I want to catch incoming allowed connection traffic from my ASA and log it to get source IP information. I am not really sure how to start it, either. I am new to GROK and RegEx. I appreciate any help you can provide.
Thanks in advance
Just in case anyone else may be looking for a way to get this information. Note: you will need informational logging turned on and sent to your Graylog server. Once turned on, you will receive all connections, internal to external and vice versa. You will want to add other stages to this pipeline to extract the data you are looking for.
rule "Extract Source IP Addresses for External Allowed Connections with GeoIP Information"
when
    // only run when a src_ip field exists and the allowed_connections lookup
    // table classifies that address as external
    has_field("src_ip") AND
    contains(to_string(lookup_value("allowed_connections", to_string($message.src_ip))), "external")
then
    // query the geoip lookup table (MaxMind data adapter) for the source address
    let geo = lookup("geoip", to_string($message.src_ip));
    set_field("src_ip_geo_location", geo["coordinates"]);
    set_field("src_ip_geo_country", geo["country"].iso_code);
    set_field("src_ip_geo_city", geo["city"].names.en);
end
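The rule above assumes that an earlier pipeline stage has already parsed `src_ip` out of the ASA message and that an `allowed_connections` lookup table tells internal from external addresses. The following is an added example (not from the original post or from Graylog) of what that extraction stage does: it expands a Grok-style pattern such as `%{IP:src_ip}` into a named-group regex, applies it to constructed ASA 302013/302015 "Built ... connection" lines, and keeps only inbound connections whose source lies outside RFC 1918, loopback and link-local space. Python is used so the logic can be run and checked offline; the same `%{NAME:field}` pattern syntax is what Graylog's `grok()` function accepts, and the hard-coded internal ranges stand in for the `allowed_connections` table (both the pattern names and the range list are assumptions of this example, not values from the post).

```python
import ipaddress
import re

# Minimal Grok-style pattern library. Assumption: these three names behave
# like the Graylog/logstash defaults of the same name (IP is IPv4-only here).
GROK_BASE = {
    "INT": r"[+-]?\d+",
    "WORD": r"\w+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} references into Python named capture groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_BASE[name]          # KeyError for an unknown pattern name
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(repl, pattern)


# Grok pattern for ASA "Built inbound/outbound TCP|UDP connection" messages
# (syslog IDs 302013 / 302015). The literal '(' ')' are regex-escaped.
ASA_BUILT = (
    r"%ASA-6-%{INT:asa_msg_id}: Built %{WORD:direction} %{WORD:protocol} connection "
    r"%{INT:conn_id} for %{WORD:src_zone}:%{IP:src_ip}/%{INT:src_port} "
    r"\(%{IP:src_nat_ip}/%{INT:src_nat_port}\) to %{WORD:dst_zone}:%{IP:dst_ip}/%{INT:dst_port} "
    r"\(%{IP:dst_nat_ip}/%{INT:dst_nat_port}\)"
)
ASA_BUILT_RE = re.compile(grok_to_regex(ASA_BUILT))

# Assumption: "internal" means RFC 1918 plus loopback and link-local. In the
# post this classification comes from the allowed_connections lookup table.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_built_connection(line: str):
    """Return the extracted fields for a Built-connection line, else None."""
    m = ASA_BUILT_RE.search(line)        # search: tolerate a syslog prefix
    if not m:
        return None
    fields = m.groupdict()
    try:
        # The IP regex accepts octets up to 999; reject anything not a real address.
        fields["src_is_external"] = not is_internal(fields["src_ip"])
    except ValueError:
        return None
    return fields


def external_inbound_sources(lines):
    """Source IPs of inbound allowed connections originating outside internal space."""
    result = []
    for line in lines:
        f = parse_built_connection(line)
        if f and f["direction"] == "inbound" and f["src_is_external"]:
            result.append(f["src_ip"])
    return result


# Constructed sample lines (addresses are documentation/TEST-NET ranges).
SAMPLE_LINES = [
    "%ASA-6-302013: Built inbound TCP connection 1187 for outside:203.0.113.5/51234 "
    "(203.0.113.5/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-6-302013: Built outbound TCP connection 1188 for inside:10.0.0.7/40001 "
    "(198.51.100.2/40001) to outside:198.51.100.9/80 (198.51.100.9/80)",
    "%ASA-6-302015: Built inbound UDP connection 1189 for outside:192.168.1.20/53 "
    "(192.168.1.20/53) to inside:10.0.0.53/53 (10.0.0.53/53)",
    "%ASA-6-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.0.5/22 "
    "by access-group \"outside_in\"",
]

if __name__ == "__main__":
    print(grok_to_regex(ASA_BUILT))
    for ip in external_inbound_sources(SAMPLE_LINES):
        print("external inbound source:", ip)
```

Only the first sample line survives: the second is outbound, the third is inbound but from a private address, and the fourth is a deny message that the pattern does not match. In Graylog the equivalent stage would call `grok()` with `ASA_BUILT` against `$message.message` and `set_fields()` on the result, after which the GeoIP rule from the post can fire on `src_ip`.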