Cisco ASA/PIX config for logstash.
/etc/logstash/logstash.conf :
# We handle the syslog part of the Cisco PIX/ASA messages.
# Splits the raw line into syslog_pri (the <PRI> number), an optional
# timestamp (either ISO8601 -> timestamp8601, or Cisco-style -> timestamp),
# the sending host (logsource, optional) and everything after it
# (syslog_message). Note the `?` after %{SYSLOGHOST:logsource}: the host is
# optional, so a line without one still matches and logsource stays unset.
# On a non-match grok tags the event _grokparsefailure; the mutate block
# below uses that tag to skip events whose header could not be parsed.
# Older-style syntax (tags/pattern); newer Logstash releases express the
# same thing with `match` and a conditional on the tag.
grok {
tags => "cisco-fw"
# Directory holding CISCOTIMESTAMP, CISCOFWTAG and the CISCOFWn patterns.
patterns_dir => "/etc/logstash/patterns"
pattern => "^<%{POSINT:syslog_pri}>(?:(%{TIMESTAMP_ISO8601:timestamp8601} |%{CISCOTIMESTAMP:timestamp} ))?%{SYSLOGHOST:logsource}?[ :]+%{GREEDYDATA:syslog_message}"
}
# Decode the numeric syslog_pri captured above into facility/severity
# fields. Runs on every cisco-fw event, including ones tagged
# _grokparsefailure (no exclude_tags here), where syslog_pri is simply absent.
syslog_pri {
tags => "cisco-fw"
}
# Promote the parsed header fields: the host named inside the syslog line
# becomes @source_host and the payload after the header becomes @message,
# so the CISCOFWn patterns below run against the payload only.
# Only done when the header grok succeeded (exclude_tags), otherwise the
# %{...} references would be copied in literally.
# NOTE(review): @source_host is overwritten with a value taken from the
# message body, i.e. from whatever the sender wrote in the header, and the
# transport-level origin is lost. If you need the original for provenance
# or to detect spoofed/forwarded events, copy it into another field
# (e.g. with add_field) before this replace.
mutate {
tags => "cisco-fw"
exclude_tags => "_grokparsefailure"
replace => [ "@source_host", "%{logsource}" ]
replace => [ "@message", "%{syslog_message}" ]
}
# for optional fields (device name in message, Cisco syslog tag)
# Pulls the optional device-id that an ASA can prepend to the payload
# (-> device) and the %ASA-x-nnnnnn style tag (-> ciscotag; `%%` is a
# literal percent sign followed by the CISCOFWTAG pattern). The rest of
# the payload is matched by %{GREEDYDATA} but not captured.
# No exclude_tags: this also runs on events that already failed the
# header grok, and a non-match here adds _grokparsefailure as well.
grok {
tags => "cisco-fw"
patterns_dir => "/etc/logstash/patterns"
pattern => "(?:%{SYSLOGHOST:device} )?(?:: )?%%{CISCOFWTAG:ciscotag}:%{GREEDYDATA}"
}
# we extract fields
# Try every CISCOFWn pattern from patterns/cisco-firewalls against the
# payload. The patterns are unanchored substring matches and
# break_on_match is false, so a message that matches more than one
# pattern gets fields from all of them (later matches overwrite or
# accumulate depending on the Logstash version - verify on your release).
# CISCOFW00 (dynamic NAT, 305011) is commented out in the pattern file and
# intentionally not listed here.
grok {
tags => "cisco-fw"
break_on_match => false
patterns_dir => "/etc/logstash/patterns"
pattern => [
"%{CISCOFW1}",
"%{CISCOFW2}",
"%{CISCOFW3}",
"%{CISCOFW4}",
"%{CISCOFW4b}",
"%{CISCOFW5}",
"%{CISCOFW6a}",
"%{CISCOFW6b}",
"%{CISCOFW7}",
"%{CISCOFW8}",
"%{CISCOFW9}",
"%{CISCOFW10}",
"%{CISCOFW11}",
"%{CISCOFW12}",
"%{CISCOFW13}",
"%{CISCOFW14}",
"%{CISCOFW15}",
"%{CISCOFW16}",
"%{CISCOFW17}",
"%{CISCOFW18}"
]
}
# Set the event time from whichever timestamp field the header grok
# produced: timestamp8601 (ISO8601) or timestamp (Cisco "MMM d HH:mm:ss"
# style, with or without milliseconds and year).
# NOTE(review): the "MMM dd HH:mm:ss" forms carry no year, so the parser
# has to assume one; check how your Logstash version handles this around
# New Year, when late-December events arrive in January.
# NOTE(review): innertimestamp is not captured by any grok in this config
# or by the CISCOFWn patterns shown; either it is extracted elsewhere or
# this entry is dead configuration - confirm before relying on it.
date {
tags => "cisco-fw"
timestamp8601 => ISO8601
timestamp => [
"MMM dd HH:mm:ss.SSS",
"MMM d HH:mm:ss.SSS",
"MMM dd HH:mm:ss",
"MMM d HH:mm:ss",
"MMM dd yyyy HH:mm:ss.SSS",
"MMM d yyyy HH:mm:ss.SSS",
"MMM dd yyyy HH:mm:ss",
"MMM d yyyy HH:mm:ss"
]
innertimestamp => [
"MMM dd HH:mm:ss.SSS",
"MMM d HH:mm:ss.SSS",
"MMM dd HH:mm:ss",
"MMM d HH:mm:ss",
"MMM dd yyyy HH:mm:ss.SSS",
"MMM d yyyy HH:mm:ss.SSS",
"MMM dd yyyy HH:mm:ss",
"MMM d yyyy HH:mm:ss",
"yyyy-MM-dd HH:mm:ss.SSS",
"yyyy-MM-dd HH:mm:ss"
]
# Month abbreviations are English; the Locale.US spelling is Java-style,
# check that the date filter on your release accepts it (a plain "en" is
# the other common form).
locale => "Locale.US"
}
/etc/logstash/patterns/cisco-firewalls :
# Field-extraction patterns for Cisco ASA/PIX/FWSM firewall messages.
# Each CISCOFWn entry is one message family (Cisco message id in the
# comment above it). Common captured fields: action, protocol, src_ip,
# src_port, dst_ip, dst_port, policy_id, service, *_xlated_*.
# Interface names (the %{DATA} before ':' or '/') are matched but not
# captured anywhere; if interface is needed for detection rules, name
# them (e.g. %{DATA:src_int}) - a backward-compatible addition.
# %{DATA} is non-greedy and %{WORD} stops at the first non-word char, so
# the literal text between captures does the anchoring.
# ASA-1-106100
# ACL hit log: policy_id = ACL name, then action/protocol and
# interface/ip(port) pairs for source and destination.
CISCOFW1 access-list %{DATA:policy_id} %{WORD:action} %{WORD:protocol} %{DATA}/%{IP:src_ip}\(%{DATA:src_port}\) -> %{DATA}/%{IP:dst_ip}\(%{DATA:dst_port}\)
# ASA-3-710003
# NOTE(review): this label looks copied from CISCOFW3 below; the text
# ("type=, code= from ... on interface") is an ICMP deny message and is
# probably a different id - verify against the ASA message reference.
# Captures ICMP type/code but does not name them.
CISCOFW2 %{WORD:action} %{WORD:protocol} type=%{INT}, code=%{INT} from %{IP:src_ip} on interface
# ASA-3-710003
# Management-plane access decided by ACL; dst is interface:ip/port.
CISCOFW3 %{WORD:protocol} access %{WORD:action} by ACL from %{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:dst_ip}/%{DATA:dst_port}
# ASA-4-106023
# Deny by access-group: CISCOFW4 is the TCP/UDP form (with ports),
# CISCOFW4b the ICMP form (type/code instead of ports).
CISCOFW4 %{WORD:action} %{WORD:protocol} src %{DATA}:%{IP:src_ip}/%{DATA:src_port} dst %{DATA}:%{IP:dst_ip}/%{DATA:dst_port} by access-group %{DATA:policy_id}
CISCOFW4b %{WORD:action} %{WORD:protocol} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip} \(type %{INT}, code %{INT}\) by access-group %{DATA:policy_id}
# ASA-6-106015
# "Deny <proto> (<reason>) ..." - the parenthesised reason, not the word
# Deny, lands in action here (GREEDYDATA, so it may contain spaces).
CISCOFW5 Deny %{WORD:protocol} \(%{GREEDYDATA:action}\) from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port} flags
# ASA-6-302013
# Built/Teardown of a connection. For outbound (6b) the first address
# pair in the message is the remote side, so the field names are
# deliberately swapped relative to 6a to keep src = local initiator.
CISCOFW6a %{WORD:action} inbound %{WORD:protocol} connection %{INT} for %{DATA}:%{IP:src_ip}/%{DATA:src_port} \(%{IP:src_xlated_ip}/%{DATA:src_xlated_port}\) to %{DATA}:%{IP:dst_ip}/%{DATA:dst_port} \(%{IP:dst_xlated_ip}/%{DATA:dst_xlated_port}\)
CISCOFW6b %{WORD:action} outbound %{WORD:protocol} connection %{INT} for %{DATA}:%{IP:dst_ip}/%{DATA:dst_port} \(%{IP:dst_xlated_ip}/%{DATA:dst_xlated_port}\) to %{DATA}:%{IP:src_ip}/%{DATA:src_port} \(%{IP:src_xlated_ip}/%{DATA:src_xlated_port}\)
# ASA-7-710002 | ASA-7-710005
# Management access (e.g. to the firewall itself); destination port is a
# service name, captured as service rather than dst_port.
CISCOFW7 %{WORD:protocol} (?:request|access) %{WORD:action} from %{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:dst_ip}/%{WORD:service}
# ASA-6-302020
# ICMP connection: faddr -> dst_ip, laddr -> src_ip, gaddr -> src_xlated_ip
# regardless of the inbound/outbound word, which is not captured.
# NOTE(review): for inbound ICMP the foreign host is the initiator, so the
# src/dst naming may be reversed from what a detection rule expects.
CISCOFW8 %{WORD:action} (?:inbound|outbound) %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT} gaddr %{IP:src_xlated_ip}/%{INT} laddr %{IP:src_ip}
# ASA-1-106021
# Reverse-path (anti-spoofing) check failure.
CISCOFW9 %{WORD:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface
# ASA-2-106006-7
# Inbound deny on an interface / due to a reason (reason not captured).
CISCOFW10 %{WORD:action} inbound %{WORD:protocol} from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port} (?:on interface|due to)
# ASA-4-313004
# ICMP deny with an optional "laddr " prefix before the source address.
CISCOFW11 %{WORD:action} %{WORD:protocol} type=%{INT}, from (?:laddr )?%{IP:src_ip} on interface %{DATA} to %{IP:dst_ip}
# ASA-2-106001
# Connection denied by the default policy; direction word not captured.
CISCOFW12 (?:Inbound|Outbound) %{WORD:protocol} connection %{WORD:action} from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port} flags
# ASA-3-106014
# ICMP deny with interface:ip pairs (interfaces not captured).
CISCOFW13 %{WORD:action} (?:inbound|outbound) %{WORD:protocol} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip}
# ASA-4-419001
# Dropped packet; ports are optional (absent for non-TCP/UDP).
CISCOFW14 %{WORD:action} %{WORD:protocol} packet from %{DATA}:%{IP:src_ip}(?:/%{DATA:src_port})? to %{DATA}:%{IP:dst_ip}(?:/%{DATA:dst_port})?
# ASA-4-313005
# NOTE(review): unlike every other entry this one embeds the literal
# "%ASA-4-313005:" tag, so it will not match the PIX/FWSM form of the same
# message. The tag is already captured as ciscotag by the earlier grok;
# dropping the literal prefix would make this consistent with the rest.
CISCOFW15 %ASA-4-313005: %{DATA:action} for %{WORD:protocol} error message: %{WORD} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip} (?:\(type %{INT}, code %{INT}\))
# PIX-3-710003
# PIX variant of CISCOFW3: destination port is a service name.
CISCOFW16 %{WORD:protocol} access %{WORD:action} by ACL from %{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:dst_ip}/%{WORD:service}
# ASA-4-500004
# Invalid transport field (e.g. bad port) for the named protocol.
CISCOFW17 %{WORD:action} transport field for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port}
# ASA-6-305011 # dynamic NAT creation
# Disabled: not referenced from logstash.conf. Re-enable both here and in
# the pattern list if NAT build/teardown events are wanted.
#CISCOFW00 %{WORD:action} dynamic %{WORD:protocol} translation from %{DATA}:%{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}
# ASA-5-305013
# Connection failed at NAT stage; the reason after "due to" is not captured
# and the ICMP type/code group is optional.
CISCOFW18 Connection for %{WORD:protocol} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip} (?:\(type %{INT}, code %{INT}\) )?%{WORD:action} due to
/etc/logstash/patterns/cisco-std :
# Shared Cisco syslog building blocks used by logstash.conf.
# Cisco-style timestamp: "Mon  d[ yyyy] HH:mm:ss[.SSS]"; the year is
# optional, which is why the date filter lists both year-less and
# year-bearing formats.
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
# Generic Cisco tag (any platform prefix). Not referenced by the config
# shown; kept for other Cisco device types.
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
# Firewall-only tag: restricted to ASA, PIX and FWSM so the second grok in
# logstash.conf does not pick up tags from non-firewall Cisco gear.
CISCOFWTAG (?:ASA|PIX|FWSM)-%{INT}-(?:[A-Z0-9_]+)