These Aren’t The Logs You’re Looking For

Continuing in a similar vein to the previous couple of blog entries, I'm still nattering on about logs: logs from Cisco ASA devices, and logs that I don't much care about.

But this one is different.

I do care about ASA-4-106020 because it has some value: it identifies, at the very least, that something odd is afoot. Taken at face value it is an alert about an IP teardrop fragment, but it could also be an indication of other network chicanery worth at least a cursory investigation.

Despite this potential value, this particular log message lights up like a firework display on a hot summer night when our vulnerability scans run, and if you've learned anything at all from the previous blogs you'll know that I'm not a huge fan of noise.

But before I can kill it, I need to properly index it, and as anyone shipping ASA logs to a central location knows, these logs are a disaster if left in their raw state. This is where a proper extractor comes in.

What Do You Mean There’s No Grok Pattern?

Long story short, it turns out I didn't have a Grok pattern available for ASA-106020. So I smashed one together.

Now I have one, and so do you. Meet CISCOFW106020:

%{CISCOTIMESTAMP} %{WORD:hostname} : %%{CISCOTAG:cisco_tag}: %{CISCO_ACTION:action} %{WORD:protocol} %{GREEDYDATA:cisco_msg} %{IP:src_ip} to %{IP:dst_ip}

So to wrap this up with a bow, I'm using this Grok pattern with an input extractor in Graylog. The extractor is called CISCO106020, has a single pattern %{CISCOFW106020}, and I set it to only attempt extraction if the message contains the string %ASA-2-106020.

The Grok pattern should work for Logstash as well, maybe with minor tweaks - YMMV and all that stuff.

Happy Logging!