Hey folks,

I'm trying to parse some Cisco ASA logs using rulebase rules. Here is the
example rule:

rule=: %begin:char-to:"%"%\x25ASA-%ddd:char-to:-%-%eee:number%: Teardown TCP connection %cnumber:number% for outside:%ohost:ipv4%/%oport:number% to inside:%ihost:ipv4%/%iport:number% duration %duration:word% bytes %msgbytes:number% TCP %flags:word% (%uname:word%)

Which I'm hoping matches this (broken) rsyslog line:

06 2015 13:12:55: %ASA-6-302014: Teardown TCP connection 2127154348 for outside:1.1.1.1/64053 to inside:2.2.2.2/443 duration 0:00:00 bytes 3267 TCP FINs (myusername)

The template looks like this:

template(name="ciscoasa1"
         type="list"
         option.json="on") {
        constant(value="{")
        constant(value="\"@timestamp\":\"")
        property(name="timereported" dateFormat="rfc3339")
        constant(value="\",\"fromhost\":\"")
        property(name="fromhost-ip")
        constant(value="\",\"message\":\"")
        property(name="msg")
        constant(value="\",\"begin\":\"")
        property(name="$!begin")
        constant(value="\",\"cnumber\":\"")
        property(name="$!cnumber")
        constant(value="\",\"ohost\":\"")
        property(name="$!ohost")
        constant(value="\",\"oport\":\"")
        property(name="$!oport")
        constant(value="\",\"ihost\":\"")
        property(name="$!ihost")
        constant(value="\",\"iport\":\"")
        property(name="$!iport")
        constant(value="\",\"duration\":\"")
        property(name="$!duration")
        constant(value="\",\"connbytes\":\"")
        property(name="$!msgbytes")
        constant(value="\",\"flags\":\"")
        property(name="$!flags")
        constant(value="\",\"username\":\"")
        property(name="$!uname")
        constant(value="\"}")
}

When I run rsyslog in debug mode, it shows me the interesting logs are
being filtered accordingly, but when the mmnormalize portion is applied, I
don't seem to be able to extract any custom properties from the
ciscoasa1.rule file, included like this:

if $rawmsg contains "ASA-" and $rawmsg contains "Teardown TCP" and $rawmsg contains "outside" and $fromhost-ip == "10.10.10.10" then {
        action(type="mmnormalize" userawmsg="off" rulebase="/etc/rsyslog.d/ciscoasa1.rule")
        action(type="omelasticsearch"
               server="myESserver"
               serverport="9200"
               template="ciscoasa1"
               searchType="asa"
               searchIndex="ciscoasaindex"
               dynSearchIndex="on"
               bulkmode="on"
               queue.type="linkedlist"
               queue.size="5000000"
               queue.dequeuebatchsize="500"
               action.resumeretrycount="-1")
        stop
}

The only data I receive in ES is like this:

{
  "_index" : "cisco-20150206",
  "_type" : "asa",
  "_id" : "00c2LZPdQfmdRmskFpDN4A",
  "_score" : 1.0,
  "_source" : {
    "@timestamp" : "2015-02-06T19:26:29+00:00",
    "fromhost" : "10.10.10.11",
    "message" : " 06 2015 14:26:29: %ASA-6-302014: Teardown TCP connection 2128489328 for outside:1.1.1.1/61976 to inside:2.2.2.2/8084 duration 0:01:00 bytes 3104 TCP Reset-O (myusername)",
    "begin" : "",
    "cnumber" : "",
    "ohost" : "",
    "oport" : "",
    "ihost" : "",
    "iport" : "",
    "duration" : "",
    "connbytes" : "",
    "flags" : "",
    "username" : ""
  }
}

Does anyone have any ideas for why none of my rulebase objects seem to
work? The only data I receive in ES is this, which I believe confirms the
leading space and the broken date at the beginning (which I'm happy to just
strip off). Has anyone seen anything like this before? Throwing rsyslog
into debug mode doesn't give me great debug logging related to the
mmnormalize module (that I can tell).

Cheers,

JB
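Added example (not from the original post, and not rsyslog or liblognorm code): a small Python parser that pulls the same fields out of an ASA 302014 "Teardown TCP connection" line that the ciscoasa1 rulebase names, tolerating the leading space and the truncated date prefix the post describes, and then assembles the document shape the ciscoasa1 template produces. Field names mirror the rulebase; the function names, the extra from_zone/to_zone/duration_seconds fields, and the third (non-matching) sample line are assumptions of this example, not anything from the post.

```python
"""Extract the fields of a Cisco ASA %ASA-6-302014 'Teardown TCP connection'
message the way the ciscoasa1 rulebase above intends.

Added example, not part of the original post and not rsyslog/liblognorm code.
Field names mirror the rulebase (begin, cnumber, ohost, oport, ihost, iport,
duration, msgbytes, flags, uname); function names and the extra from_zone,
to_zone and duration_seconds fields are assumptions of this example.
"""
import json
import re

# Everything before the first "%ASA-" is the (truncated) date prefix the
# rulebase captures as "begin"; its content is not interpreted here.
ASA_HEADER = re.compile(
    r"^(?P<begin>.*?)%ASA-(?P<severity>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$"
)

# Body of message id 302014 as shown in the post. Zone names are captured
# generically rather than hard-coding "outside"/"inside"; the trailing
# "(user)" part is optional.
TEARDOWN_TCP = re.compile(
    r"^Teardown TCP connection (?P<cnumber>\d+) for "
    r"(?P<from_zone>[^:\s]+):(?P<ohost>\d{1,3}(?:\.\d{1,3}){3})/(?P<oport>\d+) to "
    r"(?P<to_zone>[^:\s]+):(?P<ihost>\d{1,3}(?:\.\d{1,3}){3})/(?P<iport>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<msgbytes>\d+) "
    r"TCP (?P<flags>\S+)(?: \((?P<uname>[^)]*)\))?$"
)


def parse_asa_teardown(raw):
    """Return a dict of extracted fields, or None when the line is not a
    302014 teardown (the analogue of mmnormalize leaving $!fields unset)."""
    # strip() removes the leading space the post observed in $msg.
    m = ASA_HEADER.match(raw.strip())
    if not m or m.group("msgid") != "302014":
        return None
    b = TEARDOWN_TCP.match(m.group("body"))
    if not b:
        return None
    f = b.groupdict()
    hours, minutes, seconds = (int(x) for x in f["duration"].split(":"))
    return {
        "begin": m.group("begin").strip(),
        "severity": int(m.group("severity")),
        "msgid": m.group("msgid"),
        "cnumber": int(f["cnumber"]),
        "from_zone": f["from_zone"],
        "ohost": f["ohost"],
        "oport": int(f["oport"]),
        "to_zone": f["to_zone"],
        "ihost": f["ihost"],
        "iport": int(f["iport"]),
        "duration": f["duration"],
        "duration_seconds": hours * 3600 + minutes * 60 + seconds,
        "msgbytes": int(f["msgbytes"]),
        "flags": f["flags"],
        "uname": f["uname"] or "",
    }


def template_document(raw, timereported, fromhost):
    """Build the object the ciscoasa1 template assembles (same keys, with
    "connbytes" for msgbytes and "username" for uname). Unmatched lines get
    empty strings, which is what the post saw in Elasticsearch."""
    f = parse_asa_teardown(raw) or {}
    return {
        "@timestamp": timereported,
        "fromhost": fromhost,
        "message": raw,
        "begin": f.get("begin", ""),
        "cnumber": f.get("cnumber", ""),
        "ohost": f.get("ohost", ""),
        "oport": f.get("oport", ""),
        "ihost": f.get("ihost", ""),
        "iport": f.get("iport", ""),
        "duration": f.get("duration", ""),
        "connbytes": f.get("msgbytes", ""),
        "flags": f.get("flags", ""),
        "username": f.get("uname", ""),
    }


# Sample input: the two lines quoted in the post (with the leading space the
# poster described) plus one constructed line that must not match.
SAMPLE_LINES = [
    " 06 2015 13:12:55: %ASA-6-302014: Teardown TCP connection 2127154348 for "
    "outside:1.1.1.1/64053 to inside:2.2.2.2/443 duration 0:00:00 bytes 3267 "
    "TCP FINs (myusername)",
    " 06 2015 14:26:29: %ASA-6-302014: Teardown TCP connection 2128489328 for "
    "outside:1.1.1.1/61976 to inside:2.2.2.2/8084 duration 0:01:00 bytes 3104 "
    "TCP Reset-O (myusername)",
    # constructed: a different message id, so the teardown pattern must not fire
    " 06 2015 14:26:30: %ASA-6-999999: Some other ASA message",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(template_document(line, "2015-02-06T19:26:29+00:00", "10.10.10.11")))
```

The parser deliberately anchors on the "%ASA-" marker instead of the date in front of it, so whatever is mangled before the marker ends up in "begin" and does not stop the rest of the line from matching; the same idea is worth keeping in mind when writing the rulebase, since the rule must describe the message from its first character onward, leading space included. The duration is assumed to be in the h:mm:ss form shown in the post's two lines.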
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
