%ASA-4-313005

It’s one thing to get your logs into your SIEM, and it’s a whole other thing to trim them down, sort them out, normalize them, enrich them and get them to the point where they actually do something useful for you.

I’ll not get into the gory details at present, but I did come across an ASA log today that I needed to run an extractor on, and the Grok pattern I had available was not working out for me.

I’m working in Graylog, and while Grok is Grok, some of this might only apply to Graylog.

So the raw message coming into the syslog input from the ASA looks like this:

Jan 19 2021 15:56:44 RANDO_ASA : %ASA-4-313005: No matching connection for ICMP error message: icmp src Outside55:10.10.10.10(LOCAL\dduck) dst inside:SERV02 (type 3, code 3) on Outside55 interface. Original IP payload: udp src SERV02/53 dst 10.10.10.10/57111.

The fly in the ointment was that hostnames turned up in places where the Grok pattern expected to find only IP addresses, so I had to add a couple of OR conditions.

Grok pattern

The literal parentheses and the period are escaped so the regex engine matches them as text; the unescaped | inside each group is the alternation that accepts either an IP address or a hostname.

%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\(%{DATA:err_src_fwuser}\))? dst %{DATA:err_dst_interface}:(%{IP:err_dst_ip}|%{WORD:dst_host})(\(%{DATA:err_dst_fwuser}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\. Original IP payload: %{WORD:protocol} src (%{IP:orig_src_ip}|%{WORD:orig_src_host})/%{INT:orig_src_port}(\(%{DATA:orig_src_fwuser}\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_fwuser}\))?

Graylog Extractor

%{CISCOTIMESTAMP} %{WORD:hostname} : %%{CISCOTAG:ciscotag}: %{CISCOFW313005}
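To check the pattern and the extractor above offline against the sample message, here is an added Python script (mine, not from the post or from Graylog): it expands the Grok references into a plain regex and returns the extracted fields. The base patterns INT, WORD, DATA, IP (IPv4 only), MONTH, MONTHDAY, YEAR, TIME, CISCOTIMESTAMP, CISCOTAG and a two-entry CISCO_REASON are simplified stand-ins I assume here, not the upstream logstash/Graylog definitions.

```python
import re
# Simplified stand-ins for the logstash/Graylog base patterns (assumptions, not
# the upstream definitions; IP is IPv4 only) plus the corrected CISCOFW313005.
PATTERNS = {
    "INT": r"[+-]?[0-9]+", "WORD": r"\b\w+\b", "DATA": r".*?",
    "IP": r"(?<![0-9])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])", "YEAR": r"(?:\d\d){1,2}", "TIME": r"\d{1,2}:\d{2}:\d{2}",
    "CISCOTIMESTAMP": r"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}",
    "CISCOTAG": r"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)",
    "CISCO_REASON": r"No matching connection|Duplicate TCP SYN",
    "CISCOFW313005": (
        r"%{CISCO_REASON:reason} for %{WORD:protocol} error message: "
        r"%{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}"
        r"(\(%{DATA:err_src_fwuser}\))? dst %{DATA:err_dst_interface}:"
        r"(%{IP:err_dst_ip}|%{WORD:dst_host})(\(%{DATA:err_dst_fwuser}\))? "
        r"\(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on "
        r"%{DATA:interface} interface\. Original IP payload: %{WORD:protocol} src "
        r"(%{IP:orig_src_ip}|%{WORD:orig_src_host})/%{INT:orig_src_port}"
        r"(\(%{DATA:orig_src_fwuser}\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}"
        r"(\(%{DATA:orig_dst_fwuser}\))?"
    ),
}
EXTRACTOR = r"%{CISCOTIMESTAMP} %{WORD:hostname} : %%{CISCOTAG:ciscotag}: %{CISCOFW313005}"
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern, seen=None):
    """Recursively expand %{NAME} / %{NAME:field} references into a Python regex."""
    seen = {} if seen is None else seen
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(PATTERNS[name], seen)
        if field is None:
            return f"(?:{inner})"
        # Grok may capture one field twice (protocol: ICMP, then udp); re cannot, so repeats get _2, _3, ...
        n = seen[field] = seen.get(field, 0) + 1
        suffix = "" if n == 1 else f"_{n}"
        return f"(?P<{field}{suffix}>{inner})"
    return GROK_REF.sub(repl, pattern)

def parse_asa_313005(line):
    m = re.compile(grok_to_regex(EXTRACTOR)).search(line)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else None

# Constructed sample: the message from the post, with hostnames where IPs were expected.
SAMPLE = ("Jan 19 2021 15:56:44 RANDO_ASA : %ASA-4-313005: No matching connection for ICMP "
          "error message: icmp src Outside55:10.10.10.10(LOCAL\\dduck) dst inside:SERV02 (type 3, "
          "code 3) on Outside55 interface. Original IP payload: udp src SERV02/53 dst 10.10.10.10/57111.")
FIELDS = parse_asa_313005(SAMPLE)  # e.g. FIELDS["dst_host"] == "SERV02", FIELDS["protocol_2"] == "udp"
```

Graylog's own Grok library may handle the twice-used protocol field differently; this script exposes the second capture as protocol_2.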