pulse/cisco-sy ... 9260695552

http://blogs.cisco.com/security/step-by ... -analytics

http://www.gregmefford.com/blog/2014/09 ... -logstash/
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: Cisco ASA 55xx - syslogs

Post by hsmith »

What port is your ASA trying to send logs to?
Former Nagios Employee.
matt.niarhakos
Posts: 13
Joined: Tue Oct 27, 2015 9:16 am

Re: Cisco ASA 55xx - syslogs

Post by matt.niarhakos »

Port 5544. If I tcpdump from the Nagios Log Server I can see messages from the ASA, but nothing is rendering in the dashboard. I'm assuming this has to do with configuring the appropriate inputs and filters, but I have been unable to make that work.
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: Cisco ASA 55xx - syslogs

Post by hsmith »

Can you show me the output of this command?

tail -n50 /var/log/logstash/logstash.log
Former Nagios Employee.
matt.niarhakos
Posts: 13
Joined: Tue Oct 27, 2015 9:16 am

Re: Cisco ASA 55xx - syslogs

Post by matt.niarhakos »

Attached. Below is a snippet:

{:timestamp=>"2016-06-30T10:54:25.873000-0700", :message=>"syslog listener died", :protocol=>:udp, :address=>"0.0.0.0:5544", :exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-0.1.6/lib/logstash/inputs/syslog.rb:135:in `udp_listener'", "/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-0.1.6/lib/logstash/inputs/syslog.rb:117:in `server'", "/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-0.1.6/lib/logstash/inputs/syslog.rb:97:in `run'"], :level=>:warn}
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Cisco ASA 55xx - syslogs

Post by rkennedy »

The error indicates something is listening on 5544 already.

{:timestamp=>"2016-06-30T10:54:36.072000-0700", :message=>"syslog listener died", :protocol=>:tcp, :address=>"0.0.0.0:5544", :exception=>#<Errno::EADDRINUSE: Address already in use - bind - Address already in use>

What is the output of lsof -i :5544?
Former Nagios Employee
matt.niarhakos
Posts: 13
Joined: Tue Oct 27, 2015 9:16 am

Re: Cisco ASA 55xx - syslogs

Post by matt.niarhakos »

[root@phxlnxmgtp004 ~]# lsof -i :5544
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 5740 nagios 37u IPv6 8139410 0t0 UDP *:5544
java 5740 nagios 38u IPv6 8139411 0t0 TCP *:5544 (LISTEN)
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: Cisco ASA 55xx - syslogs

Post by hsmith »

Can I see a screenshot of your Global Configuration page under Administration, with the inputs expanded?
Former Nagios Employee.
matt.niarhakos
Posts: 13
Joined: Tue Oct 27, 2015 9:16 am

Re: Cisco ASA 55xx - syslogs

Post by matt.niarhakos »

Attached
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: Cisco ASA 55xx - syslogs

Post by hsmith »

Can you try to make the following change?

Go to Administration > Global > Global Configuration and expand the syslog input.

Replace what is there with this:

  tcp {
    port => 5544
    type => syslog
  }
  udp {
    port => 5544
    type => syslog
  }

This will stop Logstash from dropping logs with a syslog format that it doesn't like, which is the default behavior.

Your syslogs will no longer be broken down into nice fields, because we're not using the syslog input anymore, but we can have that process done with this grok filter:

  if [type] == "syslog" {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }

Give this a shot.
Former Nagios Employee.
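As an added illustration (not code from this thread, and not part of Nagios Log Server or Logstash), the Python script below hand-translates the grok pattern in the post above into a plain regular expression and runs it over a few constructed syslog lines: one in the Cisco ASA message format, one with a program[pid] prefix, and one that lacks the <PRI> header. It mimics what the raw tcp/udp input followed by the grok filter do with a line: every line becomes an event, lines the pattern matches get the syslog_* fields (here also with facility and severity decoded from syslog_pri, which the grok filter alone does not do), and lines that do not match are kept and tagged _grokparsefailure instead of being dropped. The grok-to-regex translation, the facility/severity tables and the sample lines are my assumptions.

```python
import re

# Hand translation of the grok pattern from the post into a Python regex (assumption:
# POSINT -> [1-9][0-9]*, SYSLOGTIMESTAMP -> "Mon dd hh:mm:ss", SYSLOGHOST -> [\w.\-]+,
# DATA -> .*?, GREEDYDATA -> .*). The named groups carry the same field names.
SYSLOG_RE = re.compile(
    r"^<(?P<syslog_pri>[1-9][0-9]*)>"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.\-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>[1-9][0-9]*)\])?: "
    r"(?P<syslog_message>.*)$"
)

# RFC 3164 facility and severity tables, used to decode the <PRI> value
# (PRI = facility * 8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines (not captured from a real device): an ASA connection
# message, a Linux sshd message carrying a PID, and a line with no <PRI> header.
SAMPLE_LINES = [
    "<166>Jun 30 10:54:25 fw01 %ASA-6-302013: Built inbound TCP connection 12345 "
    "for outside:203.0.113.5/4433 (203.0.113.5/4433) to inside:10.0.0.7/443 (10.0.0.7/443)",
    "<38>Jun 30 10:55:01 host01 sshd[2412]: Accepted publickey for ops from 10.0.0.9 port 51234 ssh2",
    "Jun 30 10:56:00 fw01 : %ASA-6-302013: Built outbound TCP connection 12346 for outside:198.51.100.2/443",
]


def parse_syslog(line):
    """Return the grok-style fields for one line, or None if the pattern does not match."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    pri = int(fields["syslog_pri"])
    facility, severity = divmod(pri, 8)
    fields["syslog_facility"] = FACILITIES[facility] if facility < len(FACILITIES) else "unknown"
    fields["syslog_severity"] = SEVERITIES[severity]
    return fields


def process(lines):
    """Mimic the raw tcp/udp input followed by the grok filter: nothing is dropped.

    Matching lines get the parsed fields merged into the event; non-matching lines
    keep only the raw message and receive the _grokparsefailure tag, which is what
    Logstash's grok filter adds to an event when none of its patterns match.
    """
    events = []
    for line in lines:
        event = {"type": "syslog", "message": line}
        fields = parse_syslog(line)
        if fields is None:
            event["tags"] = ["_grokparsefailure"]
        else:
            event.update({k: v for k, v in fields.items() if v is not None})
        events.append(event)
    return events


if __name__ == "__main__":
    for event in process(SAMPLE_LINES):
        print(event)
```

Running it prints three events. The ASA line decodes to facility local4 and severity info (the ASA default facility), with the %ASA-6-302013 message ID landing in syslog_program, which is handy for building dashboard filters on message IDs. The third line, which the original syslog input would have rejected, is still present as an event with its raw message and a _grokparsefailure tag, so a search on that tag shows which devices need a pattern of their own.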