Cisco ASA VPN Monitoring Dashboard issue

brian.diedrich
Posts: 21
Joined: Mon Jan 25, 2016 4:45 pm
Location: Phoenix, AZ

Cisco ASA VPN Monitoring Dashboard issue

Post by brian.diedrich »

I installed the dashboard from the Nagios Exchange, along with the filter and the input and when I open it, I get the following parse exception error:
SearchParseException[[logstash-2016.06.02][0]: from[-1],size[-1]: Parse Failure [Failed to parse source [{"facets":{"0":{"date_histogram":{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Port Error\") OR Reason:(\"NAS Error\") OR Reason:(\"NAS Request\") OR Reason:(\"NAS Reboot\") OR Reason:(\"Connection preempted\") OR Reason:(\"Port Suspended\") OR Reason:(\"Service Unavailable\") OR Reason:(\"SA Expired\") OR Reason:(\"Bandwidth Management Error\") OR Reason:(\"Certificate Expired\") OR Reason:(\"Phase 2 Mismatch\") OR Reason:(\"Firewall Mismatch\") OR Reason:(\"ACL Parse Error\") OR Reason:(\"Phase 2 Error\") OR Reason:(\"Internal Error\") OR Reason:(\"Crypto map policy not found\") OR Reason:(\"L2TP initiated\") OR Reason:(\"NAC-Policy Error\") OR Reason:(\"Dynamic Access Policy terminate\") OR Reason:(\"Client type not supported\") OR Reason:(\"Unknown\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1464900816169,"to":1464987216169}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}},"1":{"date_histogram":{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"User Requested\") OR Reason:(\"Host Requested\") OR Reason:(\"VLAN Mapping 
Error\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1464900816169,"to":1464987216170}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}},"2":{"date_histogram":{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Administrator Reset\") OR Reason:(\"Administrator Reboot\") OR Reason:(\"Administrator Shutdown\") OR Reason:(\"User error\") OR Reason:(\"IKE Delete\") OR Reason:(\"Peer Address Changed\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1464900816170,"to":1464987216170}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}},"3":{"date_histogram":{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Peer Reconnected\") OR Reason:(\"Callback\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1464900816170,"to":1464987216170}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}},"4":{"date_histogram":{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Lost Carrier\") OR Reason:(\"Lost 
Service\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1464900816170,"to":1464987216170}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}},"5":{"date_histogram":{"key_field":"@timestamp","value_field":"BytesReceived","interval":"10m"},"global":true,"facet_filter":{"fquery":{"query":{"filtered":{"query":{"query_string":{"query":"Reason:(\"Idle Timeout\") OR Reason:(\"Max time exceeded\") OR Reason:(\"Port unneeded\")"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1464900816170,"to":1464987216170}}},{"fquery":{"query":{"query_string":{"query":"_type:(\"asa\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"LogMessageNumber:(\"113019\")"}},"_cache":true}}]}}}}}}}},"size":0}]]]
eloyd
Cool Title Here
Posts: 2190
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Cisco ASA VPN Monitoring Dashboard issue

Post by eloyd »

I know the guy that wrote the dashboard. Let me ping him and make sure he sees this topic.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
nozlaf
Posts: 172
Joined: Sun Nov 09, 2014 9:50 pm
Location: Victoria, Australia

Re: Cisco ASA VPN Monitoring Dashboard issue

Post by nozlaf »

So... I wrote this dashboard

Can I ask what type of ASA and what firmware?
Oh, and what version of Nagios Log Server?
Looking forward to seeing you all at #NagiosCon2019?
-Dedicated Lover of Nconf,PNP4Nagios and Nagvis
nozlaf
Posts: 172
Joined: Sun Nov 09, 2014 9:50 pm
Location: Victoria, Australia

Re: Cisco ASA VPN Monitoring Dashboard issue

Post by nozlaf »

If you can also post your syslog config from your ASA that would be beneficial; if you don't want to post that publicly, PM it to me.
I'm not an ASA expert, but things to check would be that syslog ID 113019 is set to warning level
and that you are sending warning-level log data to the NLS server.
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: Cisco ASA VPN Monitoring Dashboard issue

Post by hsmith »

@nozlaf, thanks for the follow up.
Former Nagios Employee.
me.
brian.diedrich
Posts: 21
Joined: Mon Jan 25, 2016 4:45 pm
Location: Phoenix, AZ

Re: Cisco ASA VPN Monitoring Dashboard issue

Post by brian.diedrich »

Nagios Log Server 1.4.1 (latest)
ASA - 5515 with IPS package and firmware 9.1.1
Logs set to debugging (verbose) and all are being sent to NLS

Here is a sample of the log with pertinent information redacted and replaced with generic info in the same format. It is being collected on NLS, just not on the ASA Dashboard. I did have to change the port from 6514 to 5544, as that is the port the ASA is sending logs to.
<164>Jun 03 2016 11:18:53: %ASA-4-113019: Group = GroupName, Username = user.name, IP = 127.0.0.1, Session disconnected. Session Type: SSL, Duration: 0h:01m:17s, Bytes xmt: 8202523, Bytes rcv: 85064, Reason: User Requested

Via the grok debugger at http://grokdebug.herokuapp.com/
I can get the following parts of the filter to work with the above log sample:

Group = %{IPORHOST:Group}
Username = %{IPORHOST:username}
IP = %{IP:IPAddress}
Session disconnected. Session Type: %{WORD:SessionType}
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: Cisco ASA VPN Monitoring Dashboard issue

Post by hsmith »

Try this one:

%{SYSLOG5424PRI}%{MONTH:Month} %{MONTHDAY:Day} %{YEAR:Year} %{TIME:Time}: %%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = %{IPORHOST:Group}, Username = %{IPORHOST:username}, IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{INT:DurationHours}?h:%{INT:DurationMinutes}m:%{INT:DurationSeconds}s, Bytes xmt: %{INT:BytesTransmitted}, Bytes rcv: %{INT:BytesReceived}, Reason: %{GREEDYDATA:Reason}

This is untested, and @nozlaf has the right to call me mean names if there's something wrong :)
nozlaf
Posts: 172
Joined: Sun Nov 09, 2014 9:50 pm
Location: Victoria, Australia

Re: Cisco ASA VPN Monitoring Dashboard issue

Post by nozlaf »

brian.diedrich wrote:
<164>Jun 03 2016 11:18:53: %ASA-4-113019: Group = GroupName, Username = user.name, IP = 127.0.0.1, Session disconnected. Session Type: SSL, Duration: 0h:01m:17s, Bytes xmt: 8202523, Bytes rcv: 85064, Reason: User Requested

As suspected, this differs from mine, probably due to a different ASA model / firmware / better configuration on your part.

This is what mine looks like:

<164>%ASA-4-113019: Group = vpngroup, Username = somecoolvpnuser, IP = 8.8.8.8, Session disconnected. Session Type: SSL, Duration: 0h:30m:40s, Bytes xmt: 396811, Bytes rcv: 58359, Reason: Idle Timeout

While debugging I've noticed that my existing filter is significantly different from the one that I uploaded all those years ago. The grok filter below should work better. Honestly, I don't know why I added the rest of the messages; I think it was to catch more stuff, but I'll be honest, it's evening here and I've had a couple of beers.

if [type] == 'asa' {
    grok {
        # Inline custom patterns in grok are written as Oniguruma named groups, (?<name>regex);
        # the optional "Nd " day prefix of the session duration is captured that way here.
        match => ['message', '%{SYSLOG5424PRI}%{MONTH:Month} %{MONTHDAY:Day} %{YEAR:Year} %{TIME:Time}: %%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = %{IPORHOST:Group}, Username = %{IPORHOST:username}, IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: (?:(?<DurationDays>[0-9]+)d )?%{INT:DurationHours:int}h:%{INT:DurationMinutes:int}m:%{INT:DurationSeconds:int}s, Bytes xmt: %{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}, Reason: %{GREEDYDATA:Reason}']
    }
    geoip {
        source => "IPAddress"
    }

    if "_grokparsefailure" in [tags] {
        # Split the syslog part and Cisco tag out of the message
        grok {
            match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
        }

        # Parse the syslog severity and facility
        syslog_pri { }

        # Parse the date from the "timestamp" field to the "@timestamp" field
        date {
            match => [
                "timestamp",
                "MMM dd HH:mm:ss",
                "MMM  d HH:mm:ss",
                "MMM dd yyyy HH:mm:ss",
                "MMM  d yyyy HH:mm:ss"
            ]
            timezone => "America/New_York"
        }

        # Clean up redundant fields if parsing was successful
        if "_grokparsefailure" not in [tags] {
            mutate {
                rename => ["cisco_message", "message"]
                remove_field => ["timestamp"]
            }
        }

        # Extract fields from each of the detailed message types
        # The patterns provided below are included in Logstash since 1.2.0
        grok {
          match => [
                "message", "%{CISCOFW106001}",
                "message", "%{CISCOFW106006_106007_106010}",
                "message", "%{CISCOFW106014}",
                "message", "%{CISCOFW106015}",
                "message", "%{CISCOFW106021}",
                "message", "%{CISCOFW106023}",
                "message", "%{CISCOFW106100}",
                "message", "%{CISCOFW110002}",
                "message", "%{CISCOFW302010}",
                "message", "%{CISCOFW302013_302014_302015_302016}",
                "message", "%{CISCOFW302020_302021}",
                "message", "%{CISCOFW305011}",
                "message", "%{CISCOFW313001_313004_313008}",
                "message", "%{CISCOFW313005}",
                "message", "%{CISCOFW402117}",
                "message", "%{CISCOFW402119}",
                "message", "%{CISCOFW419001}",
                "message", "%{CISCOFW419002}",
                "message", "%{CISCOFW500004}",
                "message", "%{CISCOFW602303_602304}",
                "message", "%{CISCOFW710001_710002_710003_710005_710006}",
                "message", "%{CISCOFW713172}",
                "message", "%{CISCOFW733100}"
            ]
        }
        mutate {
            convert => [ 'bytes', 'integer' ]
        }
    }
}
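To see what the grok patterns posted by hsmith and nozlaf actually extract from the two sample lines, and why the dashboard needs typed fields, here is a stand-alone Python rendering of the same pattern. This is an added example, not code from the thread, the dashboard or Nagios Log Server. Its assumptions: the regex approximates the stock grok patterns (Group, Username and IP are captured as "anything up to the next comma", which is looser than IPORHOST); the syslog timestamp is made optional so that both posted line shapes parse; the optional "Nd " day prefix follows nozlaf's filter; and the per-facet Reason lists are copied from the query_string clauses in the SearchParseException in the first post. The helper names (parse_asa_113019, dashboard_facet, dashboard_problems) and the third sample line with a day component are my own.

```python
import re

# Constructed samples: the two lines posted in the thread, plus one (not from
# the thread) with a day component that the filter's optional day group targets.
SAMPLE_WITH_TIMESTAMP = (
    "<164>Jun 03 2016 11:18:53: %ASA-4-113019: Group = GroupName, Username = user.name, "
    "IP = 127.0.0.1, Session disconnected. Session Type: SSL, Duration: 0h:01m:17s, "
    "Bytes xmt: 8202523, Bytes rcv: 85064, Reason: User Requested"
)
SAMPLE_NO_TIMESTAMP = (
    "<164>%ASA-4-113019: Group = vpngroup, Username = somecoolvpnuser, IP = 8.8.8.8, "
    "Session disconnected. Session Type: SSL, Duration: 0h:30m:40s, "
    "Bytes xmt: 396811, Bytes rcv: 58359, Reason: Idle Timeout"
)
SAMPLE_WITH_DAYS = (  # constructed for this example
    "<164>%ASA-4-113019: Group = vpngroup, Username = jdoe, IP = 198.51.100.7, "
    "Session disconnected. Session Type: IPsec, Duration: 2d 5h:03m:12s, "
    "Bytes xmt: 10, Bytes rcv: 20, Reason: Lost Carrier"
)

# Python-regex rendering of the thread's grok pattern (an approximation of the
# stock grok definitions). The syslog timestamp is optional so both posted line
# shapes match; the "Nd " day prefix is optional, as in nozlaf's filter.
ASA_113019 = re.compile(
    r"^<(?P<syslog_pri>\d{1,3})>"
    r"(?:(?P<Month>[A-Z][a-z]{2}) (?P<Day>\d{1,2}) (?P<Year>\d{4}) "
    r"(?P<Time>\d{2}:\d{2}:\d{2}): )?"
    r"%(?P<LogType>\w+)-(?P<LogSeverity>\d+)-(?P<LogMessageNumber>\d+): "
    r"Group = (?P<Group>[^,]+), Username = (?P<username>[^,]+), "
    r"IP = (?P<IPAddress>[^,]+), Session disconnected\. "
    r"Session Type: (?P<SessionType>\w+), "
    r"Duration: (?:(?P<DurationDays>\d+)d )?(?P<DurationHours>\d+)h:"
    r"(?P<DurationMinutes>\d+)m:(?P<DurationSeconds>\d+)s, "
    r"Bytes xmt: (?P<BytesTransmitted>\d+), Bytes rcv: (?P<BytesReceived>\d+), "
    r"Reason: (?P<Reason>.*)$"
)

# Fields the dashboard aggregates on must be numeric; these casts are the
# analogue of grok's ":int" suffix / mutate convert in nozlaf's filter.
INT_FIELDS = ("LogSeverity", "LogMessageNumber", "DurationDays", "DurationHours",
              "DurationMinutes", "DurationSeconds", "BytesTransmitted", "BytesReceived")

# Reason phrases per facet, copied from the query_string clauses in the
# SearchParseException; the keys are the dashboard's own facet ids "0".."5".
FACET_REASONS = {
    "0": ("Port Error", "NAS Error", "NAS Request", "NAS Reboot", "Connection preempted",
          "Port Suspended", "Service Unavailable", "SA Expired", "Bandwidth Management Error",
          "Certificate Expired", "Phase 2 Mismatch", "Firewall Mismatch", "ACL Parse Error",
          "Phase 2 Error", "Internal Error", "Crypto map policy not found", "L2TP initiated",
          "NAC-Policy Error", "Dynamic Access Policy terminate", "Client type not supported",
          "Unknown"),
    "1": ("User Requested", "Host Requested", "VLAN Mapping Error"),
    "2": ("Administrator Reset", "Administrator Reboot", "Administrator Shutdown",
          "User error", "IKE Delete", "Peer Address Changed"),
    "3": ("Peer Reconnected", "Callback"),
    "4": ("Lost Carrier", "Lost Service"),
    "5": ("Idle Timeout", "Max time exceeded", "Port unneeded"),
}


def parse_asa_113019(line):
    """Parse one %ASA-4-113019 line into a dict of typed fields, or return None
    when it does not match (the analogue of Logstash tagging _grokparsefailure)."""
    m = ASA_113019.match(line)
    if m is None:
        return None
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    event.setdefault("DurationDays", "0")   # no "Nd " prefix means zero days
    for field in INT_FIELDS:
        event[field] = int(event[field])
    # syslog PRI = facility * 8 + severity; <164> is local4 (20), warning (4)
    pri = int(event.pop("syslog_pri"))
    event["syslog_facility_code"], event["syslog_severity_code"] = divmod(pri, 8)
    event["DurationTotalSeconds"] = (
        ((event["DurationDays"] * 24 + event["DurationHours"]) * 60
         + event["DurationMinutes"]) * 60 + event["DurationSeconds"]
    )
    return event


def dashboard_facet(event):
    """Return the facet id ("0".."5") whose Reason clause matches this event, or
    None when the Reason is one the dashboard would silently leave out.
    Comparison is case-insensitive, approximating an analyzed phrase query."""
    reason = event["Reason"].strip().lower()
    for key, reasons in FACET_REASONS.items():
        if reason in (r.lower() for r in reasons):
            return key
    return None


def dashboard_problems(event):
    """List the reasons a parsed event would not show up in the dashboard panels."""
    problems = []
    if event.get("LogMessageNumber") != 113019:
        problems.append("LogMessageNumber is not 113019")
    if not isinstance(event.get("BytesReceived"), int):
        problems.append("BytesReceived is not numeric; the date_histogram cannot sum it")
    if dashboard_facet(event) is None:
        problems.append("Reason %r matches none of the dashboard's facet queries"
                        % event.get("Reason"))
    return problems
```

A line for which parse_asa_113019 returns None corresponds to an event tagged _grokparsefailure: it is still indexed, but it never reaches the dashboard's panels, so counting those per sending device is a quick way to find log formats the filter silently drops. The explicit int() casts mirror the :int suffixes in nozlaf's filter; the dashboard's date_histogram facets use BytesReceived as value_field (visible in the exception), which expects a numeric field, and hsmith's pattern as posted captures it as a string.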
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: Cisco ASA VPN Monitoring Dashboard issue

Post by hsmith »

nozlaf wrote: but I'll be honest, it's evening here, I've had a couple of beers
Tech Support: Doing it right.
eloyd
Cool Title Here
Posts: 2190
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Cisco ASA VPN Monitoring Dashboard issue

Post by eloyd »

He makes me proud that he's listed as "Consultant @ Everwatch" on the Nagios World Conference speakers page. :-)