Cisco Syslog Setup

mleon · March 9, 2021, 11:02pm

Good Afternoon,

I’m trying to correct the source fields on our graylog server, primarily from our ASAs’. We have multiple firewalls with multiple contexts and the source data shows up as the month. Now I know this is because the format of messages on the way the data is presented.

I tried extractors, although they worked, it made our CPU usage spike to 100%. Filled up our process buffer and our Journal. After removing the grok or regex extractors things returned to normal.

My next attempt was setting up our server as [Jan Doberstein] Working with Cisco ASA / Nexus on Graylog suggested. Unfortunately this causes issues as well. The Grok Pattern for CiscoTimeStamp wont be accepted. No issues with the Nexus Pattern. The error is below

2021-03-09T17:48:37.768-05:00 ERROR [AnyExceptionClassMapper] Unhandled exception in REST resource
java.lang.IllegalArgumentException: No definition for key ‘CISCOTIMESTAMP’ found, aborting
at io.krakens.grok.api.GrokCompiler.compile(GrokCompiler.java:177) ~[graylog.jar:?]
at io.krakens.grok.api.GrokCompiler.compile(GrokCompiler.java:177) ~[graylog.jar:?]
at io.krakens.grok.api.GrokCompiler.compile(GrokCompiler.java:126) ~[graylog.jar:?]
at io.krakens.grok.api.GrokCompiler.compile(GrokCompiler.java:122) ~[graylog.jar:?]
at org.graylog2.grok.MongoDbGrokPatternService.validate(MongoDbGrokPatternService.java:216) ~[graylog.jar:?]
at org.graylog2.grok.MongoDbGrokPatternService.save(MongoDbGrokPatternService.java:117) ~[graylog.jar:?]
at org.graylog2.rest.resources.system.GrokResource.createPattern(GrokResource.java:174) ~[graylog.jar:?]
at sun.reflect.GeneratedMethodAccessor952.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_282]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_282]
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) ~[graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124) ~[graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167) ~[graylog.jar:?]
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176) ~[graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79) ~[graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469) ~[graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391) ~[graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:80) ~[graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:253) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:244) [graylog.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:232) [graylog.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680) [graylog.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356) [graylog.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:200) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]

Any insight or help in this matter?..please

shoothub · March 10, 2021, 9:40am

Check in your grok definitions in System - Grok Patterns if there is CISCOTIMESTAMP.

mleon · March 10, 2021, 12:32pm

Nothing there…

shoothub · March 10, 2021, 1:56pm

Try to create it like this:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}

mleon · March 10, 2021, 3:03pm

That worked, but doesn’t that mess up the format of Blog post?

It runs through the pipeline, I see rule 1 having throughput but nothing on the corresponding rules.

mleon · March 10, 2021, 3:31pm

Fixed the Input ID, that was the issue there now I run into the below

2021-03-10T10:19:39.167-05:00 ERROR [GrokPatternRegistry] Unable to load grok pattern %{SYSLOG5424PRI}(%{NUMBER:log_sequence#})? %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{INT:s$
java.lang.IllegalArgumentException: No definition for key ‘SYSLOG5424PRI’ found, aborting
at io.krakens.grok.api.GrokCompiler.compile(GrokCompiler.java:177) ~[graylog.jar:?]
at io.krakens.grok.api.GrokCompiler.compile(GrokCompiler.java:126) ~[graylog.jar:?]
at org.graylog2.grok.GrokPatternRegistry$GrokReloader.load(GrokPatternRegistry.java:132) ~[graylog.jar:?]
at org.graylog2.grok.GrokPatternRegistry$GrokReloader.load(GrokPatternRegistry.java:119) ~[graylog.jar:?]
at com.google.common.cache.CacheLoader$1.load(CacheLoader.java:188) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3529) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2278) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2155) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2045) ~[graylog.jar:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3951) ~[graylog.jar:?]
at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3974) ~[graylog.jar:?]
at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4958) ~[graylog.jar:?]
at org.graylog2.grok.GrokPatternRegistry.cachedGrokForPattern(GrokPatternRegistry.java:97) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:63) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.functions.strings.GrokMatch.evaluate(GrokMatch.java:34) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:63) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:41) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStatement(PipelineInterpreter.java:385) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.executeRuleActions(PipelineInterpreter.java:369) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStage(PipelineInterpreter.java:309) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:267) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:147) [graylog.jar:?]
at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:103) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.handleMessage(ProcessBufferProcessor.java:136) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:121) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:93) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:47) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]

shoothub · March 11, 2021, 8:53am

Same as before SYSLOG5424PRI is not defined in graylog.
SYSLOG5424PRI <%{NONNEGINT:syslog5424_pri}>

mleon · March 17, 2021, 9:05pm

It moved on the next pattern. It appears Graylog doesn’t have any of these. Can you assist with this one as well? Is there a place I can find these?

2021-03-16T16:01:25.393-04:00 ERROR [GrokPatternRegistry] Unable to load grok pattern %{SYSLOG5424PRI}(%{NUMBER:log_sequence#})? %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{INT:s$
java.lang.IllegalArgumentException: No definition for key ‘CISCO_REASON’ found, aborting

shoothub · March 18, 2021, 8:48am

Check this:
CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*

I assume, that all missing groks are from logstash repository:

github.com

logstash-plugins/logstash-patterns-core/blob/main/patterns/legacy/firewalls

# NetScreen firewall logs
NETSCREENSESSIONLOG %{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}

#== Cisco ASA ==
CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
# Common Particles
CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted
CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
CISCO_DIRECTION Inbound|inbound|Outbound|outbound
CISCO_INTERVAL first hit|%{INT}-second interval
CISCO_XLATE_TYPE static|dynamic
# ASA-1-104001
CISCOFW104001 \((?:Primary|Secondary)\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}
# ASA-1-104002
CISCOFW104002 \((?:Primary|Secondary)\) Switching to STANDBY - %{GREEDYDATA:switch_reason}
# ASA-1-104003
CISCOFW104003 \((?:Primary|Secondary)\) Switching to FAILED\.
# ASA-1-104004

This file has been truncated. show original

mleon · March 18, 2021, 8:04pm

That worked, thank you much.

acl · March 23, 2021, 6:33pm

I actually uploaded all my groks and pipelines for the ASA. Feel free to give it it a try.

system · April 6, 2021, 6:34pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cisco ASA GROK - Please check your parameters Graylog Central (peer support)	1	611	June 21, 2021
Need help with extractor grok pattern Graylog Tech Challenges pipeline-rules	6	1383	May 24, 2022
Field disabled (elastic) Graylog Central (peer support)	5	654	August 26, 2018
Cisco 3750 logs showing date as source Graylog Central (peer support)	3	463	May 18, 2023
Unwanted Grok Fields Graylog Central (peer support) grok-patternspl	6	520	November 14, 2023

Cisco Syslog Setup

Related Topics