
Whitespace in Cisco ASA output breaks firewall pattern #2101

Closed
roderickm opened this issue Nov 19, 2014 · 2 comments

Comments

@roderickm

If a Cisco ASA has a logging device-id set (for instance with logging device-id string asa.sfo), the syslog message emitted does not match the grok pattern CISCO_TAGGED_SYSLOG. An additional space should be allowed by the pattern between the device_id and the colon.

Here are example messages to demonstrate:

without device-id:
<164>Nov 19 2014 17:27:56: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. ...

with device-id:
<164>Nov 19 2014 17:30:36 asa.sfo : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. ...

The example with device-id is not matched by CISCO_TAGGED_SYSLOG because of the space in
asa.sfo :

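As an added illustration (not code from the issue, nor the pattern file of logstash-patterns-core), the Ruby script below spells out the structure of CISCO_TAGGED_SYSLOG as a plain Oniguruma regex, once in the shape the issue describes and once with the optional space it asks for, and runs both of the example messages above through each. The sub-patterns for month, timestamp, host and Cisco tag are approximations of the grok building blocks rather than the project's exact definitions, and the helper name `parse_cisco_syslog` is this example's own. The point it makes visible is the operational one: a grok miss is silent, so every ASA configured with a logging device-id simply drops out of the parsed firewall events until the pattern tolerates the extra space.

```ruby
# Added example (not from the issue or from logstash-patterns-core): the
# structure of the CISCO_TAGGED_SYSLOG grok pattern spelled out as a plain
# Ruby (Oniguruma) regex, first in the shape the issue describes, then with
# the optional space it asks for. The sub-patterns approximate the grok
# building blocks (MONTH, CISCOTIMESTAMP, SYSLOGHOST, CISCOTAG); they are not
# the project's exact definitions.
MONTH     = /(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)/
TIMESTAMP = /#{MONTH} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}/
HOST      = /[A-Za-z0-9][A-Za-z0-9.\-]*/
CISCOTAG  = /[A-Z0-9]+-\d+-[A-Z0-9_]+/

# Shape described in the issue: the optional "<space>sysloghost" group must be
# followed directly by the colon, so "asa.sfo :" cannot match.
ORIGINAL = /\A<(?<syslog_pri>[1-9]\d*)>(?<timestamp>#{TIMESTAMP})(?: (?<sysloghost>#{HOST}))?: %(?<ciscotag>#{CISCOTAG}):/

# Shape with the fix the issue requests: " ?" permits one optional space
# between the device-id and the colon; messages without a device-id still match.
FIXED = /\A<(?<syslog_pri>[1-9]\d*)>(?<timestamp>#{TIMESTAMP})(?: (?<sysloghost>#{HOST}))? ?: %(?<ciscotag>#{CISCOTAG}):/

# Returns a Hash of the named captures, or nil when the pattern does not match
# (the equivalent of grok tagging the event _grokparsefailure).
def parse_cisco_syslog(line, pattern = FIXED)
  m = pattern.match(line)
  return nil unless m
  m.names.zip(m.captures).to_h
end

# The two messages quoted in the issue.
WITHOUT_DEVICE_ID = "<164>Nov 19 2014 17:27:56: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. ..."
WITH_DEVICE_ID    = "<164>Nov 19 2014 17:30:36 asa.sfo : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. ..."

if __FILE__ == $PROGRAM_NAME
  [ORIGINAL, FIXED].each do |pattern|
    label = pattern.equal?(ORIGINAL) ? "original" : "fixed"
    [WITHOUT_DEVICE_ID, WITH_DEVICE_ID].each do |line|
      puts "#{label}: #{parse_cisco_syslog(line, pattern).inspect}"
    end
  end
end
```

Run as a script, the original shape parses the first message and returns nil for the device-id message, while the fixed shape parses both and captures `asa.sfo` as `sysloghost`; the first message leaves `sysloghost` nil under both, which is the behaviour the issue wants preserved.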
roderickm pushed a commit to roderickm/logstash that referenced this issue Nov 19, 2014
roderickm pushed a commit to roderickm/logstash-patterns-core that referenced this issue Dec 3, 2014
Closes elastic/logstash#2101. If a Cisco ASA has a logging
device-id set, the syslog message emitted contains an additional space
after the device-id and therefore does not match the grok pattern
CISCO_TAGGED_SYSLOG. An optional space should be allowed by the pattern
between the device-id (which is captured as sysloghost) and the colon
character.
@seang-es

We've seen this issue at a customer site as well. Can we update the default filter to handle this?

@jordansissel
Contributor

For Logstash 1.5.0, we've moved all plugins to individual repositories, so I have moved this issue to logstash-plugins/logstash-patterns-core#39. Let's continue the discussion there! :)

purbon pushed a commit to logstash-plugins/logstash-patterns-core that referenced this issue Sep 9, 2015
Closes elastic/logstash#2101. If a Cisco ASA has a logging
device-id set, the syslog message emitted contains an additional space
after the device-id and therefore does not match the grok pattern
CISCO_TAGGED_SYSLOG. An optional space should be allowed by the pattern
between the device-id (which is captured as sysloghost) and the colon
character.
3 participants