Re: Cisco ASA VPN Monitoring Dashboard issue
Posted: Tue Jun 07, 2016 12:47 pm
by brian.diedrich
I used the search that Agent Smith added in the filter that you updated as it works better with my messages in the grok debugger. I updated the Global Filter in NLS, however I am still seeing the parse failure for missing Bytes Received field. I have attached a screenshot of the error as it shows up on the Dashboard.
Re: Cisco ASA VPN Monitoring Dashboard issue
Posted: Tue Jun 07, 2016 1:20 pm
by hsmith
You'll likely need to wait until the next day, when the index rolls over for the fields to be remade. Let us know what happens with that.
Re: Cisco ASA VPN Monitoring Dashboard issue
Posted: Tue Jun 07, 2016 1:20 pm
by hsmith
Also, are the messages properly getting parsed now?
Re: Cisco ASA VPN Monitoring Dashboard issue
Posted: Wed Jun 08, 2016 4:54 pm
by brian.diedrich
In the default dashboard they do, but the ASA VPN Monitoring dashboard I downloaded and imported is still showing the parse failures for BytesReceived field missing, and no events are showing up.
Re: Cisco ASA VPN Monitoring Dashboard issue
Posted: Wed Jun 08, 2016 4:56 pm
by hsmith
Let's do a remote to look at this.
Send in a ticket to [email protected] and I'll take ownership of it and send you a link to schedule a remote.
Re: Cisco ASA VPN Monitoring Dashboard issue
Posted: Wed Jun 08, 2016 5:41 pm
by nozlaf
I may have also made changes to the dashboard when I updated my grok filter. When I get into the office I'll update the copy on the exchange and post back here.
Re: Cisco ASA VPN Monitoring Dashboard issue
Posted: Wed Jun 08, 2016 9:11 pm
by nozlaf
Found a note here that does mention that the bytes received did change at some point after an upgrade. I can't post my dashboard right now as it has some proprietary data in it which I need to clean, and I have meetings today, but if you look at the JSON output for your entry, make sure that bytesreceived is being mutated properly (think it's in my grok filter near the end). If it is, the quotes will not be around the value. I don't think the dashboard did change at my end, just the input.
Code:
{
  "_index": "logstash-2016.06.09",
  "_type": "asa",
  "_id": "AVUy0UzV29BUL1F9axT6",
  "_score": null,
  "_source": {
    "message": "<164>%ASA-4-113019: Group = staff, Username = imavpnuser, IP = 1.142.97.125, Session disconnected. Session Type: SSL, Duration: 3h:34m:03s, Bytes xmt: 27622011, Bytes rcv: 15705680, Reason: User Requested\n",
    "@version": "1",
    "@timestamp": "2016-06-09T01:40:24.550Z",
    "type": "asa",
    "host": "9.9.9.9",
    "tags": [
      "_grokparsefailure_sysloginput"
    ],
    "priority": 0,
    "severity": 0,
    "facility": 0,
    "facility_label": "kernel",
    "severity_label": "Emergency",
    "syslog5424_pri": "164",
    "LogType": "ASA",
    "LogSeverity": "4",
    "LogMessageNumber": "113019",
    "Group": "staff",
    "username": "gregb",
    "IPAddress": "1.152.97.115",
    "SessionType": "SSL",
    "DurationHours": 3,
    "DurationMinutes": 34,
    "DurationSeconds": 3,
    "BytesTransmitted": 27622011,
    "BytesReceived": 15705680,
    "Reason": "User Requested\n",
    "geoip": {
      "ip": "1.142.97.125",
      "country_code2": "AU",
      "country_code3": "AUS",
      "country_name": "Australia",
      "continent_code": "OC",
      "latitude": -27,
      "longitude": 133,
      "location": [
        133,
        -27
      ]
    }
  },
  "sort": [
    1465436424550,
    1465436424550
  ]
}
Re: Cisco ASA VPN Monitoring Dashboard issue
Posted: Thu Jun 09, 2016 11:37 am
by tmcdonald
@nozlaf thanks for the updates!
@brian.diedrich I haven't seen a ticket come in. Please let us know when you do, or if you plan not to.
Re: Cisco ASA VPN Monitoring Dashboard issue
Posted: Thu Jun 09, 2016 4:42 pm
by brian.diedrich
I found and fixed one error. The ASA logs were showing as type syslog instead of asa. I imagine that is due to the fact that they were both using 5544, and NLS won't accept more than one input per port? I asked our network engineer to change the port to 6514 as the original input has listed and changed it back. Logs are now showing up as type asa. I will have to check in the morning after the index rolls over to see if the ASA dashboard works correctly. Also to note, when saving global configuration changes in the GUI and it says stopping and starting, it doesn't seem to completely restart the services. I usually have to go to the server and manually restart the services as port 3515 has a tendency to stop accepting connections from the Windows servers afterward.
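The two checks discussed in the posts above (event type is asa rather than syslog, and BytesReceived is stored as an unquoted number), written as an added Python example that is not part of the thread or of NLS. The function name, the regex for the 113019 line and the sample events are assumptions constructed for illustration.

```python
import json
import re

# Fields the sample document in the thread carries as JSON numbers (no quotes).
NUMERIC_FIELDS = ("BytesTransmitted", "BytesReceived",
                  "DurationHours", "DurationMinutes", "DurationSeconds")
# Regex for the %ASA-4-113019 disconnect line, written from the one sample in
# the thread (an assumption, not the grok pattern used by the NLS filter).
MSG_113019 = re.compile(
    r"%ASA-4-113019: .*?Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: ")

def check_event(hit, expected_type="asa"):
    """Return a list of problems found in one Elasticsearch hit (a dict)."""
    problems = []
    src = hit.get("_source", {})
    if src.get("type") != expected_type:
        problems.append(f"type is {src.get('type')!r}, expected {expected_type!r}")
    # Only the grok filter's default failure tag is flagged; the syslog input's
    # own _grokparsefailure_sysloginput tag is a different tag and is ignored.
    if "_grokparsefailure" in src.get("tags", []):
        problems.append("tag _grokparsefailure")
    for field in NUMERIC_FIELDS:
        if field not in src:
            problems.append(f"{field} missing")
        elif not isinstance(src[field], int):
            problems.append(f"{field} is {type(src[field]).__name__}, not a number")
    m = MSG_113019.search(src.get("message", ""))
    if m:  # cross-check the parsed byte counts against the raw message
        for field, raw in (("BytesTransmitted", m["xmt"]), ("BytesReceived", m["rcv"])):
            if str(src.get(field)) != raw:
                problems.append(f"{field} does not match the raw message")
    return problems

# Constructed sample events (not taken from a real system).
_MSG = ("<164>%ASA-4-113019: Group = staff, Username = exampleuser, "
        "IP = 192.0.2.10, Session disconnected. Session Type: SSL, "
        "Duration: 3h:34m:03s, Bytes xmt: 27622011, Bytes rcv: 15705680, "
        "Reason: User Requested\n")
GOOD = {"_source": {"type": "asa", "message": _MSG,
                    "tags": ["_grokparsefailure_sysloginput"],
                    "BytesTransmitted": 27622011, "BytesReceived": 15705680,
                    "DurationHours": 3, "DurationMinutes": 34, "DurationSeconds": 3}}
BAD = json.loads(json.dumps(GOOD))  # deep copy, then break it
BAD["_source"].update(type="syslog", BytesReceived="15705680",
                      tags=["_grokparsefailure"])

if __name__ == "__main__":
    print(check_event(GOOD), check_event(BAD), sep="\n")
```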
Re: Cisco ASA VPN Monitoring Dashboard issue
Posted: Thu Jun 09, 2016 4:50 pm
by hsmith
That will certainly do it.
If you want to look into the logstash restart issue, you have my PM with instructions on how to send a ticket in.