Graylog2 Cisco ASA / Cisco Catalyst

To log Cisco devices correctly in Graylog2, set up the configuration below.

This has now been added to the Graylog Marketplace https://marketplace.graylog.org/

Cisco ASA Configuration:

Create a Raw/PlainText input with the settings you require.

Then select action -> Manage Extractors.

Now select actions -> Import Extractors and paste the configuration below into the box. This will format the messages correctly, with the IP address of the firewall as the source.

If you would like the source to be the IP address, change this line:

To this:
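The extractor import above is a set of Graylog regex extractors: each one runs a pattern against the `message` field and copies the first capture group into a target field. The following Python is an added example (not the article's extractor JSON, and not Graylog's code) that emulates that behaviour on two constructed ASA syslog lines. The regexes, field names (`asa_severity`, `src_ip`, and so on), hostname `fw01` and addresses are assumptions made for the example; the export helper follows the key names quoted in the comments (`extractor_type`, `source_field`, `target_field`, `title`, `order`) and assumes Graylog's `extractor_config.regex_value` layout. It also shows why the source field comes out as `%ASA-4-106023:` when `logging device-id hostname` has not been configured on the ASA, and, going beyond the base extractor as the comments suggest, pulls source/destination IP and port out of deny and connection messages.

```python
import json
import re

# Constructed sample lines (not from a real device). The first was written
# with "logging device-id hostname" enabled on the ASA, the second without it.
SAMPLE_WITH_DEVICE_ID = (
    "<166>Jun 10 2019 12:00:00 fw01 : %ASA-6-302013: Built inbound TCP "
    "connection 12345 for outside:203.0.113.5/51234 (203.0.113.5/51234) to "
    "inside:10.0.0.10/443 (10.0.0.10/443)"
)
SAMPLE_WITHOUT_DEVICE_ID = (
    "<164>Jun 10 2019 12:00:01 %ASA-4-106023: Deny tcp src "
    "outside:203.0.113.5/51234 dst inside:10.0.0.10/22 by access-group "
    '"outside_in" [0x0, 0x0]'
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Optional syslog PRI and ASA timestamp ("Mon DD [YYYY] HH:MM:SS ").
HEADER = r"^(?:<\d{1,3}>)?(?:\w{3}\s+\d{1,2}\s+(?:\d{4}\s+)?\d{2}:\d{2}:\d{2}\s+)?"


def regex_extractor(title, target_field, regex, order):
    """One extractor definition; keys mirror the page's extractor snippet.
    Like a Graylog regex extractor, each pattern captures exactly one group."""
    return {"title": title, "extractor_type": "regex", "order": order,
            "source_field": "message", "target_field": target_field,
            "regex": regex}


# Assumed extractor set for this example.
EXTRACTORS = [
    # First token after the header: the hostname when "logging device-id
    # hostname" is set, otherwise the "%ASA-L-NNNNNN:" marker (the symptom
    # reported in the comments).
    regex_extractor("Source", "source", HEADER + r"(\S+)", 0),
    regex_extractor("Severity", "asa_severity", r"%ASA-(\d)-\d+:", 1),
    regex_extractor("Message ID", "asa_message_id", r"%ASA-\d-(\d+):", 2),
    # Flow fields: deny messages use "src ifname:ip/port ... dst ifname:ip/port",
    # built/teardown messages use "for ifname:ip/port ... to ifname:ip/port".
    regex_extractor("Source IP", "src_ip",
                    r"\b(?:src|for)\s+[\w-]+:(" + IPV4 + r")/\d+", 3),
    regex_extractor("Source port", "src_port",
                    r"\b(?:src|for)\s+[\w-]+:" + IPV4 + r"/(\d+)", 4),
    regex_extractor("Destination IP", "dst_ip",
                    r"\b(?:dst|to)\s+[\w-]+:(" + IPV4 + r")/\d+", 5),
    regex_extractor("Destination port", "dst_port",
                    r"\b(?:dst|to)\s+[\w-]+:" + IPV4 + r"/(\d+)", 6),
]


def apply_extractors(message, extractors=EXTRACTORS):
    """Emulate Graylog's regex extractors: search the source field and, on a
    match, store capture group 1 in the target field. Fields whose pattern
    does not match are simply absent, as they would be in Graylog."""
    fields = {"message": message}
    for ex in sorted(extractors, key=lambda e: e["order"]):
        match = re.search(ex["regex"], fields.get(ex["source_field"], ""))
        if match:
            fields[ex["target_field"]] = match.group(1)
    return fields


def to_import_json(extractors=EXTRACTORS):
    """Render the definitions in the shape of a Graylog extractor import.
    The extractor_config/cursor_strategy/condition keys are assumed here."""
    out = []
    for ex in sorted(extractors, key=lambda e: e["order"]):
        out.append({
            "title": ex["title"], "extractor_type": "regex",
            "order": ex["order"], "source_field": ex["source_field"],
            "target_field": ex["target_field"], "cursor_strategy": "copy",
            "converters": [], "condition_type": "none", "condition_value": "",
            "extractor_config": {"regex_value": ex["regex"]},
        })
    return json.dumps({"extractors": out}, indent=2)


if __name__ == "__main__":
    for line in (SAMPLE_WITH_DEVICE_ID, SAMPLE_WITHOUT_DEVICE_ID):
        print(json.dumps(apply_extractors(line), indent=2))
    print(to_import_json())
```

Running it shows the same result the comments describe: the first line yields `source` = `fw01`, the second `source` = `%ASA-4-106023:`, because nothing sits between the timestamp and the message marker until `logging device-id hostname` is configured. The flow fields are populated for both message types, which is the customisation a reader would add on top of the base extractor.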

14 Comments.
  1. Great stuff! Would you mind adding this to http://marketplace.graylog.org/ for greater visibility? Thank you so much. 🙂

  2. Boyan

    Hi,
    I applied the extractor referenced above to an input of type “Syslog UDP” and I did not see any results at all. Is that a matter of the input type NOT being RAW?

    Thanks

  3. erjol

    hi,
    I applied the extractor but I don’t see the ip address as the source, instead I see something like %ASA-4-106023:.
    Do you have any idea why it might happen?

    thanks.

    • That happens when you haven’t run the command “logging device-id hostname”; once done, you should see that working.

  4. ertzu

    Hey!
    I want to import the extractors but I keep getting this error:
    Import operation completed
    Import results: 0 extractor(s) imported, 9 error(s).
    Do you know why?

    • hey,

      not sure why this is happening without more specific errors, sorry I couldn’t help more…

      Steve

  5. d3r3cat3d

    Does “facility” need to be listed twice in your code? Starts at both lines 15 and 34.
    },
    “extractor_type”: “regex”,
    “order”: 0,
    “source_field”: “message”,
    “target_field”: “facility”,
    “title”: “Facility”
    },

    -d3r3cat3d

  6. Chris

    Thanks for making this, it helped me get started on an ASA extractor nicely!
    FYI: the code on this page works when pasted into the Graylog extractor import form. But, it seems like the code on this page was never pushed to Github… the version on the Graylog Marketplace will not import.
    Also, out of curiosity, are you still using Graylog?
    I’m testing it out and having nothing but trouble… how much work does this end up being?

    • Hi Chris,

      The source on GitHub is the latest version, I have just tested it and it has imported fine into Graylog. This article is now showing the same version of code.

      If you use the appliance it’s quite easy to set up and use; for small installs I’ve had no problems since the new version was released. I do still use Graylog when needed, but I don’t have it running unless I’m troubleshooting issues, as I have no requirement to run it 24/7.

  7. Boyan Biandov

    Hi, I think this is great work. Thank you. However I’m probably missing something? Of what use are those fields if the key things aren’t extracted; key things meaning source IP and port and destination IP and port? Those would reconstruct the flows and IMHO are the most useful pieces of info that the ASA would log via syslog messages.

    • This extractor is provided as a basic extractor that works; if you would like to do other extractions with this, you would need to customise it. This is just to help with the base configuration.
