Skip to content

Instantly share code, notes, and snippets.

@raphaelkong

raphaelkong/gist:01e8cb7b3a3b56b53a6a

Forked from dav3860/gist:5345656
Last active August 29, 2015 14:20
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save raphaelkong/01e8cb7b3a3b56b53a6a to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save raphaelkong/01e8cb7b3a3b56b53a6a to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
/etc/logstash/logstash.conf :
# We handle the syslog part of the Cisco PIX/ASA messages
grok {
tags => "cisco-fw"
patterns_dir => "/etc/logstash/patterns"
pattern => "^<%{POSINT:syslog_pri}>(?:(%{TIMESTAMP_ISO8601:timestamp8601} |%{CISCOTIMESTAMP:timestamp} ))?%{SYSLOGHOST:logsource}?[ :]+%{GREEDYDATA:syslog_message}"
}
syslog_pri {
tags => "cisco-fw"
}
mutate {
tags => "cisco-fw"
exclude_tags => "_grokparsefailure"
replace => [ "@source_host", "%{logsource}" ]
replace => [ "@message", "%{syslog_message}" ]
}
# for optional fields (device name in message, Cisco syslog tag)
grok {
tags => "cisco-fw"
patterns_dir => "/etc/logstash/patterns"
pattern => "(?:%{SYSLOGHOST:device} )?(?:: )?%%{CISCOFWTAG:ciscotag}:%{GREEDYDATA}"
}
# we extract fields
grok {
tags => "cisco-fw"
break_on_match => false
patterns_dir => "/etc/logstash/patterns"
pattern => [
"%{CISCOFW1}",
"%{CISCOFW2}",
"%{CISCOFW3}",
"%{CISCOFW4}",
"%{CISCOFW4b}",
"%{CISCOFW5}",
"%{CISCOFW6a}",
"%{CISCOFW6b}",
"%{CISCOFW7}",
"%{CISCOFW8}",
"%{CISCOFW9}",
"%{CISCOFW10}",
"%{CISCOFW11}",
"%{CISCOFW12}",
"%{CISCOFW13}",
"%{CISCOFW14}",
"%{CISCOFW15}",
"%{CISCOFW16}",
"%{CISCOFW17}",
"%{CISCOFW18}"
]
}
date {
tags => "cisco-fw"
timestamp8601 => ISO8601
timestamp => [
"MMM dd HH:mm:ss.SSS",
"MMM d HH:mm:ss.SSS",
"MMM dd HH:mm:ss",
"MMM d HH:mm:ss",
"MMM dd yyyy HH:mm:ss.SSS",
"MMM d yyyy HH:mm:ss.SSS",
"MMM dd yyyy HH:mm:ss",
"MMM d yyyy HH:mm:ss"
]
innertimestamp => [
"MMM dd HH:mm:ss.SSS",
"MMM d HH:mm:ss.SSS",
"MMM dd HH:mm:ss",
"MMM d HH:mm:ss",
"MMM dd yyyy HH:mm:ss.SSS",
"MMM d yyyy HH:mm:ss.SSS",
"MMM dd yyyy HH:mm:ss",
"MMM d yyyy HH:mm:ss",
"yyyy-MM-dd HH:mm:ss.SSS",
"yyyy-MM-dd HH:mm:ss"
]
locale => "Locale.US"
}
/etc/logstash/patterns/cisco-firewalls :
# ASA-1-106100
CISCOFW1 access-list %{DATA:policy_id} %{WORD:action} %{WORD:protocol} %{DATA}/%{IP:src_ip}\(%{DATA:src_port}\) -> %{DATA}/%{IP:dst_ip}\(%{DATA:dst_port}\)
# ASA-3-710003
CISCOFW2 %{WORD:action} %{WORD:protocol} type=%{INT}, code=%{INT} from %{IP:src_ip} on interface
# ASA-3-710003
CISCOFW3 %{WORD:protocol} access %{WORD:action} by ACL from %{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:dst_ip}/%{DATA:dst_port}
# ASA-4-106023
CISCOFW4 %{WORD:action} %{WORD:protocol} src %{DATA}:%{IP:src_ip}/%{DATA:src_port} dst %{DATA}:%{IP:dst_ip}/%{DATA:dst_port} by access-group %{DATA:policy_id}
CISCOFW4b %{WORD:action} %{WORD:protocol} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip} \(type %{INT}, code %{INT}\) by access-group %{DATA:policy_id}
# ASA-6-106015
CISCOFW5 Deny %{WORD:protocol} \(%{GREEDYDATA:action}\) from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port} flags
# ASA-6-302013
CISCOFW6a %{WORD:action} inbound %{WORD:protocol} connection %{INT} for %{DATA}:%{IP:src_ip}/%{DATA:src_port} \(%{IP:src_xlated_ip}/%{DATA:src_xlated_port}\) to %{DATA}:%{IP:dst_ip}/%{DATA:dst_port} \(%{IP:dst_xlated_ip}/%{DATA:dst_xlated_port}\)
CISCOFW6b %{WORD:action} outbound %{WORD:protocol} connection %{INT} for %{DATA}:%{IP:dst_ip}/%{DATA:dst_port} \(%{IP:dst_xlated_ip}/%{DATA:dst_xlated_port}\) to %{DATA}:%{IP:src_ip}/%{DATA:src_port} \(%{IP:src_xlated_ip}/%{DATA:src_xlated_port}\)
# ASA-7-710002 | ASA-7-710005
CISCOFW7 %{WORD:protocol} (?:request|access) %{WORD:action} from %{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:dst_ip}/%{WORD:service}
# ASA-6-302020
CISCOFW8 %{WORD:action} (?:inbound|outbound) %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT} gaddr %{IP:src_xlated_ip}/%{INT} laddr %{IP:src_ip}
# ASA-1-106021
CISCOFW9 %{WORD:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface
# ASA-2-106006-7
CISCOFW10 %{WORD:action} inbound %{WORD:protocol} from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port} (?:on interface|due to)
# ASA-4-313004
CISCOFW11 %{WORD:action} %{WORD:protocol} type=%{INT}, from (?:laddr )?%{IP:src_ip} on interface %{DATA} to %{IP:dst_ip}
# ASA-2-106001
CISCOFW12 (?:Inbound|Outbound) %{WORD:protocol} connection %{WORD:action} from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port} flags
# ASA-3-106014
CISCOFW13 %{WORD:action} (?:inbound|outbound) %{WORD:protocol} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip}
# ASA-4-419001
CISCOFW14 %{WORD:action} %{WORD:protocol} packet from %{DATA}:%{IP:src_ip}(?:/%{DATA:src_port})? to %{DATA}:%{IP:dst_ip}(?:/%{DATA:dst_port})?
# ASA-4-313005
CISCOFW15 %ASA-4-313005: %{DATA:action} for %{WORD:protocol} error message: %{WORD} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip} (?:\(type %{INT}, code %{INT}\))
# PIX-3-710003
CISCOFW16 %{WORD:protocol} access %{WORD:action} by ACL from %{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:dst_ip}/%{WORD:service}
# ASA-4-500004
CISCOFW17 %{WORD:action} transport field for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{DATA:src_port} to %{IP:dst_ip}/%{DATA:dst_port}
# ASA-6-305011 # dynamic NAT creation
#CISCOFW00 %{WORD:action} dynamic %{WORD:protocol} translation from %{DATA}:%{IP:src_ip}/%{DATA:src_port} to %{DATA}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}
# ASA-5-305013
CISCOFW18 Connection for %{WORD:protocol} src %{DATA}:%{IP:src_ip} dst %{DATA}:%{IP:dst_ip} (?:\(type %{INT}, code %{INT}\) )?%{WORD:action} due to
/etc/logstash/patterns/cisco-std :
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
CISCOFWTAG (?:ASA|PIX|FWSM)-%{INT}-(?:[A-Z0-9_]+)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment