If you want to have that info in separate fields you can look at adding extractors to the input where the logs are coming in, but that's outside of what I know. Good luck to you. :)
On Monday, November 21, 2016 at 12:17:05 PM UTC-5, David Coleman wrote:
> Thank you for replying.
> I'm going to continue pursuing how to do that because it would be useful just to have both source and destination fields.

On Monday, November 21, 2016 at 11:31:35 AM UTC-5, Jamie P wrote:
> Oh, after reading what you said further, no I did not. I just kept that in the "message" field. The only thing that is extracted IP-wise is the IP of the firewall itself that's sending the log, under the "source" field.

On Monday, November 21, 2016 at 11:27:59 AM UTC-5, Jamie P wrote:
> They should be extracted already into the message field. I did nothing outside of the steps I listed for all of them to show. Here is a Teardown ICMP and a TCP message I get (I changed the actual IPs to random IPs for security reasons).
>
> message
> Teardown ICMP connection for faddr 127.0.0.1/0 gaddr Protege/514 laddr Protege/514
>
> message
> Teardown dynamic TCP translation from Franklin-LAN-Data:127.0.0.1/58496 to Outside:1.1.1.1/37361 duration 0:00:30

On Monday, November 21, 2016 at 7:20:58 AM UTC-5, David Coleman wrote:
> Thank you.
>
> This worked great.
>
> I can see the messages, etc. Were you able to figure out how to extract the source & destination IP addresses from the Built connection, Teardown connection & Deny connection entries?
>
> David Coleman
> Rayonier Advanced Materials
> 904-357-9104 - Office
>
> This message, together with any attachments, is intended only for the use of the individual or entity to which it is addressed and may contain information that is legally privileged, confidential, and exempt from disclosure. If you are not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this message, or any attachment, is strictly prohibited. If you have received this message in error, please notify the originator immediately by telephone or by return E-mail and delete this message, along with any attachments, from your computer.
>
> 1301 Riverplace Blvd
> Suite 2300
> Jacksonville, FL 32207

On Fri, Nov 18, 2016 at 3:08 PM, Jamie P <[email protected]> wrote:
> Hey David,
>
> I used this ASA content pack on my Graylog instance and it does a good job, imo.
> https://marketplace.graylog.org/addons/90396261-812c-4fa8-ad8f-a17771c9f8e0
>
> Just download the content pack and save it on your machine. Then go to the "Content packs" section in Graylog and upload. Once uploaded, select the content pack and choose "Apply content pack". Make sure to send ASA logs to the input that was created, and see if the logs are "formatted" to meet your needs.
>
> Jamie P.
>
> --
> You received this message because you are subscribed to a topic in the Google Groups "Graylog Users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/graylog2/lbU44rhnsZM/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/4a9e7ed0-2a06-409b-bad8-65241b59bf04%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

On Wednesday, November 16, 2016 at 8:15:04 AM UTC-5, David Coleman wrote:
> Robert - were you ever able to get this fixed?
> Would you be willing to let me know how far you got and exactly what you did in Graylog - there are two ASA extractors in the marketplace - which one did you use?
> Thanks in advance for any info.

On Wednesday, May 25, 2016 at 12:27:14 PM UTC-4, Robert Craig wrote:
> Will do, thanks.
>
> Robert

On Wednesday, May 25, 2016 at 11:26:21 AM UTC-5, Jochen Schalanda wrote:
> Hi Robert,
>
> maybe the content packs from the Graylog Marketplace don't capture all message variants emitted by these Cisco devices. In this case, please open an issue with the authors of those content packs on GitHub.
>
> Cheers,
> Jochen

On Wednesday, 25 May 2016 17:26:10 UTC+2, Robert Craig wrote:
> I guess I'm confused. Both the custom input and the extractor from the marketplace are configured as Raw/Plaintext UDP under System/Inputs. What else am I missing?
>
> Robert

On Wednesday, May 25, 2016 at 10:23:03 AM UTC-5, Jochen Schalanda wrote:
> Hi Robert,
>
> as I said, Cisco appliances aren't sending proper syslog messages. Please use a Raw/Plaintext input instead of a Syslog input and use extractors to transform those messages accordingly.
>
> Cheers,
> Jochen

On Wednesday, 25 May 2016 17:12:41 UTC+2, Robert Craig wrote:
> The only extractors in there for Cisco are Catalyst and ASA, both of which I am running. Any other ideas?
>
> Robert

On Wednesday, May 25, 2016 at 10:04:30 AM UTC-5, Jochen Schalanda wrote:
> Hi Robert,
>
> Cisco appliances don't send valid syslog messages. Please take a look at the extractors functionality in Graylog:
> http://docs.graylog.org/en/2.0/pages/extractors.html
>
> Cheers,
> Jochen

On Wednesday, 25 May 2016 16:39:40 UTC+2, Robert Craig wrote:
> I've installed two variations of Cisco extractors on Graylog2 (one from the marketplace and the other from a random blog I found). The Source IP displays correctly, but it seems not all of the actual syslog message is displayed.
>
> Example:
> I see this in Graylog
> 22] at 09:36:18 CDT Wed May 25 2016
>
> But it should be this
> %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rlcadm] [Source: X.X.X.X] [localport: 22] at 09:37:43 CDT Wed May 25 2016
>
> Is there anything I can tweak to overcome this issue? Thanks for any help.
>
> Robert
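The thread stops at "add extractors to the input". Below is an added example, not code from the thread, from Graylog, or from the linked ASA content pack, of the regex extraction David was asking for: pulling source and destination interface, address and port out of the ASA Built, Teardown, translation and Deny messages. The two Teardown lines are the ones Jamie P posted; the Built and Deny lines are constructed samples modelled on the ASA 302013 and 106023 formats (an assumption: check the shapes against your own firewall's output). It also assumes a Raw/Plaintext input that keeps the syslog `<PRI>` and the `%ASA-<sev>-<id>:` tag in the message, and it flags the case Jamie's sample shows, where the ASA writes a hostname (`Protege`) instead of an address because `names` is configured.

```python
"""Regex extraction of endpoints from Cisco ASA connection messages.

Added example; not code from the Graylog thread or the ASA content pack.
The Teardown lines are the ones posted in the thread; the Built and Deny
lines are constructed, modelled on ASA 302013 / 106023 (assumption).
"""
import ipaddress
import re

# Assumption: a Raw/Plaintext input keeps the whole UDP payload in "message",
# so the syslog <PRI> and the %ASA-<severity>-<id>: tag may precede the text.
# The lines quoted in the thread arrive without it, so the prefix is optional.
_PREFIX = re.compile(r"^(?:<\d+>)?.*?%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*")

# interface:address/port, e.g. Franklin-LAN-Data:127.0.0.1/58496
_ENDPOINT = r"(?P<{p}_if>[^:\s]+):(?P<{p}_ip>[^\s/]+)/(?P<{p}_port>\d+)"

_PATTERNS = [
    # 302013-302016: Built|Teardown [inbound|outbound] TCP|UDP connection N for A [(mapped)] to B
    re.compile(
        r"^(?P<action>Built|Teardown) (?:inbound |outbound )?(?P<proto>TCP|UDP) connection \d+ for "
        + _ENDPOINT.format(p="src") + r"(?: \([^)]*\))? to " + _ENDPOINT.format(p="dst")
    ),
    # 305011/305012: Built|Teardown dynamic TCP|UDP|ICMP translation from A to B
    re.compile(
        r"^(?P<action>Built|Teardown) dynamic (?P<proto>TCP|UDP|ICMP) translation from "
        + _ENDPOINT.format(p="src") + r" to " + _ENDPOINT.format(p="dst")
    ),
    # 106023: Deny <proto> src A dst B by access-group ...
    re.compile(
        r"^(?P<action>Deny) (?P<proto>\w+) src "
        + _ENDPOINT.format(p="src") + r" dst " + _ENDPOINT.format(p="dst")
    ),
    # 302020/302021: Built|Teardown ICMP connection for faddr X/n gaddr Y/n laddr Z/n
    # No interface names here, and the /n is not a TCP/UDP port; it is kept in
    # the port fields only so every match yields the same field set.
    re.compile(
        r"^(?P<action>Built|Teardown) ICMP connection for "
        r"faddr (?P<src_ip>[^\s/]+)/(?P<src_port>\d+) "
        r"gaddr (?P<gaddr>[^\s/]+)/(?P<gport>\d+) "
        r"laddr (?P<dst_ip>[^\s/]+)/(?P<dst_port>\d+)"
    ),
]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def extract_endpoints(message):
    """Fields for one ASA message, or None if no known pattern matches."""
    fields = {}
    m = _PREFIX.match(message)
    if m:
        fields["asa_severity"] = int(m.group("sev"))
        fields["asa_msgid"] = m.group("msgid")
        message = message[m.end():]
    for pattern in _PATTERNS:
        m = pattern.match(message)
        if m:
            break
    else:
        return None
    g = m.groupdict()
    fields.update(
        action=g["action"],
        protocol=(g.get("proto") or "ICMP").upper(),
        src_ip=g["src_ip"], src_port=int(g["src_port"]),
        dst_ip=g["dst_ip"], dst_port=int(g["dst_port"]),
    )
    for key in ("src_if", "dst_if"):
        if g.get(key):
            fields[key] = g[key]
    # With "names" configured the ASA writes hostnames instead of addresses
    # (the thread's "gaddr Protege/514"); flag them so a field you later
    # declare as an IP type is not fed a string it cannot index.
    fields["src_is_ip"] = _is_ip(g["src_ip"])
    fields["dst_is_ip"] = _is_ip(g["dst_ip"])
    return fields


SAMPLE_MESSAGES = [
    # Posted in the thread (the poster had already replaced the real addresses).
    "Teardown ICMP connection for faddr 127.0.0.1/0 gaddr Protege/514 laddr Protege/514",
    "Teardown dynamic TCP translation from Franklin-LAN-Data:127.0.0.1/58496 to Outside:1.1.1.1/37361 duration 0:00:30",
    # Constructed samples with the syslog PRI and ASA tag still attached.
    "<166>%ASA-6-302013: Built inbound TCP connection 84213 for Outside:198.51.100.7/37361 (198.51.100.7/37361) to Inside:10.0.0.5/443 (10.0.0.5/443)",
    '<164>%ASA-4-106023: Deny tcp src Outside:198.51.100.7/51000 dst Inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
]


def extract_all(messages=SAMPLE_MESSAGES):
    return [extract_endpoints(msg) for msg in messages]


if __name__ == "__main__":
    for msg, fields in zip(SAMPLE_MESSAGES, extract_all()):
        print(msg)
        print("  ->", fields)
```

To carry this into Graylog, note that a "Regular expression" extractor stores only its first capture group, so each target field (src_ip, dst_ip, src_port, ...) needs its own extractor with the same pattern and the other groups made non-capturing, or one Grok extractor with named captures; either way, add a "Only attempt extraction if field contains string" condition such as `%ASA-` so the regex does not run against every message on the input.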
