Cisco ASA Dashboard

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Cisco ASA Dashboard

Post by shifty »

Hello again :)

I came across the Cisco ASA dashboard and would love to use it!

https://exchange.nagios.org/directory/A ... ng/details

Unfortunately, it doesn't work properly for me, as you can see on the screenshot.

My input and filter are the same as in the description:

https://exchange.nagios.org/components/ ... 7&cf_id=24
The logs come in via port 6514
Maybe someone has an idea how to get the dashboard working, or whether I did something wrong :)

Thank you
shifty
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

Hi Shifty,

I took a look at the plugin page. It looks like you followed the Filter and Input instructions,
but did you also load the dashboard json file?
Please let me know.

Thanks
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Hi gsmith,

Thank you for your reply. Yes, I have loaded the dashboard, as you can see in pictures 1 and 2. As you can see in picture 4, there are probably 3 grokparsefailures. I was already able to fix one, namely the _grokparsefailure_sysloginput.

I've adjusted my input as follows:

from

syslog {
    type => 'asa'
    port => 6514
}

to

tcp {
    type => 'asa'
    port => 6514
}

Now I have the other two mistakes:

_grokparsefailure and _grokparsefailure_geoip

The cisco asa dashboard filters for the number 113019. When I search for the number and display the raw data, it looks like this:

{
  "_index": "logstash-2021.05.09",
  "_type": "asa",
  "_id": "AXlP-9Xm7rqESgLwSkw7",
  "_score": null,
  "_source": {
    "message": "<172>%ASA-4-113019: Group = VPN-Clients, Username = username, IP = 79.201.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 0h:13m:32s, Bytes xmt: 22555580, Bytes rcv: 5138697, Reason: User Requested",
    "@version": "1",
    "@timestamp": "2021-05-09T07:16:14.793Z",
    "host": "192.xxx.xxx.x",
    "port": 35527,
    "type": "asa",
    "tags": [
      "_grokparsefailure",
      "_geoip_lookup_failure"
    ],
    "geoip": [],
    "syslog_severity_code": 5,
    "syslog_facility_code": 1,
    "syslog_facility": "user-level",
    "syslog_severity": "notice"
  },
  "highlight": {
    "message": [
      "<172>%ASA-4-@start-highlight@113019@end-highlight@: Group = VPN-Clients, Username = username, IP = 79.201.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 0h:13m:32s, Bytes xmt: 22555580, Bytes rcv: 5138697, Reason: User Requested"
    ]
  },
  "sort": [
    1620544574793,
    1620544574793
  ]
}

thanks for any help

shifty
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

I played around with the grok debugger and tested it. Here is my result:

<172>%ASA-4-113019: Group = VPN-Clients, Username = testuser, IP = 11.11.11.11, Session disconnected. Session Type: SSL, Duration: 0h:18m:40s, Bytes xmt: 1484872, Bytes rcv: 373922, Reason: User Requested

%{SYSLOG5424PRI}%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = %{WORD:Group}.*Username = %{WORD:username}.*IP = %{IP:IPAddress}.*Session disconnected.*Session Type: %{WORD:SessionType}.*Duration: %{NUMBER:DurationHours}h:%{INT:DurationMinutes}m:%{INT:DurationSeconds}s.*Bytes xmt: %{NUMBER:BytesTransmitted}.*Bytes rcv: %{NUMBER:BytesReceived}.*Reason: %{GREEDYDATA:Reason}
Result:

{
  "SYSLOG5424PRI": [
    [
      "<172>"
    ]
  ],
  "syslog5424_pri": [
    [
      "172"
    ]
  ],
  "LogType": [
    [
      "ASA"
    ]
  ],
  "LogSeverity": [
    [
      "4"
    ]
  ],
  "LogMessageNumber": [
    [
      "113019"
    ]
  ],
  "Group": [
    [
      "VPN"
    ]
  ],
  "username": [
    [
      "testuser"
    ]
  ],
  "IPAddress": [
    [
      "11.11.11.11"
    ]
  ],
  "IPV6": [
    [
      null
    ]
  ],
  "IPV4": [
    [
      "11.11.11.11"
    ]
  ],
  "SessionType": [
    [
      "SSL"
    ]
  ],
  "DurationHours": [
    [
      "0"
    ]
  ],
  "BASE10NUM": [
    [
      "0",
      "1484872",
      "373922"
    ]
  ],
  "DurationMinutes": [
    [
      "18"
    ]
  ],
  "DurationSeconds": [
    [
      "40"
    ]
  ],
  "BytesTransmitted": [
    [
      "1484872"
    ]
  ],
  "BytesReceived": [
    [
      "373922"
    ]
  ],
  "Reason": [
    [
      "User Requested"
    ]
  ]
}
I tried to build a filter out of it, unfortunately without success:

if [type] == 'asa' {
grok{
match => ['message', '%{SYSLOG5424PRI}%%{WORD:LogType}-%{INT:LogSeverity}-%{INT:LogMessageNumber}: Group = %{WORD:Group}, Username = %{WORD:username}, IP = %{IP:IPAddress}, Session disconnected. Session Type: %{WORD:SessionType}, Duration: %{NUMBER:DurationHours}h:%{INT:DurationMinutes}m:%{INT:DurationSeconds}s, Bytes xmt: %{NUMBER:BytesTransmitted}, Bytes rcv: %{NUMBER:BytesReceived}, Reason: %{GREEDYDATA:Reason}']
}
}
I have the feeling that there is a problem with the %{SYSLOG5424PRI}% and the <172>, but I don't know. In addition, under Group = %{WORD:Group} only "VPN" is displayed instead of "VPN-clients".

thanks
Shifty
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

Hi,

Use this to fix your Group:

(?<Group>\b[\w\-]+\b)

(?<field name> ...) means use a regex for <field name>
\b is a word boundary
[\w\-] is all letters, plus the added char "-"
\b is a word boundary

Thanks
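To show why Group stopped at "VPN" and what the boundary pattern above changes, here is an added example (not from the thread or the Nagios plugin) that hand-expands the thread's grok pattern into a Ruby regex; Ruby's engine is an Oniguruma derivative like the one Logstash grok uses, so the matching behaviour is the same. The sample line is constructed, and IPV4 is a simplified version of the grok pattern, enough for this input.

```ruby
# Added example, not code from the thread or the Nagios dashboard plugin.
# Constructed sample line, modelled on the 113019 message shifty posted.
ASA_LINE = "<172>%ASA-4-113019: Group = VPN-Clients, Username = testuser, " \
           "IP = 11.11.11.11, Session disconnected. Session Type: SSL, " \
           "Duration: 0h:18m:40s, Bytes xmt: 1484872, Bytes rcv: 373922, " \
           "Reason: User Requested"

# Hand-expanded equivalents of the grok core patterns used in the thread.
WORD     = '\b\w+\b'                       # grok WORD: "-" is not in \w, so it stops at "VPN"
GROUPPAT = '\b[\w\-]+\b'                   # gsmith's fix: letters, digits, "_" and "-"
INT      = '(?:[+-]?(?:[0-9]+))'           # grok INT
IPV4     = '(?:[0-9]{1,3}\.){3}[0-9]{1,3}' # assumption: simplified grok IPV4

# Build the full 113019 pattern; group_pat is swapped in for %{...:Group}.
def asa_113019_regex(group_pat)
  Regexp.new([
    '^<(?<syslog5424_pri>\d{1,3})>%',
    "(?<LogType>#{WORD})-(?<LogSeverity>#{INT})-(?<LogMessageNumber>#{INT}): ",
    "Group = (?<Group>#{group_pat}), Username = (?<username>#{WORD}), ",
    "IP = (?<IPAddress>#{IPV4}), Session disconnected\\. Session Type: (?<SessionType>#{WORD}), ",
    "Duration: (?<DurationHours>#{INT})h:(?<DurationMinutes>#{INT})m:(?<DurationSeconds>#{INT})s, ",
    "Bytes xmt: (?<BytesTransmitted>#{INT}), Bytes rcv: (?<BytesReceived>#{INT}), ",
    'Reason: (?<Reason>.*)$'
  ].join)
end

# Returns nil on a parse failure (grok would then tag _grokparsefailure),
# otherwise a hash of named fields with the byte counters converted to
# Integer, which is what the :int suffix in %{INT:BytesTransmitted:int}
# asks Logstash to do at parse time.
def parse_asa_113019(line, group_pat: GROUPPAT)
  m = asa_113019_regex(group_pat).match(line)
  return nil unless m
  fields = m.names.each_with_object({}) { |n, h| h[n] = m[n] }
  %w[BytesTransmitted BytesReceived].each { |k| fields[k] = Integer(fields[k]) }
  fields
end

if __FILE__ == $0
  p parse_asa_113019(ASA_LINE, group_pat: WORD) # nil: WORD stops at the hyphen, ", Username" never matches
  p parse_asa_113019(ASA_LINE)                  # full hash, "Group" => "VPN-Clients"
end
```

Whether a converted value lands as a number in Elasticsearch still depends on the index's existing mapping for that field, which this example does not touch.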
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Hi gsmith,

thank you! That did the trick.
The last problem I have is that the bytes transmitted and bytes received graph do not show anything and give an error.
ClassCastException[org.elasticsearch.index.fielddata.plain.DisabledIndexFieldData cannot be cast to org.elasticsearch.index.fielddata.IndexNumericFieldData]
Do you have a solution for this ?

many thanks
shifty
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

Hi,

Try changing %{NUMBER:BytesTransmitted}, Bytes rcv: %{NUMBER:BytesReceived}

to:
%{INT:BytesTransmitted}, Bytes rcv: %{INT:BytesReceived}

Let me know what happens

Thanks
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

I now get the error

ClassCastException
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Cisco ASA Dashboard

Post by gsmith »

Hi,

It's something to do with the %{NUMBER:BytesTransmitted}, Bytes rcv: %{NUMBER:BytesReceived}

Since NUMBER and INT didn't work, let's try WORD :P

*Bytes xmt: %{WORD:BytesTransmitted}.*Bytes rcv: %{WORD:BytesReceived}.*Reason: %{GREEDYDATA:Reason}

Let me know please....
shifty
Posts: 44
Joined: Thu Feb 25, 2021 2:58 am

Re: Cisco ASA Dashboard

Post by shifty »

Hi gsmith,

I tried

*Bytes xmt: %{WORD:BytesTransmitted}.*Bytes rcv: %{WORD:BytesReceived}

but it did not work. I rummaged through the forum again and found this thread

https://support.nagios.com/forum/viewto ... 38&t=58051

but that didn't work either

Tried so far:

Bytes xmt: %{NUMBER:BytesTransmitted}, Bytes rcv: %{NUMBER:BytesReceived}

Bytes xmt: %{NUMBER:BytesTransmitted:int}, Bytes rcv: %{NUMBER:BytesReceived:int}

Bytes xmt: %{INT:BytesTransmitted}, Bytes rcv: %{INT:BytesReceived}

Bytes xmt: %{INT:BytesTransmitted:int}, Bytes rcv: %{INT:BytesReceived:int}

But nothing worked :(