This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
shifty (Posts: 44, Joined: Thu Feb 25, 2021 2:58 am)
by shifty » Fri May 21, 2021 12:36 am
Hi gsmith,
The creator of the dashboard just added this sentence:
"Use this dashboard to see at a glance how VPN sessions are being closed on your ASA devices. It shows the bytes sent and received over the VPN sessions and works with IPSEC and ANYConnect VPN sessions"
I think the diagrams just show how many bytes the client received and sent in its session before it ended.
I imported your filter and dashboard and it looks like this:
[Attachment: asa.PNG]
Also I tried to change the "chart values"; nothing except "count" worked. So min, mean, max and total are not working.
gsmith (Posts: 1253, Joined: Tue Mar 02, 2021 11:15 am)
by gsmith » Sun May 23, 2021 9:54 pm
Hi
Try this filter:
Code:
if [program] == 'cisco' {
    grok {
        match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{HOUR:hour}h:%{MINUTE:min}m:%{SECOND:sec}s, Bytes xmt: %{NUMBER:bytesxmt:int}, Bytes rcv: %{NUMBER:bytesrcv:int}, Reason: %{GREEDYDATA:Reason}']
    }
    geoip {
        source => "IPAddress"
    }
}
And the attached dashboard.
shifty (Posts: 44, Joined: Thu Feb 25, 2021 2:58 am)
by shifty » Tue May 25, 2021 1:11 am
Hi gsmith,
I tried your filter with your dashboard:
[Attachment: asa6.PNG]
This is my current configuration:
Input:
Code:
tcp {
    port => 6514
    type => 'asa'
}
Filter:
Code:
if [program] == 'cisco' {
    grok {
        match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{HOUR:hour}h:%{MINUTE:min}m:%{SECOND:sec}s, Bytes xmt: %{NUMBER:bytesxmt:int}, Bytes rcv: %{NUMBER:bytesrcv:int}, Reason: %{GREEDYDATA:Reason}']
    }
    geoip {
        source => "IPAddress"
    }
}
gsmith (Posts: 1253, Joined: Tue Mar 02, 2021 11:15 am)
by gsmith » Tue May 25, 2021 9:21 am
Hi Shifty,
1. Does the Bytes Transmitted graph look reasonable?
2. On the server please run:
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.24/_mapping/field/bytesrcv'
This will tell us what the bytesrcv field's datatype is; it should be:
{"logstash-2021.05.24":{"mappings":{"syslog":{"bytesrcv":{"full_name":"bytesrcv","mapping":{"bytesrcv":{"type":"long"}}}}}}
Thanks
shifty (Posts: 44, Joined: Thu Feb 25, 2021 2:58 am)
by shifty » Wed May 26, 2021 2:09 am
Hey gsmith,
Mh, the "Bytes Transmitted" chart looks like the "Events over Time" chart. I don't know; the original chart uses the "bytes received" field, our chart no longer does. The new filter does not seem to find the fields "bytesrcv" and "bytesxmt".
[Attachment: asa10.PNG]
[Attachment: asa11.PNG]
The output from the command:
Code:
{"logstash-2021.05.24":{"mappings":{}}}
The output of the command also looks as if "bytesrcv" does not exist at all. Everything is pretty complicated.
gsmith (Posts: 1253, Joined: Tue Mar 02, 2021 11:15 am)
by gsmith » Wed May 26, 2021 9:37 am
Hi,
Yes, I changed the field names so I could differentiate from the original ones. I did make a mistake on the bytes transmitted chart; here is how they both should be set up:
[Attachment: shifty1.jpg]
[Attachment: shifty2.jpg]
The reason the output of:
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.24/_mapping/field/bytesrcv'
was empty is because you need to pick an index that actually has data. So change logstash-2021.05.24 to a day where you had some data, and run:
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.XX/_mapping/field/bytesrcv'
curl -GET 'http://localhost:9200/logstash-2021.05.XX/_mapping/field/bytesxmt'
Change XX to a day with data.
Thanks
shifty (Posts: 44, Joined: Thu Feb 25, 2021 2:58 am)
by shifty » Thu May 27, 2021 12:47 am
Hi gsmith,
I have adjusted the graphs as you described.
Code:
curl -GET 'http://localhost:9200/logstash-2021.05.19/_mapping/field/bytesxmt'
{"logstash-2021.05.19":{"mappings":{}}}
curl -GET 'http://localhost:9200/logstash-2021.05.21/_mapping/field/bytesrcv'
{"logstash-2021.05.21":{"mappings":{}}}
curl -GET 'http://localhost:9200/logstash-2021.05.22/_mapping/field/bytesrcv'
{"logstash-2021.05.22":{"mappings":{}}}
curl -GET 'http://localhost:9200/logstash-2021.05.23/_mapping/field/bytesxmt'
{"logstash-2021.05.23":{"mappings":{}}}
curl -GET 'http://localhost:9200/logstash-2021.05.26/_mapping/field/bytesrcv'
{"logstash-2021.05.26":{"mappings":{}}}
None of the queries returns anything. But they should, since VPN users work every day.
gsmith (Posts: 1253, Joined: Tue Mar 02, 2021 11:15 am)
by gsmith » Thu May 27, 2021 9:14 am
Hey,
So the filter isn't being applied. Go ahead and change it from:
Code:
if [program] == 'cisco' {
    grok {
        match => ['message', '^<%{POSINT:syslog_pri}>%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = (?<Group>\b[\w\-]+\b), Username = (?<username>\b[\w\-]+\b), IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{HOUR:hour}h:%{MINUTE:min}m:%{SECOND:sec}s, Bytes xmt: %{NUMBER:bytesxmt:int}, Bytes rcv: %{NUMBER:bytesrcv:int}, Reason: %{GREEDYDATA:Reason}']
    }
    geoip {
        source => "IPAddress"
    }
}
to:
Code:
if [type] == 'asa' {
    grok {
        blah blah blah
    }
Only the first line needs to be changed.
Thanks
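As an added example (not code from this thread or from Nagios), the following Python script translates gsmith's grok pattern into an equivalent regular expression and reproduces the guard problem above: the tcp input tags events with type => 'asa' and sets no program field, so the `[program] == 'cisco'` guard never lets the grok filter run and bytesrcv/bytesxmt never reach the index. The ASA syslog line is constructed to match the pattern, and `\d+` for the duration parts is looser than grok's HOUR/MINUTE/SECOND patterns.

```python
import re

# Constructed sample Cisco ASA "Session disconnected" syslog line, shaped like the
# message the thread's grok pattern expects (values are made up).
SAMPLE = ("<166>%ASA-4-113019: Group = vpn-users, Username = jdoe, IP = 203.0.113.7, "
          "Session disconnected. Session Type: SSL, Duration: 1h:02m:15s, "
          "Bytes xmt: 123456, Bytes rcv: 654321, Reason: User Requested")

# Regex translation of the grok pattern. grok's %{NUMBER:name:int} suffix is
# emulated by converting the fields listed in INT_FIELDS after matching.
PATTERN = re.compile(
    r"^<(?P<syslog_pri>\d+)>%(?P<LogType>\w+)-(?P<LogSeverity>\d+)-(?P<LogMessageNumber>\d+): "
    r"Group = (?P<Group>\b[\w\-]+\b), Username = (?P<username>\b[\w\-]+\b), "
    r"IP = (?P<IPAddress>\d{1,3}(?:\.\d{1,3}){3}), Session disconnected\. "
    r"Session Type: (?P<SessionType>\w+), "
    r"Duration: (?P<hour>\d+)h:(?P<min>\d+)m:(?P<sec>\d+)s, "
    r"Bytes xmt: (?P<bytesxmt>\d+), Bytes rcv: (?P<bytesrcv>\d+), "
    r"Reason: (?P<Reason>.*)$"
)
INT_FIELDS = ("bytesxmt", "bytesrcv")


def grok(message):
    """Return the parsed fields as a dict, or None if the pattern does not match."""
    m = PATTERN.match(message)
    if not m:
        return None
    fields = m.groupdict()
    for name in INT_FIELDS:
        fields[name] = int(fields[name])  # numeric, so Elasticsearch maps it as long
    return fields


def apply_filter(event, condition):
    """Mimic the Logstash 'if' guard: only events satisfying it get parsed."""
    field, expected = condition
    if event.get(field) != expected:
        return event                     # guard fails: event passes through unparsed
    parsed = grok(event["message"])
    return {**event, **parsed} if parsed else event


def demo():
    # Events from the thread's tcp input carry type => 'asa' and no 'program' field.
    event = {"type": "asa", "message": SAMPLE}
    before = apply_filter(event, ("program", "cisco"))  # original guard: never matches
    after = apply_filter(event, ("type", "asa"))        # gsmith's fix
    return "bytesrcv" in before, after.get("bytesrcv"), after.get("bytesxmt")
```

Running the two guards side by side is a quick way to confirm a field-name mismatch before chasing the Elasticsearch mapping.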
shifty (Posts: 44, Joined: Thu Feb 25, 2021 2:58 am)
by shifty » Thu May 27, 2021 12:21 pm
Hey gsmith,
Thanks! That did the trick.
I think the thread can be closed.
Many thanks!
gsmith (Posts: 1253, Joined: Tue Mar 02, 2021 11:15 am)
by gsmith » Thu May 27, 2021 2:25 pm
Fantastic!
Glad it's working.
Have a good one.