Last active
April 27, 2020 11:38
-
-
Save dav3860/5345656 to your computer and use it in GitHub Desktop.
Cisco ASA/PIX config for logstash.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /etc/logstash/logstash.conf : | |
| # We handle the syslog part of the Cisco PIX/ASA messages | |
| grok { | |
| tags => "cisco-fw" | |
| patterns_dir => "/etc/logstash/patterns" | |
| pattern => "^<%{POSINT:syslog_pri}>(?:(%{TIMESTAMP_ISO8601:timestamp8601} |%{CISCOTIMESTAMP:timestamp} ))?%{SYSLOGHOST:logsource}?[ :]+%{GREEDYDATA:syslog_message}" | |
| } | |
| syslog_pri { | |
| tags => "cisco-fw" | |
| } | |
| mutate { | |
| tags => "cisco-fw" | |
| exclude_tags => "_grokparsefailure" | |
| replace => [ "@source_host", "%{logsource}" ] | |
| replace => [ "@message", "%{syslog_message}" ] | |
| } | |
| # for optional fields (device name in message, Cisco syslog tag) | |
| grok { | |
| tags => "cisco-fw" | |
| patterns_dir => "/etc/logstash/patterns" | |
| pattern => "(?:%{SYSLOGHOST:device} )?(?:: )?%%{CISCOFWTAG:ciscotag}:%{GREEDYDATA}" | |
| } | |
| # we extract fields | |
| grok { | |
| tags => "cisco-fw" | |
| break_on_match => false | |
| patterns_dir => "/etc/logstash/patterns" | |
| pattern => [ | |
| "%{CISCOFW1}", | |
| "%{CISCOFW2}", | |
| "%{CISCOFW3}", | |
| "%{CISCOFW4}", | |
| "%{CISCOFW4b}", | |
| "%{CISCOFW5}", | |
| "%{CISCOFW6a}", | |
| "%{CISCOFW6b}", | |
| "%{CISCOFW7}", | |
| "%{CISCOFW8}", | |
| "%{CISCOFW9}", | |
| "%{CISCOFW10}", | |
| "%{CISCOFW11}", | |
| "%{CISCOFW12}", | |
| "%{CISCOFW13}", | |
| "%{CISCOFW14}", | |
| "%{CISCOFW15}", | |
| "%{CISCOFW16}", | |
| "%{CISCOFW17}", | |
| "%{CISCOFW18}" | |
| ] | |
| } | |
| date { | |
| tags => "cisco-fw" | |
| timestamp8601 => ISO8601 | |
| timestamp => [ | |
| "MMM dd HH:mm:ss.SSS", | |
| "MMM d HH:mm:ss.SSS", | |
| "MMM dd HH:mm:ss", | |
| "MMM d HH:mm:ss", | |
| "MMM dd yyyy HH:mm:ss.SSS", | |
| "MMM d yyyy HH:mm:ss.SSS", | |
| "MMM dd yyyy HH:mm:ss", | |
| "MMM d yyyy HH:mm:ss" | |
| ] | |
| innertimestamp => [ | |
| "MMM dd HH:mm:ss.SSS", | |
| "MMM d HH:mm:ss.SSS", | |
| "MMM dd HH:mm:ss", | |
| "MMM d HH:mm:ss", | |
| "MMM dd yyyy HH:mm:ss.SSS", | |
| "MMM d yyyy HH:mm:ss.SSS", | |
| "MMM dd yyyy HH:mm:ss", | |
| "MMM d yyyy HH:mm:ss", | |
| "yyyy-MM-dd HH:mm:ss.SSS", | |
| "yyyy-MM-dd HH:mm:ss" | |
| ] | |
| locale => "Locale.US" | |
| } | |
| /etc/logstash/patterns/cisco-firewalls : | |
| # ASA-1-106100 | |
| CISCOFW1 access-list %{DATA:policy_id} %{WORD:action} %{WORD:protocol} %{DATA}/%{IP:src_ip}\(%{DATA:src_port}\) -> %{DATA}/%{IP:dst_ip}\(%{DATA:dst_port}\) | |
| # ASA-3-710003 | |
| CISCOFW2 %{WORD:action} %{WORD:protocol} type=%{INT}, code=%{INT} from %{IP:src_ip} on interface | |
| # ASA-3-710003 | |
| CISCOFW3 %{WORD:protocol} access %{WORD:action} by ACL from %{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:dst_ip}/%{DATA:dst_port} | |
| # ASA-4-106023 | |
| CISCOFW4 %{WORD:action} %{WORD:protocol} src %{DATA}:%{IP:src_ip}/%{DATA:src_port} dst %{DATA}:%{IP:dst_ip}/%{DATA:dst_port} by access-group %{DATA:policy_id} | |
| CISCOFW4b %{WORD:action} %{WORD:protocol} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip} \(type %{INT}, code %{INT}\) by access-group %{DATA:policy_id} | |
| # ASA-6-106015 | |
| CISCOFW5 Deny %{WORD:protocol} \(%{GREEDYDATA:action}\) from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port} flags | |
| # ASA-6-302013 | |
| CISCOFW6a %{WORD:action} inbound %{WORD:protocol} connection %{INT} for %{DATA}:%{IP:src_ip}/%{DATA:src_port} \(%{IP:src_xlated_ip}/%{DATA:src_xlated_port}\) to %{DATA}:%{IP:dst_ip}/%{DATA:dst_port} \(%{IP:dst_xlated_ip}/%{DATA:dst_xlated_port}\) | |
| CISCOFW6b %{WORD:action} outbound %{WORD:protocol} connection %{INT} for %{DATA}:%{IP:dst_ip}/%{DATA:dst_port} \(%{IP:dst_xlated_ip}/%{DATA:dst_xlated_port}\) to %{DATA}:%{IP:src_ip}/%{DATA:src_port} \(%{IP:src_xlated_ip}/%{DATA:src_xlated_port}\) | |
| # ASA-7-710002 | ASA-7-710005 | |
| CISCOFW7 %{WORD:protocol} (?:request|access) %{WORD:action} from %{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:dst_ip}/%{WORD:service} | |
| # ASA-6-302020 | |
| CISCOFW8 %{WORD:action} (?:inbound|outbound) %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT} gaddr %{IP:src_xlated_ip}/%{INT} laddr %{IP:src_ip} | |
| # ASA-1-106021 | |
| CISCOFW9 %{WORD:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface | |
| # ASA-2-106006-7 | |
| CISCOFW10 %{WORD:action} inbound %{WORD:protocol} from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port} (?:on interface|due to) | |
| # ASA-4-313004 | |
| CISCOFW11 %{WORD:action} %{WORD:protocol} type=%{INT}, from (?:laddr )?%{IP:src_ip} on interface %{DATA} to %{IP:dst_ip} | |
| # ASA-2-106001 | |
| CISCOFW12 (?:Inbound|Outbound) %{WORD:protocol} connection %{WORD:action} from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port} flags | |
| # ASA-3-106014 | |
| CISCOFW13 %{WORD:action} (?:inbound|outbound) %{WORD:protocol} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip} | |
| # ASA-4-419001 | |
| CISCOFW14 %{WORD:action} %{WORD:protocol} packet from %{DATA}:%{IP:src_ip}(?:/%{DATA:src_port})? to %{DATA}:%{IP:dst_ip}(?:/%{DATA:dst_port})? | |
| # ASA-4-313005 | |
| CISCOFW15 %ASA-4-313005: %{DATA:action} for %{WORD:protocol} error message: %{WORD} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip} (?:\(type %{INT}, code %{INT}\)) | |
| # PIX-3-710003 | |
| CISCOFW16 %{WORD:protocol} access %{WORD:action} by ACL from %{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:dst_ip}/%{WORD:service} | |
| # ASA-4-500004 | |
| CISCOFW17 %{WORD:action} transport field for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port} | |
| # ASA-6-305011 # dynamic NAT creation | |
| #CISCOFW00 %{WORD:action} dynamic %{WORD:protocol} translation from %{DATA}:%{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port} | |
| # ASA-5-305013 | |
| CISCOFW18 Connection for %{WORD:protocol} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip} (?:\(type %{INT}, code %{INT}\) )?%{WORD:action} due to | |
| /etc/logstash/patterns/cisco-std : | |
| CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME} | |
| CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+) | |
| CISCOFWTAG (?:ASA|PIX|FWSM)-%{INT}-(?:[A-Z0-9_]+) | |
Thank you for getting me started along this path. I have used these patterns as a starting point, tweaked them, added some more message types, and got it merged into LogStash core: elastic/logstash#610
@GregMefford Hi Greg. I know it's been years since the above post, but I'd love to find out where those message types ended up, as I can't quite seem to follow how they've moved/merged/refactored over the years. I'm using Graylog (which supports grok log patterns) as opposed to log stash, but the fundamentals are the same. Any idea?
IGNORE THIS: I've since found a good set at: https://grokdebug.herokuapp.com/patterns#
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Dav3860,
When using this filter in my central.conf for the ASA in Logstash It replaces my logsource with the month instead of the host. I can send you a copy of my central.conf if it would help troubleshoot the issue. Otherwise this works great.!!! Nice Work... Email is cody.betsworth@gmail.com.