Page 2 of 3

Re: Cisco ASA Dashboard

Posted: Fri May 14, 2021 9:33 am
by gsmith
Hi,

We need to find out what data type the dashboard is requiring, is there any info provided by the author of the dashboard that
can help?

Also, just for fun try:

Bytes xmt: %{NUMBER:BytesTransmitted:float}, Bytes rcv: %{NUMBER:BytesReceived:float}

Let me know please....

Thanks

Re: Cisco ASA Dashboard

Posted: Fri May 14, 2021 2:18 pm
by shifty
Hi gsmith,

Bytes xmt: %{NUMBER:BytesTransmitted:float}, Bytes rcv: %{NUMBER:BytesReceived:float} unfortunately does not work either.

Unfortunately, there is no further information from the creator of the dashboard. The only thing in the filter is "Bytes xmt: %{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}", but unfortunately that doesn't work.

I looked in the log, and the following error occurs when loading the dashboard. Does that help us?

Code:

[2021-05-14 21:11:34,198][DEBUG][action.search.type       ] [7b9ceae4-cc7e-462d-89d2-256de277dc28] [logstash-2021.05.14][1], node[54UU5cUOQXiRW551KQb4ew], [P], s[STARTED]: Failed to execute [org.elasticsearc7ed32f84] lastShard [true]
org.elasticsearch.search.SearchParseException: [logstash-2021.05.14][1]: from[-1],size[-1]: Parse Failure [Failed to parse source [{"facets":{"0":{"date_histogram":{"key_field":"@timestamp","value_field":"By,"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Port Error\") OR Reason:(\"NAS Error\") OR Reason:(\"NAS Request\") OR Reason:(\"NAS Reboot\") OR Rea OR Reason:(\"Port Suspended\") OR Reason:(\"Service Unavailable\") OR Reason:(\"SA Expired\") OR Reason:(\"Bandwidth Management Error\") OR Reason:(\"Certificate Expired\") OR Reason:(\"Phase 2 Mismatch\") \") OR Reason:(\"ACL Parse Error\") OR Reason:(\"Phase 2 Error\") OR Reason:(\"Internal Error\") OR Reason:(\"Crypto map policy not found\") OR Reason:(\"L2TP initiated\")  OR Reason:(\"NAC-Policy Error\") Oicy terminate\")  OR Reason:(\"Client type not supported\")  OR Reason:(\"Unknown\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1621019191206,"to":1621019491206}}},{"fquery":{"query":{"querya\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}},"1":{"date_histogram":{"key_field":"@timestamp","value_field":"BytesReceived","infacet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"User Requested\") OR  Reason:(\"Host Requested\") OR Reason:(\"VLAN Mapping Error\")"}},"filter":{"bool":{"must":[{"r21019191206,"to":1621019491206}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}:{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Administrator Reset\") OR R") OR Reason:(\"Administrator Shutdown\") OR Reason:(\"User error\") OR Reason:(\"IKE Delete\") OR Reason:(\"Peer Address 
Changed\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1621019191206,":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}},"3":{"date_histogram":{"key_fieldBytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Peer Reconnected\") OR Reason:(\"Callback\")"}},"filter":{"bool":{"mufrom":1621019191207,"to":1621019491207}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cachestogram":{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Lost Carrier\") OR filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1621019191207,"to":1621019491207}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":113019\")"}},"_cache":true}}]}}}}}}},"5":{"date_histogram":{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"que"Idle Timeout\") OR Reason:(\"Max time exceeded\") OR Reason:(\"Port unneeded\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1621019191208,"to":1621019491208}}},{"fquery":{"query":{"query_str"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}}},"size":0}]]
        at org.elasticsearch.search.SearchService.parseSource(SearchService.java:747)
        at org.elasticsearch.search.SearchService.createContext(SearchService.java:572)
        at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:544)
        at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:306)
        at org.elasticsearch.search.action.SearchServiceTransportAction$5.call(SearchServiceTransportAction.java:231)
        at org.elasticsearch.search.action.SearchServiceTransportAction$5.call(SearchServiceTransportAction.java:228)
        at org.elasticsearch.search.action.SearchServiceTransportAction$23.run(SearchServiceTransportAction.java:559)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.ClassCastException

Re: Cisco ASA Dashboard

Posted: Mon May 17, 2021 10:40 am
by gsmith
hey shifty,

Can you please send me a log with the data messages we are trying to parse please. I only need
a few rows.

Thanks

Re: Cisco ASA Dashboard

Posted: Tue May 18, 2021 12:32 am
by shifty
Hi gsmith,

I hope this helps.

Re: Cisco ASA Dashboard

Posted: Tue May 18, 2021 4:58 pm
by cdienger
@shifty, it looks like I ran out of time to properly lab this but will do so first thing tomorrow. In the meantime, try editing both panels and instead of using BytesReceived and BytesTransmitted, see if BytesReceived.raw and BytesTransmitted.raw exist as options in the value field and try them if they are available.

Re: Cisco ASA Dashboard

Posted: Wed May 19, 2021 12:33 am
by shifty
Hello cdienger,

no problem, don't stress yourself ;)

Unfortunately there is no field named BytesReceived.raw or BytesTransmitted.raw.

Code:

{
  "_index": "logstash-2021.05.19",
  "_type": "asa",
  "_id": "AXmDEWGv7rqESgLwgtKT",
  "_score": null,
  "_source": {
    "message": "<172>%ASA-4-113019: Group = VPN-Clients, Username = testuser, IP = 11.11.1111.111, Session disconnected. Session Type: SSL, Duration: 0h:32m:46s, Bytes xmt: 84720044, Bytes rcv: 6687952, Reason: User Requested",
    "@version": "1",
    "@timestamp": "2021-05-19T05:20:24.392Z",
    "host": "222.222.222.2",
    "port": 20085,
    "type": "asa",
    "syslog_pri": "172",
    "LogType": "ASA",
    "LogSeverity": "4",
    "LogMessageNumber": "113019",
    "Group": "VPN-Clients",
    "username": "testuser",
    "IPAddress": "11.11.111.111",
    "SessionType": "SSL",
    "DurationHours": "0",
    "DurationMinutes": "32",
    "DurationSeconds": "46",
    "BytesTransmitted": "84720044",
    "BytesReceived": "6687952",
    "Reason": "User Requested",
    "geoip": {
      "continent_code": "EU",
      "country_code2": "DE",
      "country_code3": "DE",
      "country_name": "Germany",
      "ip": "11.11.111.111",
      "latitude": 51.2993,
      "longitude": 9.491,
      "location": [
        9.431,
        51.2293
      ]
    }
  },
  "sort": [
    1621401624392,
    1621401624392
  ]
}

Re: Cisco ASA Dashboard

Posted: Wed May 19, 2021 10:42 am
by cdienger
I labbed it up and the byte fields were being stored as a string. This can be seen when running:

Code:

curl -XGET 'http://localhost:9200/logstash-2021.05.19/'
Do you see the same thing on your end? It would look something like:

Code:

...
 "BytesTransmitted" : {
            "type" : "string",
            "norms" : {
              "enabled" : false
            },
            "fielddata" : {
              "format" : "disabled"
            },
            "fields" : {
              "raw" : {
                "type" : "string",
                "index" : "not_analyzed",
                "ignore_above" : 256
              }
            }
          }
...
To save it as an int/long, set the logstash configuration to use:

Code:

Bytes xmt: %{NUMBER:BytesTransmitted:int}, Bytes rcv: %{NUMBER:BytesReceived:int}
See: https://www.elastic.co/blog/little-logs ... -type-data

Re: Cisco ASA Dashboard

Posted: Thu May 20, 2021 3:47 am
by shifty
Thank you for the reply. Yes, I see the same result as you. I changed the filter to:

Code:

if [type] == 'asa' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{NUMBER:DurationHours}h:%{INT:DurationMinutes}m:%{INT:DurationSeconds}s, Bytes xmt: %{NUMBER:BytesTransmitted:int}, Bytes rcv: %{NUMBER:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}']
  }
  geoip {
    source => "IPAddress"
  }
}
and I get this error (attachment: error.PNG) and this error (attachment: error2.PNG).

Re: Cisco ASA Dashboard

Posted: Thu May 20, 2021 5:26 pm
by ssax
Try doing a mutate on it and see if that helps.

Code:

if [type] == 'asa' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{NUMBER:DurationHours}h:%{INT:DurationMinutes}m:%{INT:DurationSeconds}s, Bytes xmt: %{NUMBER:BytesTransmitted:int}, Bytes rcv: %{NUMBER:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}']
  }
  mutate {
    convert => ["BytesTransmitted", "integer"]
  }
  mutate {
    convert => ["BytesReceived", "integer"]
  }
  geoip {
    source => "IPAddress"
  }
}

Re: Cisco ASA Dashboard

Posted: Thu May 20, 2021 7:05 pm
by gsmith
Hey Shifty,

Not to step on Sean's (ssax) toes but take a look at the dashboard I have attached. (Remember to
rename it from xxxx.txt to xxxx.json)
One thing that was throwing me was the test data you provided...some lines filtered and some lines didn't.
Turns out the %{IP} grok doesn't like 33.33.333.33 or 4.4.4.444..... or anything above 256

I also made some other tweaks. I am getting the bytes received and bytes transmitted correctly.
I think the issue is those two panels aren't configured correctly. I am not sure what they want to
show - is it cumulative? (i doubt that) Is it something like number of bytes received over the last 10
minutes, with a data point every minute?

The filter I used:

Code:

if [type] == 'asa' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{HOUR:DurationHours}h:%{MINUTE:DurationMinutes}m:%{SECOND:DurationSeconds}s, Bytes xmt: %{INT:BytesTransmitted.raw}, Bytes rcv: %{INT:BytesReceived.raw}, Reason: %{GREEDYDATA:Reason}']
  }
  geoip {
    source => "IPAddress"
  }
}
Thanks
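Added worked example (not code from this thread, from Nagios Log Server, or from Logstash itself): a Python translation of the ASA-4-113019 grok expression posted above, covering two points raised in the thread. First, cdienger's finding that BytesTransmitted/BytesReceived were mapped as string, so a date_histogram value_field on them ends in the ClassCastException shown in shifty's stack trace; the example keeps the byte counters as strings or casts them to int, the way %{NUMBER:...:int} or mutate/convert does, and shows the summing that only works on the cast version. Second, gsmith's observation that %{IP} rejects addresses with an octet above 255; the example uses an octet-bounded IPv4 regex equivalent to grok's IPV4 pattern. The two log lines, the placeholder addresses in them and the mapping fragment are constructed for the example, and `string_fields` is a helper written here, not a Logstash or Elasticsearch API.

```python
import re
from typing import Optional

# Constructed sample events (not the attachment from the thread). The first
# mirrors the posted 113019 message with a placeholder address; the second has
# an octet above 255, which grok's %{IP} (IPV4) pattern does not match, so
# grok would tag it _grokparsefailure instead of extracting any fields.
SAMPLE_LINES = [
    "<172>%ASA-4-113019: Group = VPN-Clients, Username = testuser, IP = 10.11.12.13, "
    "Session disconnected. Session Type: SSL, Duration: 0h:32m:46s, "
    "Bytes xmt: 84720044, Bytes rcv: 6687952, Reason: User Requested",
    "<172>%ASA-4-113019: Group = VPN-Clients, Username = bob, IP = 33.33.333.33, "
    "Session disconnected. Session Type: SSL, Duration: 1h:02m:03s, "
    "Bytes xmt: 100, Bytes rcv: 200, Reason: Idle Timeout",
]

# Octet-bounded IPv4 regex equivalent to grok's IPV4 pattern (0-255 per octet).
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"

# Python translation of the grok expression from the thread; the group names
# match the posted _source document so the result can be compared with it.
ASA_113019 = re.compile(
    r"^<(?P<syslog_pri>\d+)>%(?P<LogType>\w+)-(?P<LogSeverity>\d+)-(?P<LogMessageNumber>\d+): "
    r"Group = (?P<Group>[\w\-]+), Username = (?P<username>[\w\-]+), "
    rf"IP = (?P<IPAddress>{IPV4}), "
    r"Session disconnected\. Session Type: (?P<SessionType>\w+), "
    r"Duration: (?P<DurationHours>\d+)h:(?P<DurationMinutes>\d+)m:(?P<DurationSeconds>\d+)s, "
    r"Bytes xmt: (?P<BytesTransmitted>\d+), Bytes rcv: (?P<BytesReceived>\d+), "
    r"Reason: (?P<Reason>.*)$"
)

# Fields the thread's fix casts with %{NUMBER:...:int} or mutate/convert.
# Every other capture stays a string, which is grok's default behaviour.
INT_FIELDS = ("BytesTransmitted", "BytesReceived")


def parse_asa_113019(line: str, cast_ints: bool = True) -> Optional[dict]:
    """Return the parsed event, or None where grok would set _grokparsefailure."""
    m = ASA_113019.match(line)
    if m is None:
        return None
    event = m.groupdict()
    if cast_ints:
        for name in INT_FIELDS:
            event[name] = int(event[name])
    return event


def total_bytes(events: list, field: str) -> int:
    """What a date_histogram value_field does: add up a numeric field.
    Raises TypeError when the field was left as a string, the Python analogue
    of the ClassCastException in the thread's stack trace."""
    return sum(e[field] for e in events)


def string_fields(properties: dict) -> list:
    """Given the 'properties' block of an Elasticsearch 1.x type mapping (as
    returned by GET /<index>/_mapping), list the fields stored as 'string'.
    A byte counter in this list cannot be used as a value_field; its .raw
    sub-field is also a string, so it does not help either."""
    return sorted(k for k, v in properties.items() if v.get("type") == "string")


# Constructed mapping fragment shaped like the one cdienger posted.
SAMPLE_MAPPING = {
    "BytesTransmitted": {"type": "string", "fields": {"raw": {"type": "string", "index": "not_analyzed"}}},
    "BytesReceived": {"type": "string", "fields": {"raw": {"type": "string", "index": "not_analyzed"}}},
    "LogSeverity": {"type": "string"},
    "@timestamp": {"type": "date"},
}

if __name__ == "__main__":
    parsed = [parse_asa_113019(line) for line in SAMPLE_LINES]
    print("matched:", [p is not None for p in parsed])        # [True, False]
    good = [p for p in parsed if p]
    print("bytes rcv total:", total_bytes(good, "BytesReceived"))  # 6687952
    print("string fields:", string_fields(SAMPLE_MAPPING))
```

One caveat when applying the fix on a live system: Elasticsearch fixes a field's type the first time it is indexed into a given index, so after changing the grok cast the existing logstash-YYYY.MM.DD index still carries BytesReceived as a string; the numeric mapping only takes effect in indices created after the change (or after a reindex), which is worth checking with the `_mapping` call before concluding the new filter did not work.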