Typically no changes are needed for Cisco ASA firewalls as long as the logs are sent in EMBLEM format.
Copy/paste the following into your EXTRACTOR to work with the
routers/switches. I've set up mine as follows:
logging origin-id hostname
logging host "ip add" vrf "skip if unneeded" transport udp port 10514
*****start*****
{
  "extractors": [
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [
        {
          "config": {},
          "type": "syslog_pri_facility"
        }
      ],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^<(\\d+)>"
      },
      "extractor_type": "regex",
      "order": 0,
      "source_field": "message",
      "target_field": "facility",
      "title": "Facility"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [
        {
          "config": {},
          "type": "syslog_pri_level"
        }
      ],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "^<(\\d+)>"
      },
      "extractor_type": "regex",
      "order": 1,
      "source_field": "message",
      "target_field": "level",
      "title": "Level"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [
        {
          "config": {},
          "type": "flexdate"
        }
      ],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": ">:\\s.+:\\s(.+?):\\s%"
      },
      "extractor_type": "regex",
      "order": 3,
      "source_field": "message",
      "target_field": "timestamp",
      "title": "Timestamp"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [
        {
          "config": {},
          "type": "lowercase"
        }
      ],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "%(.+?)-"
      },
      "extractor_type": "regex",
      "order": 4,
      "source_field": "message",
      "target_field": "local_facility",
      "title": "Local facility"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [
        {
          "config": {},
          "type": "numeric"
        }
      ],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "%.+-(\\d?)-"
      },
      "extractor_type": "regex",
      "order": 5,
      "source_field": "message",
      "target_field": "local_level",
      "title": "Local level"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "%.+-\\d+-.+: (.*)$"
      },
      "extractor_type": "regex",
      "order": 7,
      "source_field": "message",
      "target_field": "message",
      "title": "Message"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [
        {
          "config": {},
          "type": "lowercase"
        }
      ],
      "cursor_strategy": "copy",
      "extractor_config": {
        "regex_value": "%.+-\\d-(.+?):"
      },
      "extractor_type": "regex",
      "order": 6,
      "source_field": "message",
      "target_field": "mnemonic",
      "title": "Mnemonic"
    },
    {
      "condition_type": "none",
      "condition_value": "",
      "converters": [],
      "cursor_strategy": "copy",
      "extractor_config": {
        "index": 2,
        "split_by": ":"
      },
      "extractor_type": "split_and_index",
      "order": 0,
      "source_field": "full_message",
      "target_field": "source",
      "title": "Source_Cisco_Catalyst"
    }
  ],
  "version": "1.2.1 (c301e97)"
}
***************end**********
On Sunday, September 27, 2015 at 6:57:10 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Anthony,
>
> you can create a Syslog UDP or Syslog TCP input for Graylog in the web
> interface at System -> Inputs. Also see
> http://docs.graylog.org/en/1.2/pages/sending_data.html#syslog for a
> description of how to configure different syslog daemons to work smoothly with
> Graylog.
>
> As for Cisco devices (or generally networking appliances), they sometimes
> pretend to support syslog but actually don't emit any standardized format.
> In this case, you'll need to create a Raw/Plaintext UDP/TCP input and
> extract the required information via some extractors. Also check the
> Graylog Marketplace for some existing content packs for Cisco devices:
> https://marketplace.graylog.org/addons?search=cisco
>
>
> Cheers,
> Jochen
>
> On Friday, 25 September 2015 23:22:14 UTC+2, Anthony Srdar wrote:
>>
>> I follow this guide:
>>
>>
>> http://www.itzgeek.com/how-tos/linux/centos-how-tos/how-to-install-graylog2-on-centos-7-rhel-7.html
>>
>> I have graylog up and running, but how do I send my cisco ASA data to it
>> to start logging? How do I create a syslog listener?
>>
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/faedda45-4c2d-4bcc-ba77-216ba5c430ec%40googlegroups.com.
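To see what the extractor regexes in the post above actually pull out of a Cisco IOS line before committing them to a production Graylog input, the following script replays them over a few sample lines. This is an added example, not code from the original post or from Graylog: the field patterns are the ones from the posted JSON, the sample lines are constructed (no real device) in the `<PRI>: hostname: timestamp: %FAC-SEV-MNEMONIC: text` shape that config expects, and Python's `re` stands in for Graylog's Java regex engine (these particular patterns behave the same in both). It also puts the greedy PRI pattern `^<(\d.+)>`, which is easy to write by mistake, next to the bounded `^<(\d+)>` to show why the greedy form breaks on any line whose body contains a `>`; the 1-based treatment of the split-and-index `index` is an assumption, labelled in the code.

```python
"""Replay Graylog-style extractor regexes over constructed Cisco IOS syslog
lines and show which fields they yield and where they break.

Added example; not code from the original post or from Graylog. Sample
lines are constructed, not captured from a device.
"""
import re

# Field patterns from the posted extractor JSON, keyed by target field.
PATTERNS = {
    "timestamp": r">:\s.+:\s(.+?):\s%",
    "local_facility": r"%(.+?)-",
    "local_level": r"%.+-(\d?)-",
    "mnemonic": r"%.+-\d-(.+?):",
    "message": r"%.+-\d+-.+: (.*)$",
}

PRI_GREEDY = r"^<(\d.+)>"   # '.+' runs to the LAST '>' on the line
PRI_BOUNDED = r"^<(\d+)>"   # digits only; stops at the first '>'

# RFC 3164 severity names (what a syslog_pri_level converter produces).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def extract_pri(line, pattern):
    """Return the integer PRI captured by `pattern`, or None when the capture
    is not a plain integer (a syslog_pri_* converter would fail on it)."""
    m = re.search(pattern, line)
    if not m:
        return None
    try:
        return int(m.group(1))
    except ValueError:
        return None


def split_and_index(text, split_by, index):
    """Mimic a split_and_index extractor. `index` is treated as 1-based here
    (an assumption about the extractor's semantics, chosen so the posted value
    2 returns the hostname; verify against your Graylog version)."""
    parts = text.split(split_by)
    if index < 1 or index > len(parts):
        return None
    return parts[index - 1].strip()


def run_extractors(line, pri_pattern=PRI_BOUNDED):
    """Apply every pattern to one line and return the extracted fields."""
    fields = {}
    pri = extract_pri(line, pri_pattern)
    if pri is not None:
        fields["facility"] = pri // 8           # 23 == local7, Cisco's default
        fields["level"] = SEVERITY[pri % 8]
    for field, pattern in PATTERNS.items():
        m = re.search(pattern, line)
        if m:
            value = m.group(1)
            # The posted config lowercases these two fields.
            fields[field] = value.lower() if field in ("local_facility", "mnemonic") else value
    if fields.get("local_level", "").isdigit():
        fields["local_level"] = int(fields["local_level"])   # 'numeric' converter
    fields["source"] = split_and_index(line, ":", 2)
    return fields


# Constructed sample lines (not captured from a real device).
LINES = [
    "<189>: sw-core-01: *Sep 27 12:00:00.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>: sw-core-01: *Sep 27 12:00:02.456: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.1(1234) -> 10.0.0.2(22), 1 packet",
    "<189>: sw-core-01: *Sep 27 12:00:05.789: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed] at 12:00:05 UTC Sun Sep 27 2015",
]

if __name__ == "__main__":
    for line in LINES:
        print("greedy PRI  :", extract_pri(line, PRI_GREEDY))
        print("bounded PRI :", extract_pri(line, PRI_BOUNDED))
        for name, value in run_extractors(line).items():
            print(f"  {name:15} {value!r}")
        print()
```

Two things the output makes visible: the second line (an ACL deny containing `->`) gets no facility or level at all with the greedy PRI pattern, because the capture runs to the arrow's `>`; and the third line shows that the message pattern's `.+: (.*)$` keeps only the text after the last `: ` in the line, so a login-failure message loses its `[user: ...]` and `[Source: ...]` fields, which are exactly the ones you would alert on. Anchoring the message capture right after the mnemonic (for example `%[^:]+: (.*)$`) avoids that truncation.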