Send logs from Cisco Firewall to Graylog

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:
I’m looking for a way how to send only specific ID’s to Graylog server. I mean not all logs classified as warning, error or something, I just want to send a specific ID’s - for example if someone from inside trying to reach out any IP outside and one of my access list deny this request, the log ID is 106100.

2. Describe your environment:

  • OS Information: Cisco ASA, Graylog is installed on Ubuntu 22.04

  • Package Version: Graylog 5.0

  • Service logs, configurations, and environment variables: that is I’m looking for how to configure

3. What steps have you already taken to try and solve the problem?
Still nothing.

4. How can the community help?
Advice.

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

As far as I remember ASA, you can decide up to which log-level you want to send logs. You can also change the log-level per ID if I remember correctly. With those both properties you can send logs to Graylog.

If you receive more in Graylog than you want you can delete Logs based on their ID:

  1. build a rule to extract the ID in a certain field, we call it asa_syslog_id
  2. create a rule if the field has a certain value to drop the message
1 Like

Or, if your list of event, ideas is very short, you can build a rule that throws away any message that does not contain your specific IDs. Boolean operators in pipelines are very useful for this.

I think that my list is really short. My goal is to drop the logs on the source - Cisco. It’s not necessary to receive all logs to the Graylog server and drop it there - it will exhaust my SSD soon.

Hey @brkw

The suggestion that @ihe stated might help, for example you can set the Severity Levels for warning/critical etc… that may help to reduce the amount of logs your receiving.

You may be surprised. Dropping messages as soon as they arrive does not require much I/O.

1 Like