Cisco ASA Config
input {
  # Listen for ASA syslog over UDP; every event is typed so the filter
  # section can select it with `[type] == "cisco-asa"`.
  udp {
    type => "cisco-asa"
    port => 5014
  }
}
filter {
# Only events the input typed "cisco-asa" go through the ASA pipeline.
if [type] == "cisco-asa" {
# Split the syslog header from the ASA body: CISCO_TAGGED_SYSLOG yields the
# [timestamp] field consumed by the date filter below, the remainder lands in
# cisco_message.
grok {
match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
}
# Parse [timestamp] into @timestamp, trying each syslog layout in order.
date {
match => ["timestamp",
"MMM dd HH:mm:ss",
"MMM d HH:mm:ss",
"MMM dd yyyy HH:mm:ss",
"MMM d yyyy HH:mm:ss",
"dd MMM yyyy HH:mm:ss",
"dd/MMM/yyyy:HH:mm:ss Z"
]
}
# When the header parse succeeded, promote the ASA body to [message] so the
# message-ID patterns below match only the body, and drop the raw timestamp.
if "_grokparsefailure" not in [tags] {
mutate {
rename => ["cisco_message", "message"]
remove_field => ["timestamp"]
}
}
# Structured extraction for the ASA message IDs listed here. A message whose
# ID is not in this list is left tagged _grokparsefailure, so downstream
# consumers can tell parsed from unparsed firewall events.
grok {
match => [
"message", "%{CISCOFW106001}",
"message", "%{CISCOFW106006_106007_106010}",
"message", "%{CISCOFW106014}",
"message", "%{CISCOFW106015}",
"message", "%{CISCOFW106021}",
"message", "%{CISCOFW106023}",
"message", "%{CISCOFW106100}",
"message", "%{CISCOFW110002}",
"message", "%{CISCOFW302010}",
"message", "%{CISCOFW302013_302014_302015_302016}",
"message", "%{CISCOFW302020_302021}",
"message", "%{CISCOFW305011}",
"message", "%{CISCOFW313001_313004_313008}",
"message", "%{CISCOFW313005}",
"message", "%{CISCOFW402117}",
"message", "%{CISCOFW402119}",
"message", "%{CISCOFW419001}",
"message", "%{CISCOFW419002}",
"message", "%{CISCOFW500004}",
"message", "%{CISCOFW602303_602304}",
"message", "%{CISCOFW710001_710002_710003_710005_710006}",
"message", "%{CISCOFW713172}",
"message", "%{CISCOFW733100}"
]
}
# Decode the syslog priority into facility/severity fields.
syslog_pri { }
# City-level geolocation of the source address (src_ip is expected to be
# populated by the ASA patterns above; events without it get no enrichment).
geoip {
add_tag => [ "GeoIP" ]
database => "/elastiflow/geoipdb/GeoLite2-City.mmdb"
source => "src_ip"
}
# Remove geoip attributes the lookup returned as empty strings so they do not
# end up as empty values in the index.
if [geoip][city_name] == "" { mutate { remove_field => "[geoip][city_name]" } }
if [geoip][continent_code] == "" { mutate { remove_field => "[geoip][continent_code]" } }
if [geoip][country_code2] == "" { mutate { remove_field => "[geoip][country_code2]" } }
if [geoip][country_code3] == "" { mutate { remove_field => "[geoip][country_code3]" } }
if [geoip][country_name] == "" { mutate { remove_field => "[geoip][country_name]" } }
if [geoip][latitude] == "" { mutate { remove_field => "[geoip][latitude]" } }
if [geoip][longitude] == "" { mutate { remove_field => "[geoip][longitude]" } }
if [geoip][postal_code] == "" { mutate { remove_field => "[geoip][postal_code]" } }
if [geoip][region_name] == "" { mutate { remove_field => "[geoip][region_name]" } }
if [geoip][time_zone] == "" { mutate { remove_field => "[geoip][time_zone]" } }
# NOTE(review): this lookup is tagged "Whois" but points at the same City
# database as above, under a directory spelled "geoipdbs" rather than
# "geoipdb". One of the two paths is presumably a typo, and a second City
# lookup on the same source adds nothing — confirm which file exists on disk
# and whether a different database was intended here.
geoip {
add_tag => [ "Whois" ]
database => "/elastiflow/geoipdbs/GeoLite2-City.mmdb"
source => "src_ip"
}
}
}
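output {
  elasticsearch {
    # Elasticsearch endpoint; replace ElasticIP with the real host. No ssl
    # option is set here, so the connection is whatever the plugin's default
    # scheme gives for a bare host:port.
    hosts => ["ElasticIP:9200"]
    # One index per ISO week (week-year.week-number).
    index => "cisco-%{+xxxx.ww}"
    # Credentials are read from the environment, using the same variables the
    # Elastiflow outputs use, instead of being written into the pipeline file.
    # The ":elastic" fallbacks keep the previous behaviour when the variables
    # are unset.
    user => "${ELASTIFLOW_ES_USER:elastic}"
    password => "${ELASTIFLOW_ES_PASSWD:elastic}"
  }
}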
To Read from Log File
Replace
input {
  # The UDP syslog listener from the main config, shown here so it can be
  # swapped for a file input.
  udp {
    type => "cisco-asa"
    port => 5014
  }
}
With
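input {
  file {
    # Must equal the filter condition `[type] == "cisco-asa"` exactly; the
    # comparison is case-sensitive, so the previous "CISCO-ASA" value made
    # every event from this input skip the ASA parsing entirely.
    type => "cisco-asa"
    path => [ "/var/log/CISCO/CiscoLogs.log" ]
  }
}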
Elastiflow Setup
Configure JVM Memory
sudo nano /etc/logstash/jvm.options
# Initial and maximum JVM heap for Logstash, set equal at 4g.
-Xms4g
-Xmx4g
Logstash Plugin
# Codec and filter plugins Elastiflow depends on: install the sflow codec,
# then bring the remaining plugins up to date, one at a time, in this order.
LS_PLUGIN=/usr/share/logstash/bin/logstash-plugin
sudo "$LS_PLUGIN" install logstash-codec-sflow
for plugin in logstash-codec-netflow logstash-input-udp logstash-filter-dns logstash-filter-geoip logstash-filter-translate; do
  sudo "$LS_PLUGIN" update "$plugin"
done
Install & Setup
# Fetch the Elastiflow repository as a zip of the master branch.
# NOTE(review): this is an unpinned archive with no checksum check, so what
# gets deployed depends on whatever master holds at download time; consider
# pinning a tagged release and verifying it if reproducibility matters.
wget https://github.com/robcowart/elastiflow/archive/master.zip
sudo apt-get install -y unzip
unzip master.zip
# Copy the pipeline configuration into Logstash's config tree and the
# service drop-in files next to the logstash systemd unit.
sudo cp -a elastiflow-master/logstash/elastiflow/. /etc/logstash/elastiflow/
sudo cp -a elastiflow-master/logstash.service.d/. /etc/systemd/system/logstash.service.d/
Configure Pipeline
# Register the Elastiflow pipeline (and the Cisco ASA pipeline above, if used)
# with Logstash.
sudo nano /etc/logstash/pipelines.yml
Create Index
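# Create the elastiflow-* index pattern through Kibana's saved-objects API.
# The URL is quoted so the shell cannot glob-expand the '*'; kbn-xsrf is the
# header Kibana requires on API writes.
curl --request POST "http://ELASTICHOST:5601/api/saved_objects/index-pattern/elastiflow-*" \
  --header "Content-Type: application/json" \
  --header "kbn-xsrf: true" \
  --data @/PATH/TO/DESTINATION/elastiflow.index_pattern.json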
Create Dashboard
Download https://github.com/robcowart/elastiflow
Navigate to elastiflow-master\kibana
Navigate to Management, Saved Objects and Import 7.0 Dashboard
Configure Conf File
Change nameserver to
nameserver => "${ELASTIFLOW_NAMESERVER:ELKIP}"
30_output_10_single.logstash.conf
# Elasticsearch credentials resolved from the environment, falling back to
# "elastic" when the variables are unset; set them in the service environment
# rather than editing real values into the config file.
user => "${ELASTIFLOW_ES_USER:elastic}"
password => "${ELASTIFLOW_ES_PASSWD:elastic}"
