I set up a Graylog demo for myself and it has been going pretty well. The main issues that I am encountering are related to Cisco FTDs (which are essentially virtual ASAs). The Syslog UDP input has trouble indexing the various parts of the messages or even just ignores the logs entirely. Is there a way to see if logs are being discarded? The source is often indexed improperly and ends up showing as the month (Aug/Sep) instead of the source IP or hostname.
#Captured by the Syslog UDP input, but using a packet capture I found that it doesn't have a PRI field, so no facility or log level is found, leaving them as Unknown and -1.
Sep 02 2021 13:05:44 192.168.22.1 %FTD-6-430002: DeviceUUID: a12a9578-56ab-11eb-8010-87b13c2c7c5d, AccessControlRuleAction: Allow, SrcIP: 192.168.2.213, DstIP: 10.10.10.10, SrcPort: 61243, DstPort: 49680, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, IngressZone: outside-fw1, EgressZone: inside-fw1, ACPolicy: Firewall, AccessControlRuleName: outside-in-1, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 120, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity
#Not captured by the Syslog UDP input, and it does have a PRI field
<190>Sep 02 14:04:59 192.168.22.1 : %FTD-6-302016: Teardown UDP connection 13584982 for outside:192.168.2.213/61654(LOCAL\user1) to inside:10.10.10.10/53 duration 0:00:00 bytes 0 (user1)
For now, I'm using Raw/Plaintext UDP and seeing all of the messages, but unfortunately nothing is indexed using this input and I'll have to create all of the indexing myself. Obviously, this is not ideal, especially because I can't seem to find a way to index the portions in the PRI field (log level and facility). It would be nice to use the Syslog UDP input because it already handles this, except that it seems to be discarding a large number of messages sent by the FTDs. To address the source issue, I had to create a pipeline to write the gl2_remote_ip as the source and then attempt a reverse DNS lookup to convert it to the FQDN if it exists. Then an extractor removes the domain, leaving just the hostname.
Integration with LibreNMS. Mostly Cisco devices.
Graylog - 4.1.3+9d79c05
MongoDB - v4.0.26
Elasticsearch - 7.10.2
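Added example (not code from the post or from Graylog): a small parser that handles both FTD line shapes quoted above. It decodes the PRI when one is present (facility = PRI // 8, severity = PRI % 8, so `<190>` is local7/informational), falls back to the level digit in `%FTD-<level>-<msgid>` when the PRI is missing (Cisco ASA/FTD use the same 0..7 severity scale there), splits the `Key: value` bodies of the 43000x connection events into fields, and sets `source` from the UDP peer address with a reverse lookup and domain strip, mirroring the pipeline described in the post. The sample lines are the two from the post (the first abridged), and the reverse-DNS table with `fw1.corp.example` is a constructed stand-in so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# RFC 3164 facility names, indexed by facility number (PRI // 8).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# Both header shapes seen in the post:
#   "Sep 02 2021 13:05:44 192.168.22.1 %FTD-6-430002: ..."   (year present, no colon)
#   "Sep 02 14:04:59 192.168.22.1 : %FTD-6-302016: ..."      (no year, stray " :")
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2}(?: \d{4})? \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?::\s+)?"
    r"%FTD-(?P<level>\d)-(?P<msgid>\d+):\s(?P<body>.*)$"
)


@dataclass
class FtdEvent:
    timestamp: str
    source: str
    msgid: str
    body: str
    severity: int
    severity_from: str                  # "pri" or "msgid"
    facility: Optional[int] = None      # None when the line carried no PRI
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility] if self.facility is not None else "unknown"

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def split_pri(line: str) -> Tuple[Optional[int], Optional[int], str]:
    """Return (facility, severity, rest); facility/severity are None without a PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group("pri"))
    if pri > 191:                        # max is local7 (23) * 8 + debug (7)
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7, line[m.end():]


def parse_kv_body(body: str) -> Dict[str, str]:
    """FTD 43000x bodies are 'Key: value, Key: value'; free-text bodies yield {}."""
    parts = body.split(", ")
    if not all(": " in p for p in parts):
        return {}
    return dict(p.split(": ", 1) for p in parts)


def short_hostname(remote_ip: str, resolver: Callable[[str], Optional[str]]) -> str:
    """Reverse-resolve the sender, fall back to the IP, and drop the domain part."""
    fqdn = resolver(remote_ip)
    return fqdn.split(".", 1)[0] if fqdn else remote_ip


def parse_ftd_syslog(line: str, remote_ip: Optional[str] = None,
                     resolver: Callable[[str], Optional[str]] = lambda ip: None) -> FtdEvent:
    facility, severity, rest = split_pri(line)
    m = HEADER_RE.match(rest)
    if not m:
        raise ValueError(f"unrecognised FTD header: {rest[:60]!r}")
    if severity is None:
        # No PRI: the level digit in %FTD-<level>-<msgid> is on the same 0..7 scale.
        severity, severity_from = int(m.group("level")), "msgid"
    else:
        severity_from = "pri"
    # Prefer the UDP peer (gl2_remote_ip in Graylog) over whatever the header says.
    source = short_hostname(remote_ip, resolver) if remote_ip else m.group("host")
    return FtdEvent(timestamp=m.group("ts"), source=source, msgid=m.group("msgid"),
                    body=m.group("body"), severity=severity, severity_from=severity_from,
                    facility=facility, fields=parse_kv_body(m.group("body")))


# Constructed samples: the two lines from the post (first one abridged) and a
# stand-in for reverse DNS; fw1.corp.example is an assumed name, not from the post.
SAMPLE_NO_PRI = ("Sep 02 2021 13:05:44 192.168.22.1 %FTD-6-430002: DeviceUUID: a12a9578-56ab-11eb-8010-87b13c2c7c5d, "
                 "AccessControlRuleAction: Allow, SrcIP: 192.168.2.213, DstIP: 10.10.10.10, SrcPort: 61243, "
                 "DstPort: 49680, Protocol: tcp, IngressInterface: outside, EgressInterface: inside, "
                 "ACPolicy: Firewall, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required")
SAMPLE_WITH_PRI = (r"<190>Sep 02 14:04:59 192.168.22.1 : %FTD-6-302016: Teardown UDP connection 13584982 "
                   r"for outside:192.168.2.213/61654(LOCAL\user1) to inside:10.10.10.10/53 duration 0:00:00 bytes 0 (user1)")
FAKE_PTR = {"192.168.22.1": "fw1.corp.example"}

if __name__ == "__main__":
    for line in (SAMPLE_NO_PRI, SAMPLE_WITH_PRI):
        ev = parse_ftd_syslog(line, remote_ip="192.168.22.1", resolver=FAKE_PTR.get)
        print(f"{ev.source} msgid={ev.msgid} facility={ev.facility_name} "
              f"severity={ev.severity_name} (from {ev.severity_from}) fields={len(ev.fields)}")
```

Run it as a script to see both lines parsed: the 302016 line yields local7/info from its PRI, while the 430002 line gets severity 6 from the message ID and a dozen parsed fields; to use real reverse DNS, pass `resolver=lambda ip: socket.gethostbyaddr(ip)[0]` (wrapped to return None on failure) instead of the lookup table.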