Cisco ASA Dashboard

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

Hi,

We need to find out what data type the dashboard requires. Is there any info provided by the author of the dashboard that
can help?

Also, just for fun try:

Bytes xmt: %{NUMBER:BytesTransmitted:float}, Bytes rcv: %{NUMBER:BytesReceived:float}

Let me know please....

Thanks
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Hi gsmith,

Bytes xmt: %{NUMBER:BytesTransmitted:float}, Bytes rcv: %{NUMBER:BytesReceived:float} unfortunately does not work either.

Unfortunately, there is no further information from the creator of the dashboard. The only thing in the filter is "Bytes xmt: %{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}" but unfortunately that doesn't work.

I once looked in the log and the following error occurs when loading the dashboard. Does that help us?

Code: Select all

[2021-05-14 21:11:34,198][DEBUG][action.search.type       ] [7b9ceae4-cc7e-462d-89d2-256de277dc28] [logstash-2021.05.14][1], node[54UU5cUOQXiRW551KQb4ew], [P], s[STARTED]: Failed to execute [org.elasticsearc7ed32f84] lastShard [true]
org.elasticsearch.search.SearchParseException: [logstash-2021.05.14][1]: from[-1],size[-1]: Parse Failure [Failed to parse source [{"facets":{"0":{"date_histogram":{"key_field":"@timestamp","value_field":"By,"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Port Error\") OR Reason:(\"NAS Error\") OR Reason:(\"NAS Request\") OR Reason:(\"NAS Reboot\") OR Rea OR Reason:(\"Port Suspended\") OR Reason:(\"Service Unavailable\") OR Reason:(\"SA Expired\") OR Reason:(\"Bandwidth Management Error\") OR Reason:(\"Certificate Expired\") OR Reason:(\"Phase 2 Mismatch\") \") OR Reason:(\"ACL Parse Error\") OR Reason:(\"Phase 2 Error\") OR Reason:(\"Internal Error\") OR Reason:(\"Crypto map policy not found\") OR Reason:(\"L2TP initiated\")  OR Reason:(\"NAC-Policy Error\") Oicy terminate\")  OR Reason:(\"Client type not supported\")  OR Reason:(\"Unknown\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1621019191206,"to":1621019491206}}},{"fquery":{"query":{"querya\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}},"1":{"date_histogram":{"key_field":"@timestamp","value_field":"BytesReceived","infacet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"User Requested\") OR  Reason:(\"Host Requested\") OR Reason:(\"VLAN Mapping Error\")"}},"filter":{"bool":{"must":[{"r21019191206,"to":1621019491206}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}:{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Administrator Reset\") OR R") OR Reason:(\"Administrator Shutdown\") OR Reason:(\"User error\") OR Reason:(\"IKE Delete\") OR Reason:(\"Peer Address 
Changed\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1621019191206,":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}},"3":{"date_histogram":{"key_fieldBytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Peer Reconnected\") OR Reason:(\"Callback\")"}},"filter":{"bool":{"mufrom":1621019191207,"to":1621019491207}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cachestogram":{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Lost Carrier\") OR filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1621019191207,"to":1621019491207}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":113019\")"}},"_cache":true}}]}}}}}}},"5":{"date_histogram":{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"que"Idle Timeout\") OR Reason:(\"Max time exceeded\") OR Reason:(\"Port unneeded\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1621019191208,"to":1621019491208}}},{"fquery":{"query":{"query_str"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}}},"size":0}]]
        at org.elasticsearch.search.SearchService.parseSource(SearchService.java:747)
        at org.elasticsearch.search.SearchService.createContext(SearchService.java:572)
        at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:544)
        at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:306)
        at org.elasticsearch.search.action.SearchServiceTransportAction$5.call(SearchServiceTransportAction.java:231)
        at org.elasticsearch.search.action.SearchServiceTransportAction$5.call(SearchServiceTransportAction.java:228)
        at org.elasticsearch.search.action.SearchServiceTransportAction$23.run(SearchServiceTransportAction.java:559)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.ClassCastException
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

hey shifty,

Can you please send me a log with the data messages we are trying to parse. I only need
a few rows.

Thanks
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Hi gsmith,

I hope this helps.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Cisco ASA Dashboard

Post by cdienger »

@shifty, it looks like I ran out of time to properly lab this but will do so first thing tomorrow. In the meantime, try editing both panels and instead of using BytesReceived and BytesTransmitted, see if BytesReceived.raw and BytesTransmitted.raw exist as options in the value field and try them if they are available.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Hello cdienger,

no problem, don't stress yourself ;)

Unfortunately there is no field named BytesReceived.raw or BytesTransmitted.raw.

Code: Select all

{
  "_index": "logstash-2021.05.19",
  "_type": "asa",
  "_id": "AXmDEWGv7rqESgLwgtKT",
  "_score": null,
  "_source": {
    "message": "<172>%ASA-4-113019: Group = VPN-Clients, Username = testuser, IP = 11.11.1111.111, Session disconnected. Session Type: SSL, Duration: 0h:32m:46s, Bytes xmt: 84720044, Bytes rcv: 6687952, Reason: User Requested",
    "@version": "1",
    "@timestamp": "2021-05-19T05:20:24.392Z",
    "host": "222.222.222.2",
    "port": 20085,
    "type": "asa",
    "syslog_pri": "172",
    "LogType": "ASA",
    "LogSeverity": "4",
    "LogMessageNumber": "113019",
    "Group": "VPN-Clients",
    "username": "testuser",
    "IPAddress": "11.11.111.111",
    "SessionType": "SSL",
    "DurationHours": "0",
    "DurationMinutes": "32",
    "DurationSeconds": "46",
    "BytesTransmitted": "84720044",
    "BytesReceived": "6687952",
    "Reason": "User Requested",
    "geoip": {
      "continent_code": "EU",
      "country_code2": "DE",
      "country_code3": "DE",
      "country_name": "Germany",
      "ip": "11.11.111.111",
      "latitude": 51.2993,
      "longitude": 9.491,
      "location": [
        9.431,
        51.2293
      ]
    }
  },
  "sort": [
    1621401624392,
    1621401624392
  ]
}
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Cisco ASA Dashboard

Post by cdienger »

I labbed it up and the byte fields were being stored as a string. This can be seen when running:

Code: Select all

curl -XGET 'http://localhost:9200/logstash-2021.05.19/'
Do you see the same thing on your end? It would look something like:

Code: Select all

...
 "BytesTransmitted" : {
            "type" : "string",
            "norms" : {
              "enabled" : false
            },
            "fielddata" : {
              "format" : "disabled"
            },
            "fields" : {
              "raw" : {
                "type" : "string",
                "index" : "not_analyzed",
                "ignore_above" : 256
              }
            }
          }
...
To save it as an int/long, set the logstash configuration to use:

Code: Select all

Bytes xmt: %{NUMBER:BytesTransmitted:int} Bytes rcv: %{NUMBER:BytesReceived:int}
See: https://www.elastic.co/blog/little-logs ... -type-data
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Thank you for the reply. Yes, I see the same result as you. I changed the filter to:

Code: Select all

if [type] == 'asa' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{NUMBER:DurationHours}h:%{INT:DurationMinutes}m:%{INT:DurationSeconds}s, Bytes xmt: %{NUMBER:BytesTransmitted:int}, Bytes rcv: %{NUMBER:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}']
  }
  geoip {
    source => "IPAddress"
  }
}
and I get this error:
error.PNG
and this error:
error2.PNG
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Cisco ASA Dashboard

Post by ssax »

Try doing a mutate on it and see if that helps.

Code: Select all

if [type] == 'asa' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{NUMBER:DurationHours}h:%{INT:DurationMinutes}m:%{INT:DurationSeconds}s, Bytes xmt: %{NUMBER:BytesTransmitted:int}, Bytes rcv: %{NUMBER:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}']
  }
  # Force the byte counters to integers even if the grok cast did not take effect
  mutate {
    convert => ["BytesTransmitted", "integer"]
  }
  mutate {
    convert => ["BytesReceived", "integer"]
  }
  geoip {
    source => "IPAddress"
  }
}
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

Hey Shifty,

Not to step on Sean's (ssax) toes but take a look at the dashboard I have attached. (Remember to
rename it from xxxx.txt to xxxx.json)
One thing that was throwing me was the test data you provided... some lines filtered and some lines didn't.
Turns out the %{IP} grok doesn't like 33.33.333.33 or 4.4.4.444..... or anything above 256 :lol:

I also made some other tweaks. I am getting the bytes received and bytes transmitted correctly.
I think the issue is those two panels aren't configured correctly. I am not sure what they want to
show - is it cumulative? (I doubt that) Is it something like number of bytes received over the last 10
minutes, with a data point every minute?

The filter I used:

Code: Select all

if [type] == 'asa' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{HOUR:DurationHours}h:%{MINUTE:DurationMinutes}m:%{SECOND:DurationSeconds}s, Bytes xmt: %{INT:BytesTransmitted.raw}, Bytes rcv: %{INT:BytesReceived.raw}, Reason: %{GREEDYDATA:Reason}']
  }
  geoip {
    source => "IPAddress"
  }
}
Thanks
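Added example (not code from the thread or from Nagios): a Python equivalent of the grok pattern the posts above use for %ASA-4-113019, showing the byte counters emitted as integers, the way %{INT:Field:int} or a mutate convert would, so a panel can sum them, plus an octet check mirroring gsmith's observation that %{IP} rejects octets above 255. The sample lines are constructed; the first mirrors the event shifty posted.

```python
import re

# Regex equivalent of the thread's grok pattern; group names mirror the grok field names.
ASA_113019 = re.compile(
    r"^<(?P<syslog_pri>\d+)>%(?P<LogType>\w+)-(?P<LogSeverity>\d+)-(?P<LogMessageNumber>\d+): "
    r"Group = (?P<Group>[\w\-]+), Username = (?P<username>[\w\-]+), "
    r"IP = (?P<IPAddress>\d{1,3}(?:\.\d{1,3}){3}), Session disconnected\. "
    r"Session Type: (?P<SessionType>\w+), "
    r"Duration: (?P<DurationHours>\d+)h:(?P<DurationMinutes>\d+)m:(?P<DurationSeconds>\d+)s, "
    r"Bytes xmt: (?P<BytesTransmitted>\d+), Bytes rcv: (?P<BytesReceived>\d+), "
    r"Reason: (?P<Reason>.*)$"
)

# Fields that %{INT:Field:int} in grok (or mutate convert => integer) turns into numbers.
INT_FIELDS = ("BytesTransmitted", "BytesReceived",
              "DurationHours", "DurationMinutes", "DurationSeconds")

def valid_ipv4(addr):
    """grok's %{IP} does not match octets above 255; mirror that check here."""
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))

def parse_asa_113019(line):
    """Return a dict of typed fields, or None when the line does not match."""
    m = ASA_113019.match(line)
    if m is None or not valid_ipv4(m.group("IPAddress")):
        return None
    event = m.groupdict()
    for field in INT_FIELDS:
        event[field] = int(event[field])  # string -> int, as the :int suffix would do
    return event

def sum_bytes(events, field):
    """Aggregate a counter; this only works because the field is numeric, not a string."""
    return sum(e[field] for e in events if e is not None)

# Constructed sample lines: the first mirrors shifty's posted event, the last has a bad octet.
SAMPLE_LINES = [
    "<172>%ASA-4-113019: Group = VPN-Clients, Username = testuser, IP = 11.11.111.111, Session disconnected. "
    "Session Type: SSL, Duration: 0h:32m:46s, Bytes xmt: 84720044, Bytes rcv: 6687952, Reason: User Requested",
    "<172>%ASA-4-113019: Group = VPN-Clients, Username = alice, IP = 192.0.2.10, Session disconnected. "
    "Session Type: IPsec, Duration: 1h:05m:09s, Bytes xmt: 1200, Bytes rcv: 3400, Reason: Idle Timeout",
    "<172>%ASA-4-113019: Group = VPN-Clients, Username = bob, IP = 4.4.4.444, Session disconnected. "
    "Session Type: SSL, Duration: 0h:01m:00s, Bytes xmt: 1, Bytes rcv: 2, Reason: Unknown",
]

if __name__ == "__main__":
    events = [parse_asa_113019(line) for line in SAMPLE_LINES]
    print([e is not None for e in events])     # [True, True, False]
    print(sum_bytes(events, "BytesReceived"))  # 6691352
```

Against the same events, a field left as a string (as in the mapping cdienger showed) would make `sum_bytes` raise a TypeError, which is the Python analogue of the ClassCastException in shifty's Elasticsearch log.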