Source name in the Cisco Firepower Syslog

Hello,
We have a Cisco ASA running Firepower services. Upon configuring this device to send syslog data to our graylog server, we are noticing that the source name of these syslog messages shows as “Nov” .
Our firewall’s hostname is not “NOV” but “ciscoasa”. How to make Graylog show the correct hostname ?

Please see attached screenshot.
Capture

im using raw plaintext input, for all cisco devices

// Anders

@dio99, does that give you the right hostname ? if i use plain text , it shows source as the “IP-address of the interface”

set the logging device-id in the cisco device that will give u the name in the message, but u can also let graylog to resolve the ip if u have the FW in the dns if u want to have hostname in source…

1 Like

if you enable store full message in the input config, you will see what the device send.
check it first, then the syslog standards, and you will understand why you got it.
a lot of devices don’t use the syslog standards, youst send a string what looks like that.
Graylog use the standards.
You can create extractors or pipelines to get the right name.

2 Likes

You might want to read that:

2 Likes

Thank you all. Appreciate your help. My issue is not resolved, looks like i would have to do some manual work such as creating extractors.

i have done all my cisco ASA in pipelines, moved from extractors since the overhead of matching on a input
since i have many devices to normalize :slight_smile:
and cisco logg format is a pain in the… due all diffrent ways how it looks :frowning:

you will not get one open source and free to use tool that can work with any device that will be without any work from you outputting something you like to have …

so, paying someone money to do the work or do the work yourself is the only option you have.

1 Like

Well, there’s always good ol’ Begging and Pleading™, or telling someone that “It will look good on your resumé or portfolio, just do it for free.:wink:

Hi Jan,
Please see below sample message from our Cisco-ASA. My requirement is to correct the source field to show "Cisco-ASA" instead of “Nov” as what Graylog shows currently.

So, In order to fix / overwrite the source field of my incoming cisco syslog messages, i wrote the below 3 pipeline rules (per your advice on other similar posts ) and tried each of them one by one yet none of them were able to overwrite the source field. The source in the messages still continues to show as Nov (month) Can you please help what is wrong with the below pipleline rules? Do we need to reboot or run sudo graylog-ctl reconfigure after adding pipeline rules for them take effect ?

rule "Correct CiscoASA hostname"
when
  has_field("local_facility") AND contains( "asa")
then
   set_field("source", "Cisco-ASA");
end

OR

    rule "Correct CiscoASA hostname"
    when
     has_field("source") AND contains( "Nov")
    then
      set_field("source", "Cisco-ASA");
    end

OR

rule "Correct CiscoASA hostname"
when
 contains(to_string($message.gl2_remote_ip), "192.168.1.10")
then
  set_field("source", "Cisco-ASA");
end

Sample message:

your main problem is that the cisco device is not sending a proper syslog message.

you should read the linked blog posting about that issue.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.