Cisco ASA Dashboard
Posted: Fri May 07, 2021 10:13 am
by shifty
Hello again
I came across the Cisco ASA dashboard and would love to use it!
https://exchange.nagios.org/directory/A ... ng/details
Unfortunately, it doesn't work properly for me, as you can see on the screenshot.
1.PNG
2.PNG
My input and filter are the same as in the description:
https://exchange.nagios.org/components/ ... 7&cf_id=24
3.PNG
The logs come in via port 6514
4.PNG
Maybe someone has an idea how to get the dashboard working, or whether I did something wrong.
Thank you
shifty
Re: Cisco ASA Dashboard
Posted: Fri May 07, 2021 4:42 pm
by gsmith
Hi Shifty,
I took a look at the plugin page. It looks like you followed the Filter and Input instructions,
but did you also load the dashboard json file?
Image29.jpg
Please let me know.
Thanks
Re: Cisco ASA Dashboard
Posted: Sat May 08, 2021 12:52 am
by shifty
Hi gsmith,
Thank you for your reply. Yes, I have loaded the dashboard, as you can see in pictures 1 and 2. As you can see in picture 4, there are probably 3 grok parse failures. I was already able to fix one, namely the _grokparsefailure_sysloginput.
I've adjusted my input as follows:
from
Code:
syslog {
  type => 'asa'
  port => 6514
}
to
Code:
tcp {
  type => 'asa'
  port => 6514
}
Now I have the other two errors:
_grokparsefailure and _grokparsefailure_geoip
The Cisco ASA dashboard filters for the number 113019. When I search for the number and display the raw data, it looks like this:
Code:
{
  "_index": "logstash-2021.05.09",
  "_type": "asa",
  "_id": "AXlP-9Xm7rqESgLwSkw7",
  "_score": null,
  "_source": {
    "message": "<172>%ASA-4-113019: Group = VPN-Clients, Username = username, IP = 79.201.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 0h:13m:32s, Bytes xmt: 22555580, Bytes rcv: 5138697, Reason: User Requested",
    "@version": "1",
    "@timestamp": "2021-05-09T07:16:14.793Z",
    "host": "192.xxx.xxx.x",
    "port": 35527,
    "type": "asa",
    "tags": [
      "_grokparsefailure",
      "_geoip_lookup_failure"
    ],
    "geoip": [],
    "syslog_severity_code": 5,
    "syslog_facility_code": 1,
    "syslog_facility": "user-level",
    "syslog_severity": "notice"
  },
  "highlight": {
    "message": [
      "<172>%ASA-4-@start-highlight@113019@end-highlight@: Group = VPN-Clients, Username = username, IP = 79.201.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 0h:13m:32s, Bytes xmt: 22555580, Bytes rcv: 5138697, Reason: User Requested"
    ]
  },
  "sort": [
    1620544574793,
    1620544574793
  ]
}
Thanks for any help
shifty
Re: Cisco ASA Dashboard
Posted: Sun May 09, 2021 11:53 am
by shifty
I played around with the grok debugger and tested it. Here is my result:
Code:
<172>%ASA-4-113019: Group = VPN-Clients, Username = testuser, IP = 11.11.11.11, Session disconnected. Session Type: SSL, Duration: 0h:18m:40s, Bytes xmt: 1484872, Bytes rcv: 373922, Reason: User Requested
Code:
%{SYSLOG5424PRI}%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = %{WORD:Group}.*Username = %{WORD:username}.*IP = %{IP:IPAddress}.*Session disconnected.*Session Type: %{WORD:SessionType}.*Duration: %{NUMBER:DurationHours}h:%{INT:DurationMinutes}m:%{INT:DurationSeconds}s.*Bytes xmt: %{NUMBER:BytesTransmitted}.*Bytes rcv: %{NUMBER:BytesReceived}.*Reason: %{GREEDYDATA:Reason}
Result:
Code:
{
  "SYSLOG5424PRI": [["<172>"]],
  "syslog5424_pri": [["172"]],
  "LogType": [["ASA"]],
  "LogSeverity": [["4"]],
  "LogMessageNumber": [["113019"]],
  "Group": [["VPN"]],
  "username": [["testuser"]],
  "IPAddress": [["11.11.11.11"]],
  "IPV6": [[null]],
  "IPV4": [["11.11.11.11"]],
  "SessionType": [["SSL"]],
  "DurationHours": [["0"]],
  "BASE10NUM": [["0", "1484872", "373922"]],
  "DurationMinutes": [["18"]],
  "DurationSeconds": [["40"]],
  "BytesTransmitted": [["1484872"]],
  "BytesReceived": [["373922"]],
  "Reason": [["User Requested"]]
}
I tried to build a filter out of it, unfortunately without success:
Code:
if [type] == 'asa' {
  grok {
    match => ['message', '%{SYSLOG5424PRI}%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = %{WORD:Group}, Username = %{WORD:username}, IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{NUMBER:DurationHours}h:%{INT:DurationMinutes}m:%{INT:DurationSeconds}s, Bytes xmt: %{NUMBER:BytesTransmitted}, Bytes rcv: %{NUMBER:BytesReceived}, Reason: %{GREEDYDATA:Reason}']
  }
}
I have the feeling that there is a problem with the %{SYSLOG5424PRI}% and the <172>, but I don't know. In addition, under Group = %{WORD:Group} only "VPN" is displayed instead of "VPN-Clients".
Thanks
Shifty
Re: Cisco ASA Dashboard
Posted: Mon May 10, 2021 12:11 pm
by gsmith
Hi
Use this to fix your Group:
(?<Group>\b[\w\-]+\b)
(?<...>) means use a regex for <field name>; \b is a word boundary; [\w\-] is all letters plus the char "-"; \b is a word boundary.
Thanks
Re: Cisco ASA Dashboard
Posted: Wed May 12, 2021 12:51 am
by shifty
Hi gsmith,
Thank you! That did the trick.
The last problem I have is that the bytes transmitted and bytes received graph do not show anything and give an error.
5.PNG
Code:
ClassCastException[org.elasticsearch.index.fielddata.plain.DisabledIndexFieldData cannot be cast to org.elasticsearch.index.fielddata.IndexNumericFieldData]
Do you have a solution for this ?
Many thanks
shifty
Re: Cisco ASA Dashboard
Posted: Wed May 12, 2021 9:29 am
by gsmith
Hi,
Try changing %{NUMBER:BytesTransmitted}, Bytes rcv: %{NUMBER:BytesReceived}
to:
%{INT:BytesTransmitted}, Bytes rcv: %{INT:BytesReceived}
Let me know what happens
Thanks
Re: Cisco ASA Dashboard
Posted: Wed May 12, 2021 2:02 pm
by shifty
Re: Cisco ASA Dashboard
Posted: Thu May 13, 2021 11:31 am
by gsmith
Hi,
It's something to do with the %{NUMBER:BytesTransmitted}, Bytes rcv: %{NUMBER:BytesReceived}
Since NUMBER and INT didn't work lets try WORD
*Bytes xmt: %{WORD:BytesTransmitted}.*Bytes rcv: %{WORD:BytesReceived}.*Reason: %{GREEDYDATA:Reason}
Let me know please....
Re: Cisco ASA Dashboard
Posted: Fri May 14, 2021 2:00 am
by shifty
Hi gsmith,
I tried
*Bytes xmt: %{WORD:BytesTransmitted}.*Bytes rcv: %{WORD:BytesReceived}
but it did not work. I rummaged through the forum again and found this thread
https://support.nagios.com/forum/viewto ... 38&t=58051
but that didn't work either
Tried so far:
Bytes xmt: %{NUMBER:BytesTransmitted}, Bytes rcv: %{NUMBER:BytesReceived}
Bytes xmt: %{NUMBER:BytesTransmitted:int}, Bytes rcv: %{NUMBER:BytesReceived:int}
Bytes xmt: %{INT:BytesTransmitted}, Bytes rcv: %{INT:BytesReceived}
Bytes xmt: %{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}
But nothing worked.
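An added worked example, not part of this thread and not code from the Nagios Exchange dashboard plugin: a small Python parser that does the same job as the grok pattern discussed above, so the two parsing problems in the thread can be checked offline. The generic prefix (`<PRI>%ASA-<severity>-<message id>: <text>`) and the 113019 body follow the message quoted earlier in the thread; the sample lines are constructed (the 106023 deny line is a made-up example of another message ID, to show the generic prefix still parses, and the sshd line is a non-ASA line that must fail). The group name is matched with `[\w-]+`, the same fix as `(?<Group>\b[\w\-]+\b)`, and the byte counts and duration are emitted as integers rather than strings. It also decodes PRI `<172>` to local5/warning; the raw event quoted in the thread shows user-level/notice instead, which are the fallback values (priority 13) that Logstash's syslog input and syslog_pri filter assign when no PRI field was parsed, so in that event the PRI was never decoded. The facility/severity label lists are my own choice and differ in spelling from Logstash's defaults for a few facilities.

```python
"""Reference parser for Cisco ASA syslog messages (added example, not thread code).

Mirrors the grok pattern from the thread:
  - the generic prefix  <PRI>%ASA-<severity>-<message id>: <text>
  - the body of message 113019 (VPN session disconnected)
and fixes the two problems seen there: a Group name containing '-'
(a plain \\w+ stops at "VPN") and byte counts / duration emitted as strings.
"""
import json
import re
from typing import Optional

# Generic ASA prefix. The PRI is optional because the same text also shows up
# in files / consoles without a syslog header.
ASA_PREFIX = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                       # syslog PRI, e.g. <172>
    r"%(?P<log_type>\w+)-(?P<severity>\d)-(?P<msg_id>\d{6}):\s*"
    r"(?P<text>.*)$"
)

# Body of %ASA-4-113019. [\w-]+ keeps "VPN-Clients" whole (the thread's Group fix).
MSG_113019 = re.compile(
    r"Group = (?P<group>[\w-]+), Username = (?P<username>[\w.\\@-]+), "
    r"IP = (?P<ip>[0-9a-fA-F.:]+), Session disconnected\. "
    r"Session Type: (?P<session_type>[\w-]+), "
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<bytes_xmt>\d+), Bytes rcv: (?P<bytes_rcv>\d+), "
    r"Reason: (?P<reason>.*)$"
)

# Label sets chosen for this example; Logstash's syslog_pri filter spells a few
# facilities differently, but the codes are the RFC 3164 / RFC 5424 ones.
FACILITIES = ["kernel", "user-level", "mail", "daemon", "auth", "syslogd", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]


def decode_pri(pri: int) -> dict:
    """PRI = facility * 8 + severity, so <172> is local5 (21) / warning (4)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "syslog_facility_code": pri // 8,
        "syslog_facility": FACILITIES[pri // 8],
        "syslog_severity_code": pri % 8,
        "syslog_severity": SEVERITIES[pri % 8],
    }


def parse_asa(line: str) -> Optional[dict]:
    """Return a typed event dict, or None where Logstash would tag _grokparsefailure."""
    m = ASA_PREFIX.match(line)
    if not m:
        return None
    event = {
        "LogType": m["log_type"],
        "LogSeverity": int(m["severity"]),
        "LogMessageNumber": int(m["msg_id"]),
        "text": m["text"],
    }
    if m["pri"] is not None:
        event.update(decode_pri(int(m["pri"])))
    if m["msg_id"] == "113019":
        body = MSG_113019.match(m["text"])
        if body is None:
            return None
        event.update({
            "Group": body["group"],
            "username": body["username"],
            "IPAddress": body["ip"],
            "SessionType": body["session_type"],
            # integers, so a sum/average aggregation in a dashboard can use them
            "DurationSeconds": int(body["h"]) * 3600 + int(body["m"]) * 60 + int(body["s"]),
            "BytesTransmitted": int(body["bytes_xmt"]),
            "BytesReceived": int(body["bytes_rcv"]),
            "Reason": body["reason"],
        })
    return event


# Constructed sample input: line 1 is the thread's test message, line 2 a made-up
# 106023 deny line (generic prefix only), line 3 a line that is not ASA at all.
SAMPLE_LINES = [
    "<172>%ASA-4-113019: Group = VPN-Clients, Username = testuser, IP = 11.11.11.11, "
    "Session disconnected. Session Type: SSL, Duration: 0h:18m:40s, "
    "Bytes xmt: 1484872, Bytes rcv: 373922, Reason: User Requested",
    '<164>%ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.5/22 '
    'by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "May 12 09:29:00 host sshd[123]: Accepted publickey for ops from 10.0.0.9",
]


def parse_all(lines):
    """Parse every line; failures are kept as None so the caller can count them."""
    return [parse_asa(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(json.dumps(ev, indent=2))
```

The Logstash equivalent of the integer fields is `%{INT:BytesTransmitted:int}` (or a `mutate { convert => { "BytesTransmitted" => "integer" } }` after the grok). One caveat worth knowing when trying those variants: the `ClassCastException ... DisabledIndexFieldData cannot be cast to ... IndexNumericFieldData` error is what Elasticsearch raises when a numeric aggregation (sum, average) runs on a field the index has already mapped as a string, and the type of an existing field in an existing index cannot be changed. A corrected pattern therefore only takes effect in an index created after the change (for daily `logstash-YYYY.MM.DD` indices, the next day's), or after reindexing; testing the pattern against the same day's index will keep showing the error regardless of which grok type is used.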
