gt50 · October 24, 2014 02:12
diff --git a/cisco-asa.conf b/cisco-asa.conf
 input {
  syslog {
    port => 5140
 	type => "cisco-asa"
  }
 }

 filter {
  if [type] == "cisco-asa" {
    # Split the syslog part and Cisco tag out of the message
    grok {
      match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
      match => ["message", "^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp} %{SYSLOGHOST:sysloghost} : %%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}"]
    }

    # Parse the syslog severity and facility
    syslog_pri { }

    # Parse the date from the "timestamp" field to the "@timestamp" field
    date {
      match => ["timestamp",
        "MMM dd HH:mm:ss",
        "MMM  d HH:mm:ss",
        "MMM dd yyyy HH:mm:ss",
        "MMM  d yyyy HH:mm:ss"]
      timezone => "America/Los_Angeles"
    }

    # Clean up redundant fields if parsing was successful
    if "_grokparsefailure" not in [tags] {
      mutate {
        rename => ["cisco_message", "message"]
        remove_field => ["timestamp"]
      }
    }

    # Extract fields from the each of the detailed message types
    # The patterns provided below are included in Logstash since 1.2.0
    grok {
      match => [
        "message", "%{CISCOFW106001}",
        "message", "%{CISCOFW106006_106007_106010}",
        "message", "%{CISCOFW106014}",
        "message", "%{CISCOFW106015}",
        "message", "%{CISCOFW106021}",
        "message", "%{CISCOFW106023}",
        "message", "%{CISCOFW106100}",
        "message", "%{CISCOFW110002}",
        "message", "%{CISCOFW302010}",
        "message", "%{CISCOFW302013_302014_302015_302016}",
        "message", "%{CISCOFW302020_302021}",
        "message", "%{CISCOFW305011}",
        "message", "%{CISCOFW313001_313004_313008}",
        "message", "%{CISCOFW313005}",
        "message", "%{CISCOFW402117}",
        "message", "%{CISCOFW402119}",
        "message", "%{CISCOFW419001}",
        "message", "%{CISCOFW419002}",
        "message", "%{CISCOFW500004}",
        "message", "%{CISCOFW602303_602304}",
        "message", "%{CISCOFW710001_710002_710003_710005_710006}",
        "message", "%{CISCOFW713172}",
        "message", "%{CISCOFW733100}",
 	"message", "src %{DATA:src_interface}:%{IP:src_ip} dst %{DATA:dst_interface}:%{IP:dst_ip}"
      ]
    }
  }
 }

 output {
 if [type] == "cisco-asa" {
    # Archive Cisco ASA firewall logs on disk based on the event's timestamp
    # Results in directories for each year and month, with conveniently-named log files, like:
    # /path/to/archive/cisco-asa/2014/2014-09/cisco-asa-2014-09-24.log
    file {
      path => "/tmp/%{type}/%{+YYYY}/%{+YYYY-MM}/%{type}-%{+YYYY-MM-dd}.log"
    }

    # Also output to ElasticSearch for review in Kibana
    elasticsearch { host => localhost }
  }
 }
	input {
	syslog {
	port => 5140
	type => "cisco-asa"
	}
	}

	filter {
	if [type] == "cisco-asa" {
	# Split the syslog part and Cisco tag out of the message
	grok {
	match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
	match => ["message", "^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp} %{SYSLOGHOST:sysloghost} : %%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}"]
	}

	# Parse the syslog severity and facility
	syslog_pri { }

	# Parse the date from the "timestamp" field to the "@timestamp" field
	date {
	match => ["timestamp",
	"MMM dd HH:mm:ss",
	"MMM d HH:mm:ss",
	"MMM dd yyyy HH:mm:ss",
	"MMM d yyyy HH:mm:ss"]
	timezone => "America/Los_Angeles"
	}

	# Clean up redundant fields if parsing was successful
	if "_grokparsefailure" not in [tags] {
	mutate {
	rename => ["cisco_message", "message"]
	remove_field => ["timestamp"]
	}
	}

	# Extract fields from the each of the detailed message types
	# The patterns provided below are included in Logstash since 1.2.0
	grok {
	match => [
	"message", "%{CISCOFW106001}",
	"message", "%{CISCOFW106006_106007_106010}",
	"message", "%{CISCOFW106014}",
	"message", "%{CISCOFW106015}",
	"message", "%{CISCOFW106021}",
	"message", "%{CISCOFW106023}",
	"message", "%{CISCOFW106100}",
	"message", "%{CISCOFW110002}",
	"message", "%{CISCOFW302010}",
	"message", "%{CISCOFW302013_302014_302015_302016}",
	"message", "%{CISCOFW302020_302021}",
	"message", "%{CISCOFW305011}",
	"message", "%{CISCOFW313001_313004_313008}",
	"message", "%{CISCOFW313005}",
	"message", "%{CISCOFW402117}",
	"message", "%{CISCOFW402119}",
	"message", "%{CISCOFW419001}",
	"message", "%{CISCOFW419002}",
	"message", "%{CISCOFW500004}",
	"message", "%{CISCOFW602303_602304}",
	"message", "%{CISCOFW710001_710002_710003_710005_710006}",
	"message", "%{CISCOFW713172}",
	"message", "%{CISCOFW733100}",
	"message", "src %{DATA:src_interface}:%{IP:src_ip} dst %{DATA:dst_interface}:%{IP:dst_ip}"
	]
	}
	}
	}

	output {
	if [type] == "cisco-asa" {
	# Archive Cisco ASA firewall logs on disk based on the event's timestamp
	# Results in directories for each year and month, with conveniently-named log files, like:
	# /path/to/archive/cisco-asa/2014/2014-09/cisco-asa-2014-09-24.log
	file {
	path => "/tmp/%{type}/%{+YYYY}/%{+YYYY-MM}/%{type}-%{+YYYY-MM-dd}.log"
	}

	# Also output to ElasticSearch for review in Kibana
	elasticsearch { host => localhost }
	}
	}