Error processing message from Cisco ASA

Dear all, I have a Graylog 3.3.8 server.

I setup a Syslog UDP input, so I’m receiving a lot of syslog messages at UDP/514 local port.

I have 2 Cisco ASA firewalls that point to my Graylog server, from one of themn I’m receiving OK but from the second one I don’t receive any syslog message at all and I can see errors like this at /var/log/graylog-server/server.log:

server.log:2021-04-13T10:00:53.444-03:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=c6ab6cf7-9eb3-11eb-8258-0050569ac4a8, journalOffset=18581012768, codec=syslog, payloadSize=151, timestamp=2021-04-16T13:00:53.439Z, remoteAddress=/}

And this type of error at /var/log/graylog-server/restaccess.log:

2021-04-16 09:57:45,049 ERROR: org.graylog2.shared.buffers.processors.DecodingProcessor - Error processing message RawMessage{id=56616490-9eb3-11eb-8258-0050569ac4a8, journalOffset=18580579980, codec=syslog, payloadSize=160, timestamp=2021-04-16T12:57:45.049Z, remoteAddress=/}

Both Cisco ASA firewalls are configured in the same way at syslog level.

Please can you help me ?

Thanks a lot !


Is the remote address / from the Switch not showing messages?
We had a couple Cisco ASA switch with similar problems. I had to create a new Input using Raw/Plaintext UDP with port 1514.

Syslog by default is UDP/514 (Priviliged port), but you would need to run Graylog as root to have the listener bind to anything below 1024. It is recommended to start it at 1514. Maybe give that a try.

hope that helps.

I collect logs from about 20 asa’s so I’ve seen it all. My advice is always to use the plain UDP input and avoid the syslog. This is so you have full control of what data is coming in from the ASA.

Once you have data come in, finally you can get to parsing but not until then. I also recommend against listening on the base port. I use a completely random port port above 10000 to listen for data requests. This way you avoid the privileged port issue mentioned above.

Good luck fellas.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.