Hey David, I used this ASA content pack on my graylog instance and does a good job, imo. https://marketplace.graylog.org/addons/90396261-812c-4fa8-ad8f-a17771c9f8e0
Just download the content pack and save it on your machine. Then go to the "content packs" section in Graylog and upload it. Once uploaded, select the content pack and choose "apply content pack". Make sure to send ASA logs to the input that was created, and see if the logs are "formatted" to meet your needs.

Jamie P.

On Wednesday, November 16, 2016 at 8:15:04 AM UTC-5, David Coleman wrote:
>
> Robert - were you ever able to get this fixed?
> Would you be willing to let me know how far you got and exactly what you
> did in graylog - there are two asa extractors in the marketplace - which
> one did you use?
> Thanks in advance for any info.
>
>
> On Wednesday, May 25, 2016 at 12:27:14 PM UTC-4, Robert Craig wrote:
>>
>> Will do, thanks.
>>
>> Robert
>>
>> On Wednesday, May 25, 2016 at 11:26:21 AM UTC-5, Jochen Schalanda wrote:
>>>
>>> Hi Robert,
>>>
>>> maybe the content packs from the Graylog Marketplace don't capture all
>>> message variants emitted by these Cisco devices. In this case, please open
>>> an issue with the authors of those content packs on GitHub.
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Wednesday, 25 May 2016 17:26:10 UTC+2, Robert Craig wrote:
>>>>
>>>> I guess I'm confused. Both the custom input and the extractor from the
>>>> marketplace are configured as Raw/Plaintext UDP under System/Inputs. What
>>>> else am I missing?
>>>>
>>>>
>>>> Robert
>>>>
>>>> On Wednesday, May 25, 2016 at 10:23:03 AM UTC-5, Jochen Schalanda wrote:
>>>>>
>>>>> Hi Robert,
>>>>>
>>>>> as I said, Cisco appliances aren't sending proper syslog messages.
>>>>> Please use a Raw/Plaintext input instead of a Syslog input and use
>>>>> extractors to transform those messages accordingly.
>>>>>
>>>>> Cheers,
>>>>> Jochen
>>>>>
>>>>> On Wednesday, 25 May 2016 17:12:41 UTC+2, Robert Craig wrote:
>>>>>>
>>>>>> The only extractors in there for Cisco are Catalyst and ASA, both of
>>>>>> which I am running. Any other ideas?
>>>>>>
>>>>>> Robert
>>>>>>
>>>>>> On Wednesday, May 25, 2016 at 10:04:30 AM UTC-5, Jochen Schalanda wrote:
>>>>>>>
>>>>>>> Hi Robert,
>>>>>>>
>>>>>>> Cisco appliances don't send valid syslog messages. Please take a
>>>>>>> look at the extractors functionality in Graylog:
>>>>>>> http://docs.graylog.org/en/2.0/pages/extractors.html
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Jochen
>>>>>>>
>>>>>>> On Wednesday, 25 May 2016 16:39:40 UTC+2, Robert Craig wrote:
>>>>>>>>
>>>>>>>> I've installed two variations of Cisco extractors on Graylog2 (one
>>>>>>>> from the marketplace and the other from a random blog I found). The Source IP
>>>>>>>> displays correctly, but it seems not all of the actual syslog message is
>>>>>>>> displayed.
>>>>>>>>
>>>>>>>> Example:
>>>>>>>> I see this in Graylog
>>>>>>>> 22] at 09:36:18 CDT Wed May 25 2016
>>>>>>>>
>>>>>>>> But it should be this
>>>>>>>> %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rlcadm] [Source:
>>>>>>>> X.X.X.X] [localport: 22] at 09:37:43 CDT Wed May 25 2016
>>>>>>>>
>>>>>>>> Is there anything I can tweak to overcome this issue? Thanks for
>>>>>>>> any help.
>>>>>>>>
>>>>>>>> Robert
>>>>>>>>
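The approach Jochen recommends above (feed the Cisco lines into a Raw/Plaintext input and pull fields out with regex extractors) can be checked offline before touching Graylog. The script below is an added example for this thread; it is not code from the thread, from either marketplace content pack, or from Graylog itself. It applies one single-capture-group regex per field, which is the shape a Graylog regex extractor works with, to three lines: Robert's full `%SEC_LOGIN-5-LOGIN_SUCCESS` message from the thread, the truncated fragment he actually saw, and a constructed ASA `302013` connection event with a `<166>` PRI prefix. The field names (`cisco_facility`, `cisco_mnemonic`, `src_ip`, and so on) are my own choices, not names from the content packs.

```python
"""Regex field extraction for Cisco syslog lines received on a raw input.

Added example for this thread; not code from the thread, from the content
packs, or from Graylog. Mirrors the extractor approach: treat the line as
raw text and use one capture group per field. LOGIN_LINE and TRUNCATED_LINE
are quoted from the thread; ASA_LINE is constructed.
"""
import re

# Robert's full message from the thread (what Graylog should have shown).
LOGIN_LINE = ("%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rlcadm] "
              "[Source: X.X.X.X] [localport: 22] at 09:37:43 CDT Wed May 25 2016")
# The fragment Robert actually saw in Graylog: everything before "22]" is gone.
TRUNCATED_LINE = "22] at 09:36:18 CDT Wed May 25 2016"
# Constructed ASA connection event with an RFC 3164 PRI prefix (<166> = local4.info).
ASA_LINE = ("<166>%ASA-6-302013: Built outbound TCP connection 4711 for "
            "outside:203.0.113.5/443 (203.0.113.5/443) to "
            "inside:192.0.2.10/51234 (192.0.2.10/51234)")

# One pattern per target field, each with exactly one capture group, which is
# what a single Graylog regex extractor yields.
FIELD_PATTERNS = {
    "syslog_pri":     re.compile(r"^<(\d{1,3})>"),
    "cisco_facility": re.compile(r"%([A-Z0-9_]+)-[0-7]-[A-Z0-9_]+:"),
    "cisco_severity": re.compile(r"%[A-Z0-9_]+-([0-7])-[A-Z0-9_]+:"),
    "cisco_mnemonic": re.compile(r"%[A-Z0-9_]+-[0-7]-([A-Z0-9_]+):"),
    "cisco_message":  re.compile(r"%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+:\s*(.*)$"),
    # Trailing "at HH:MM:SS TZ Dow Mon DD YYYY" as in the SEC_LOGIN message.
    "event_time":     re.compile(
        r"\bat (\d{2}:\d{2}:\d{2} [A-Z]{3,4} \w{3} \w{3} \d{1,2} \d{4})$"),
}
# "[key: value]" pairs as in the SEC_LOGIN message.
KV_PAIR = re.compile(r"\[([A-Za-z_]+):\s*([^\]]*)\]")
# Graylog uses "source" for the sending host; the device's "[Source: ...]"
# pair is stored under a different name so it does not overwrite that field.
KV_RENAME = {"source": "src_ip"}


def has_cisco_header(line):
    """True if the line still carries its %FACILITY-SEVERITY-MNEMONIC: tag.

    A False result on a line that should have one is the truncation symptom
    from the thread: the message lost its head before the extractor ran.
    """
    return FIELD_PATTERNS["cisco_mnemonic"].search(line) is not None


def extract(line):
    """Return a dict of fields pulled from one raw Cisco syslog line."""
    line = line.rstrip("\r\n")
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = pattern.search(line)
        if m:
            fields[name] = m.group(1)
    for key, value in KV_PAIR.findall(line):
        key = key.lower()
        fields[KV_RENAME.get(key, key)] = value.strip()
    if "cisco_severity" in fields:
        fields["cisco_severity"] = int(fields["cisco_severity"])
    if "syslog_pri" in fields:
        # PRI = facility * 8 + severity (RFC 3164).
        pri = int(fields.pop("syslog_pri"))
        fields["syslog_facility"], fields["syslog_severity"] = divmod(pri, 8)
    return fields


if __name__ == "__main__":
    for sample in (LOGIN_LINE, TRUNCATED_LINE, ASA_LINE):
        print("header present:", has_cisco_header(sample))
        print(extract(sample))
```

If `has_cisco_header` is False for lines that the device definitely sent whole, the problem is upstream of the extractor (input type, or a sender/receiver splitting the datagram), not in the regexes; the extractors can only work on what reaches them. Each `FIELD_PATTERNS` entry can be pasted into a Graylog regex extractor as-is, since each has a single capture group.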
