Cisco ASA Dashboard

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Hi gsmith,

The creator of the dashboard just added this sentence:

"Use this dashboard to see at a glance how VPN sessions are being closed on your ASA devices. It shows the bytes sent and received over the VPN sessions and works with IPSEC and ANYConnect VPN sessions"

I think the diagrams just show how many bytes the client received and sent in its session before it ended. :)
I imported your filter and dashboard and it looks like this:
[attachment: asa.PNG]
Also, I tried to change the "chart values"; nothing except "count" worked. So min, mean, max and total are not working.
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

Hi

Try this filter:

Code:

if [program] == 'cisco' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{HOUR:hour}h:%{MINUTE:min}m:%{SECOND:sec}s, Bytes xmt: %{NUMBER:bytesxmt:int}, Bytes rcv: %{NUMBER:bytesrcv:int}, Reason: %{GREEDYDATA:Reason}']
  }
  geoip {
    source => "IPAddress"
  }
}
And the attached dashboard.
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Hi gsmith,

I tried your filter with your dashboard:
[attachment: asa6.PNG]

This is my current configuration:

Input:

Code:

tcp {
  port => 6514
  type => 'asa'
}
Filter:

Code:

if [program] == 'cisco' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{HOUR:hour}h:%{MINUTE:min}m:%{SECOND:sec}s, Bytes xmt: %{NUMBER:bytesxmt:int}, Bytes rcv: %{NUMBER:bytesrcv:int}, Reason: %{GREEDYDATA:Reason}']
  }
  geoip {
    source => "IPAddress"
  }
}
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

Hi Shifty,

1. Does the Bytes Transmitted graph look reasonable?
2. On the server please run:

Code:

curl -XGET 'http://localhost:9200/logstash-2021.05.24/_mapping/field/bytesrcv'

This will tell us what the bytesrcv field's datatype is; it should be:
{"logstash-2021.05.24":{"mappings":{"syslog":{"bytesrcv":{"full_name":"bytesrcv","mapping":{"bytesrcv":{"type":"long"}}}}}}

Thanks
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Hey gsmith,

Mh, the "Bytes Transmitted" chart looks like the "Events over Time" chart. I don't know; the original chart uses the "bytes received" field, our chart no longer does. The new filter does not seem to find the fields "bytesrcv" and "bytesxmt".
[attachment: asa10.PNG]
[attachment: asa11.PNG]
The output from the command:

Code:

{"logstash-2021.05.24":{"mappings":{}}}
The output of the command also looks as if "bytesrcv" does not exist at all. Everything is pretty complicated :D
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

Hi,

Yes I changed the field names so I could differentiate from the original ones. I did make a mistake on the bytes transmitted chart,
here is how they both should be set up:
[attachment: shifty1.jpg]
[attachment: shifty2.jpg]
The reason the output of:

Code:

curl -XGET 'http://localhost:9200/logstash-2021.05.24/_mapping/field/bytesrcv'
was empty is because you need to pick an index that actually has data. So change logstash-2021.05.24
to a day where you had some data, and run:

Code:

# change XX to a day with data
curl -XGET 'http://localhost:9200/logstash-2021.05.XX/_mapping/field/bytesrcv'
curl -XGET 'http://localhost:9200/logstash-2021.05.XX/_mapping/field/bytesxmt'
Thanks
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Hi gsmith,

I have adjusted the graphs as you described.

Code:

curl -XGET 'http://localhost:9200/logstash-2021.05.19/_mapping/field/bytesxmt'
{"logstash-2021.05.19":{"mappings":{}}}

curl -XGET 'http://localhost:9200/logstash-2021.05.21/_mapping/field/bytesrcv'
{"logstash-2021.05.21":{"mappings":{}}}

curl -XGET 'http://localhost:9200/logstash-2021.05.22/_mapping/field/bytesrcv'
{"logstash-2021.05.22":{"mappings":{}}}

curl -XGET 'http://localhost:9200/logstash-2021.05.23/_mapping/field/bytesxmt'
{"logstash-2021.05.23":{"mappings":{}}}

curl -XGET 'http://localhost:9200/logstash-2021.05.26/_mapping/field/bytesrcv'
{"logstash-2021.05.26":{"mappings":{}}}

None of the queries returns anything. But they should, since VPN users work every day :)
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

Hey,

So the filter isn't being applied. Go ahead and change it from:

Code:

if [program] == 'cisco' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{HOUR:hour}h:%{MINUTE:min}m:%{SECOND:sec}s, Bytes xmt: %{NUMBER:bytesxmt:int}, Bytes rcv: %{NUMBER:bytesrcv:int}, Reason: %{GREEDYDATA:Reason}']
  }
  geoip {
    source => "IPAddress"
  }
}
to:

Code:

if [type] == 'asa' {
  grok {
    blah blah blah
  }
Only the first line needs to be changed.

Thanks
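To show what the corrected guard actually changes, here is an added Python re-creation (not Nagios Log Server or Logstash code) of the thread's grok pattern and its conditional, run over a constructed ASA session-disconnect line; the regex macros, the sample values and the `apply_filter` helper are my own stand-ins for the grok plugin.

```python
import re

# Python stand-ins for the grok macros the thread's pattern uses
# (simplified: IPv4 only, hour/min/sec as plain digit groups).
ASA_DISCONNECT = re.compile(
    r"^<(?P<syslog_pri>[1-9][0-9]*)>%(?P<LogType>\w+)-(?P<LogSeverity>\d+)-"
    r"(?P<LogMessageNumber>\d+): Group = (?P<Group>\b[\w\-]+\b), "
    r"Username = (?P<username>\b[\w\-]+\b), "
    r"IP = (?P<IPAddress>(?:\d{1,3}\.){3}\d{1,3}), Session disconnected\. "
    r"Session Type: (?P<SessionType>\w+), "
    r"Duration: (?P<hour>\d{1,2})h:(?P<min>\d{2})m:(?P<sec>\d{1,2})s, "
    r"Bytes xmt: (?P<bytesxmt>\d+), Bytes rcv: (?P<bytesrcv>\d+), "
    r"Reason: (?P<Reason>.*)$"
)

# Constructed sample in the shape of the ASA session-disconnect message;
# the tcp input with `type => 'asa'` sets only `type`, never `program`.
SAMPLE_EVENT = {
    "type": "asa",
    "message": (
        "<166>%ASA-4-113019: Group = RemoteUsers, Username = jdoe, "
        "IP = 203.0.113.45, Session disconnected. Session Type: SSL, "
        "Duration: 0h:05m:12s, Bytes xmt: 10240, Bytes rcv: 2048, "
        "Reason: User Requested"
    ),
}


def apply_filter(event, guard_field="type", guard_value="asa"):
    """Mimic `if [guard_field] == 'guard_value' { grok { ... } }`.

    With the thread's original guard ("program" == "cisco") the event has
    no such field, the block is skipped and bytesrcv/bytesxmt never reach
    the index, which is why the _mapping queries came back empty.
    """
    out = dict(event)
    if out.get(guard_field) != guard_value:  # absent field never matches
        return out
    m = ASA_DISCONNECT.match(out.get("message", ""))
    if m is None:
        out["tags"] = list(out.get("tags", [])) + ["_grokparsefailure"]
        return out
    fields = m.groupdict()
    # grok's ":int" suffix: without it the bytes land as strings and the
    # dashboard's min/mean/max/total aggregations have nothing numeric.
    for name in ("bytesxmt", "bytesrcv"):
        fields[name] = int(fields[name])
    out.update(fields)
    return out
```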
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Hey gsmith,

Thanks! That did the trick. :D I think the thread can be closed. :)

Many thanks !
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

Fantastic!

Glad it's working.

Have a good one.