Autoparser fails at Cisco ASA RFC5424 Timestamp

We get errors when sending syslog from a Cisco ASA to graylog.
Here is the Graylog error:

2020-07-16T09:56:51.160+02:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=e83ce671-c739-11ea-9c2d-4a486a851c41, journalOffset=129995001, codec=syslog, payloadSize=134, timestamp=2020-07-16T07:56:51.159Z, remoteAddress=/<IP/Port>}
java.lang.IllegalArgumentException: Invalid format: "2020-07-16T09:56:51+02:00:" is malformed at "+02:00:"

This is with the ASA configured with logging timestamp rfc5424
Example message:
2020-07-16T09:39:32+02:00: %ASA-3-711001: (...)
Looks pretty much RFC compliant to me.

With logging set to logging timestamp, the Autoparser works.
Example message:
Jul 16 2020 10:01:36: %ASA-2-106001: (...)

The locale of the Graylog server is en_US.UTF-8

Setting ASA syslog to logging timestamp is not really an option, since that timestamp format would not include the offset and is in general not a good timestamp format.

So it kind of looks as if the Autoparser has a problem with RFC compliant syslog timestamps.

Did anybody run into this issue?
Can I do something about that without opening a bug with Graylog?

Cisco timestamp is not RFC 5424 compliant. So the best way is to create an Input of type Raw, and don't rely on autoparse at all.

Check this article:

I will try using a Custom Parser via Raw input.

2020-07-16T15:35:26+02:00: %ASA-3-711001: (…)
The only thing I see that is not compliant when using the logging timestamp rfc5424 option is the missing TIME-SECFRAC, which is explicitly stated as a SHOULD, not a MUST, in the RFC.
This is unfortunately also the position the Cisco engineers take in classifying a request for adding TIME-SECFRAC to the ASA timestamp as an enhancement request and not a bug.

I found a solution.
ASA does not add anything to the HOSTNAME field of the Syslog HEADER if you don't configure logging device-id <...> (which is RFC compliant but not really advised)

When adding it you get a Syslog message that autoparse can parse.
You can then use further extractors or pipelines to parse the Cisco tag.
2020-07-17T08:38:01+02:00 hostname : %ASA-3-711001: (...)
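As an added example (not code from this thread, from Cisco, or from Graylog), here is a small parser that accepts all three ASA line shapes quoted above: the rfc5424 form with the stray colon and no HOSTNAME that the autoparser rejects, the form with logging device-id set, and the legacy logging timestamp form that carries no UTC offset. It is the kind of thing you would put behind a Raw input instead of relying on autoparse. The sample lines are constructed to match the thread's examples; the <PRI> prefix, the hostname "fw01", and the message texts are assumptions, not captured data.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines modelled on the formats quoted in this thread (not captured
# from a real device). The <PRI> prefix and the hostname "fw01" are assumptions.
SAMPLE_LINES = [
    # logging timestamp rfc5424, no device-id: stray ":" after the timestamp, no HOSTNAME
    "<163>2020-07-16T09:39:32+02:00: %ASA-3-711001: Test message",
    # logging timestamp rfc5424 + logging device-id hostname: HOSTNAME present, no stray ":"
    "<163>2020-07-17T08:38:01+02:00 fw01 : %ASA-3-711001: Test message",
    # legacy "logging timestamp": no UTC offset at all
    "<162>Jul 16 2020 10:01:36: %ASA-2-106001: Inbound TCP connection denied",
]

# RFC 3339 timestamp as ASA emits it: TIME-SECFRAC is optional (a SHOULD in RFC 5424)
_RFC3339 = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})"
# Legacy ASA timestamp: "Jul 16 2020 10:01:36", no offset
_LEGACY = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}"

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"          # optional syslog PRI
    rf"(?P<ts>{_RFC3339}|{_LEGACY})"     # either timestamp style
    r"(?::| (?P<host>\S+) :)"            # stray ":" without device-id, or " hostname :" with it
    r" %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$"
)


def _parse_timestamp(text: str, assumed_tz: timezone):
    """Return (aware datetime, offset_known).

    RFC 3339 stamps carry their own offset. The legacy ASA format does not, so the
    caller's assumed_tz is applied and offset_known is False to flag the guess.
    """
    if text[0].isdigit():
        iso = text.replace("Z", "+00:00")
        fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if "." in iso else "%Y-%m-%dT%H:%M:%S%z"
        return datetime.strptime(iso, fmt), True
    naive = datetime.strptime(" ".join(text.split()), "%b %d %Y %H:%M:%S")
    return naive.replace(tzinfo=assumed_tz), False


def parse_asa_line(line: str, assumed_tz: timezone = timezone.utc) -> dict:
    """Parse one raw ASA syslog line into its header and Cisco tag fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ASA syslog line: {line!r}")
    ts, offset_known = _parse_timestamp(m["ts"], assumed_tz)
    pri = int(m["pri"]) if m["pri"] is not None else None
    return {
        "timestamp": ts,
        "timestamp_utc": ts.astimezone(timezone.utc),
        "offset_known": offset_known,
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "hostname": m["host"],          # None when logging device-id is not configured
        "asa_severity": int(m["sev"]),
        "asa_msgid": m["msgid"],
        "message": m["msg"],
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_asa_line(sample))
```

The offset_known flag is the practical point of the thread's objection to the legacy format: a timestamp without an offset can only be normalised to UTC by guessing the device's zone, so keep the guess visible rather than silently storing it as fact.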

Thanks for the explanation, it will help other users.
