Page 3 of 3
Re: Cisco ASA Dashboard
Posted: Fri May 21, 2021 12:36 am
by shifty
Hi gsmith,
The creator of the dashboard just added this sentence:
"Use this dashboard to see at a glance how VPN sessions are being closed on your ASA devices. It shows the bytes sent and received over the VPN sessions and works with IPSEC and ANYConnect VPN sessions"
I think the diagrams just show how many bytes the client received and sent in its session before it ended.
I imported your filter and dashboard and it looks like this:
(attachment: asa.PNG)
Also I tried to change the "chart values"; nothing except "count" worked. So min, mean, max and total are not working.
Re: Cisco ASA Dashboard
Posted: Sun May 23, 2021 9:54 pm
by gsmith
Hi
Try this filter:
Code:
if [program] == 'cisco' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{HOUR:hour}h:%{MINUTE:min}m:%{SECOND:sec}s, Bytes xmt: %{NUMBER:bytesxmt:int}, Bytes rcv: %{NUMBER:bytesrcv:int}, Reason: %{GREEDYDATA:Reason}']
  }
  geoip {
    source => "IPAddress"
  }
}
And the attached dashboard.
Re: Cisco ASA Dashboard
Posted: Tue May 25, 2021 1:11 am
by shifty
Hi gsmith,
I tried your filter with your dashboard:
(attachment: asa6.PNG)
This is my current configuration:
Input:
Code:
tcp {
  port => 6514
  type => 'asa'
}
Filter:
Code:
if [program] == 'cisco' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{HOUR:hour}h:%{MINUTE:min}m:%{SECOND:sec}s, Bytes xmt: %{NUMBER:bytesxmt:int}, Bytes rcv: %{NUMBER:bytesrcv:int}, Reason: %{GREEDYDATA:Reason}']
  }
  geoip {
    source => "IPAddress"
  }
}
Re: Cisco ASA Dashboard
Posted: Tue May 25, 2021 9:21 am
by gsmith
Hi Shifty,
1. Does the Bytes Transmitted graph look reasonable?
2. On the server please run:
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.24/_mapping/field/bytesrcv'
This will tell us what the bytesrcv field's datatype is; it should be:
{"logstash-2021.05.24":{"mappings":{"syslog":{"bytesrcv":{"full_name":"bytesrcv","mapping":{"bytesrcv":{"type":"long"}}}}}}
Thanks
Re: Cisco ASA Dashboard
Posted: Wed May 26, 2021 2:09 am
by shifty
Hey gsmith,
Mh, the "Bytes Transmitted" chart looks like the "Events over Time" chart. I don't know; the original chart uses the "bytes received" field, but our chart no longer does. The new filter does not seem to find the fields "bytesrcv" and "bytesxmt".
(attachment: asa10.PNG)
(attachment: asa11.PNG)
The output from the command:
Code:
{"logstash-2021.05.24":{"mappings":{}}}
The output of the command also looks as if "bytesrcv" does not exist at all. Everything is pretty complicated.

Re: Cisco ASA Dashboard
Posted: Wed May 26, 2021 9:37 am
by gsmith
Hi,
Yes I changed the field names so I could differentiate from the original ones. I did make a mistake on the bytes transmitted chart,
here is how they both should be set up:
(attachment: shifty1.jpg)
(attachment: shifty2.jpg)
The reason the output of:
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.24/_mapping/field/bytesrcv'
was empty is because you need to pick an index that actually has data. So change logstash-2021.05.24
to a day where you had some data, and run:
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.XX/_mapping/field/bytesrcv'
curl -GET 'http://localhost:9200/logstash-2021.05.XX/_mapping/field/bytesxmt'
Change XX to a day with data.
Thanks
Re: Cisco ASA Dashboard
Posted: Thu May 27, 2021 12:47 am
by shifty
Hi gsmith,
I have adjusted the graphs as you described.
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.19/_mapping/field/bytesxmt'
{"logstash-2021.05.19":{"mappings":{}}}
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.21/_mapping/field/bytesrcv'
{"logstash-2021.05.21":{"mappings":{}}}
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.22/_mapping/field/bytesrcv'
{"logstash-2021.05.22":{"mappings":{}}}
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.23/_mapping/field/bytesxmt'
{"logstash-2021.05.23":{"mappings":{}}}
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.26/_mapping/field/bytesrcv'
{"logstash-2021.05.26":{"mappings":{}}}
None of the queries return anything. But they should, since VPN users work every day.

Re: Cisco ASA Dashboard
Posted: Thu May 27, 2021 9:14 am
by gsmith
Hey,
So the filter isn't being applied. Go ahead and change it from:
Code:
if [program] == 'cisco' {
  grok {
    match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{HOUR:hour}h:%{MINUTE:min}m:%{SECOND:sec}s, Bytes xmt: %{NUMBER:bytesxmt:int}, Bytes rcv: %{NUMBER:bytesrcv:int}, Reason: %{GREEDYDATA:Reason}']
  }
  geoip {
    source => "IPAddress"
  }
}
to:
Code:
if [type] == 'asa' {
  grok {
    blah blah blah
  }
Only the first line needs to be changed.
Thanks
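The grok filter posted earlier in the thread and the conditional fix above, shown as an added example that is not part of any post or of Logstash itself: a Python translation of the grok pattern (simplified stand-ins for the IP/HOUR/MINUTE/SECOND patterns, an assumption) run against a constructed ASA session-disconnect line, together with a small emulation of the `if [field] == 'value'` wrapper. It shows why events from a tcp input with `type => 'asa'` and no `program` field never get `bytesrcv`/`bytesxmt` under the old condition, and why the `:int` suffix matters for the chart aggregations.

```python
import re

# Hypothetical Python equivalent of the grok pattern from the thread.
ASA_DISCONNECT = re.compile(
    r"^<(?P<syslog_pri>\d+)>%(?P<LogType>\w+)-(?P<LogSeverity>\d+)-(?P<LogMessageNumber>\d+): "
    r"Group = (?P<Group>\b[\w\-]+\b), Username = (?P<username>\b[\w\-]+\b), "
    r"IP = (?P<IPAddress>\d{1,3}(?:\.\d{1,3}){3}), Session disconnected\. "
    r"Session Type: (?P<SessionType>\w+), "
    r"Duration: (?P<hour>\d+)h:(?P<min>\d{1,2})m:(?P<sec>\d{1,2})s, "
    r"Bytes xmt: (?P<bytesxmt>\d+), Bytes rcv: (?P<bytesrcv>\d+), "
    r"Reason: (?P<Reason>.*)$"
)


def grok_asa(message):
    """Return the parsed fields, or None when the line does not match."""
    m = ASA_DISCONNECT.match(message)
    if not m:
        return None
    fields = m.groupdict()
    # Mirror the ":int" suffix in the grok pattern: the byte counters are
    # stored as numbers, which is what lets min/mean/max/sum aggregate them.
    for key in ("bytesxmt", "bytesrcv"):
        fields[key] = int(fields[key])
    return fields


def apply_filter(event, condition_field, condition_value):
    """Emulate `if [field] == 'value' { grok { ... } }` on an event dict."""
    if event.get(condition_field) != condition_value:
        return event  # condition false: grok never runs, no bytes* fields appear
    parsed = grok_asa(event.get("message", ""))
    return {**event, **parsed} if parsed else event


# Constructed sample event, shaped like what the tcp input with type => 'asa' emits.
SAMPLE_EVENT = {
    "type": "asa",
    "message": "<166>%ASA-4-113019: Group = VPN-Users, Username = jdoe, IP = 203.0.113.7, "
               "Session disconnected. Session Type: SSL, Duration: 0h:05m:12s, "
               "Bytes xmt: 123456, Bytes rcv: 654321, Reason: User Requested",
}

if __name__ == "__main__":
    old = apply_filter(SAMPLE_EVENT, "program", "cisco")  # the thread's original condition
    new = apply_filter(SAMPLE_EVENT, "type", "asa")       # gsmith's fix
    print("old condition set bytesrcv:", "bytesrcv" in old)   # False
    print("new condition set bytesrcv:", new.get("bytesrcv"))  # 654321
```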
Re: Cisco ASA Dashboard
Posted: Thu May 27, 2021 12:21 pm
by shifty
Hey gsmith,
Thanks! That did the trick.

I think the thread can be closed
Many thanks!
Re: Cisco ASA Dashboard
Posted: Thu May 27, 2021 2:25 pm
by gsmith
Fantastic!
Glad it's working.
Have a good one.