We get errors when sending syslog from a Cisco ASA to Graylog.
Here is the Graylog error:
2020-07-16T09:56:51.160+02:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=e83ce671-c739-11ea-9c2d-4a486a851c41, journalOffset=129995001, codec=syslog, payloadSize=134, timestamp=2020-07-16T07:56:51.159Z, remoteAddress=/<IP/Port>}
java.lang.IllegalArgumentException: Invalid format: "2020-07-16T09:56:51+02:00:" is malformed at "+02:00:"
This is with the ASA configured with logging timestamp rfc5424.
Example message: 2020-07-16T09:39:32+02:00: %ASA-3-711001: (...)
Looks pretty much RFC compliant to me.
With logging set to logging timestamp, the Autoparser works.
Example message: Jul 16 2020 10:01:36: %ASA-2-106001: (...)
The locale of the Graylog server is en_US.UTF-8.
Setting ASA syslog to logging timestamp is not really an option, since that timestamp format would not include the offset and is in general not a good timestamp format.
So it kind of looks as if the Autoparser has a problem with RFC compliant syslog timestamps.
Did anybody run into this issue?
Can I do something about that without opening a bug with Graylog?
2020-07-16T15:35:26+02:00: %ASA-3-711001: (…)
The only thing I see that is not compliant when using the logging timestamp rfc5424 option is the missing TIME-SECFRAC, which is explicitly stated as a SHOULD, not a MUST, in the RFC.
This is unfortunately also the position the Cisco engineers take in classifying a request for adding TIME-SECFRAC to the ASA timestamp as an enhancement request and not a bug.
I found a solution.
The ASA does not add anything to the HOSTNAME field of the syslog HEADER if you don't configure logging device-id <...> (which is RFC compliant but not really advised).
When adding it, you get a syslog message that the Autoparser can parse.
You can then use further extractors or pipelines to parse the Cisco tag.
2020-07-17T08:38:01+02:00 hostname : %ASA-3-711001: (...)
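To make the failure mode concrete, here is an added example (not from the thread or from Graylog) that parses the three ASA header shapes quoted above and flags the one Graylog choked on: without logging device-id the ASA glues the separator colon straight onto the RFC 3339 timestamp, so a strict parser sees "+02:00:". The sample lines are constructed from the messages quoted in the posts; the Cisco tag layout %ASA-<severity>-<msgid> is the documented ASA format.

```python
import re
from datetime import datetime

# Constructed samples modelled on the three header shapes quoted in the thread.
SAMPLES = {
    "rfc5424_no_hostname": "2020-07-16T09:39:32+02:00: %ASA-3-711001: (...)",
    "legacy": "Jul 16 2020 10:01:36: %ASA-2-106001: (...)",
    "rfc5424_device_id": "2020-07-17T08:38:01+02:00 hostname : %ASA-3-711001: (...)",
}

# Cisco tag: %ASA-<severity 0-7>-<six digit message id>: <free text>
ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# RFC 3339 timestamp with optional fraction (TIME-SECFRAC) and a Z or numeric offset.
RFC3339 = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))"
)


def parse_asa(line):
    """Split an ASA syslog line into timestamp, hostname and Cisco tag fields."""
    tag = ASA_TAG.search(line)
    if not tag:
        raise ValueError("no %ASA tag found")
    header = line[: tag.start()].strip()
    rec = {
        "severity": int(tag.group("sev")),
        "msgid": tag.group("msgid"),
        "text": tag.group("text"),
    }
    ts = RFC3339.match(header)
    if ts:
        rest = header[ts.end():]
        # No device-id: the ASA emits "<timestamp>: %ASA..." so the token a
        # whitespace-splitting parser hands to the date parser ends in "+02:00:".
        rec["trailing_colon_bug"] = rest.startswith(":")
        rec["timestamp"] = datetime.fromisoformat(ts.group("ts").replace("Z", "+00:00"))
        # With device-id the remainder is " hostname :"; strip the separators.
        rec["hostname"] = rest.strip(": ") or None
    else:
        # Legacy "Jul 16 2020 10:01:36:" header: parses, but carries no UTC offset,
        # so the resulting datetime is naive (the drawback noted in the thread).
        rec["timestamp"] = datetime.strptime(header.rstrip(":"), "%b %d %Y %H:%M:%S")
        rec["trailing_colon_bug"] = True
        rec["hostname"] = None
    return rec


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, parse_asa(line))
```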