Thank you.

This worked great.

I can see the messages, etc. Were you able to figure out how to extract the
source & destination IP addresses from the build connection, teardown
connection & deny connection entries?




David Coleman
Rayonier Advanced Materials
904-357-9104 - Office



1301 Riverplace Blvd
Suite 2300
Jacksonville, FL 32207



On Fri, Nov 18, 2016 at 3:08 PM, Jamie P <jamiecpar...@gmail.com> wrote:

> Hey David,
>
> I used this ASA content pack on my graylog instance and does a good job,
> imo.  https://marketplace.graylog.org/addons/90396261-812c-4fa8-ad8f-a17771c9f8e0
>
> Just download the content pack, and save it on your machine.  Then go to
> "content packs" section in Graylog and upload.  Once uploaded select the
> content pack and choose "apply content pack".  Make sure to send ASA logs
> to the input that was created, and see if the logs are "formatted" to meet
> your needs.
>
> Jamie P.
>
> On Wednesday, November 16, 2016 at 8:15:04 AM UTC-5, David Coleman wrote:
>>
>> Robert - were you ever able to get this fixed?
>> Would you be willing to let me know how far you go and exactly what you
>> did in graylog - there are two asa extractors in the marketplace - which
>> one did you use?
>> Thanks in advance for any info.
>>
>>
>> On Wednesday, May 25, 2016 at 12:27:14 PM UTC-4, Robert Craig wrote:
>>>
>>> Will do, thanks.
>>>
>>> Robert
>>>
>>> On Wednesday, May 25, 2016 at 11:26:21 AM UTC-5, Jochen Schalanda wrote:
>>>>
>>>> Hi Robert,
>>>>
>>>> maybe the content packs from the Graylog Marketplace don't capture all
>>>> message variants emitted by these Cisco devices. In this case, please open
>>>> an issue with the authors of those content packs on GitHub.
>>>>
>>>> Cheers,
>>>> Jochen
>>>>
>>>> On Wednesday, 25 May 2016 17:26:10 UTC+2, Robert Craig wrote:
>>>>>
>>>>> I guess I'm confused. Both the custom input and the extractor from the
>>>>> marketplace are configured as Raw/Plaintext UDP under System/Inputs. What
>>>>> else am I missing?
>>>>>
>>>>>
>>>>> Robert
>>>>>
>>>>> On Wednesday, May 25, 2016 at 10:23:03 AM UTC-5, Jochen Schalanda
>>>>> wrote:
>>>>>>
>>>>>> Hi Robert,
>>>>>>
>>>>>> as I said, Cisco appliances aren't sending proper syslog messages.
>>>>>> Please use Raw/Plaintext input instead of a Syslog input and use
>>>>>> extractors to transform those messages accordingly.
>>>>>>
>>>>>> Cheers,
>>>>>> Jochen
>>>>>>
>>>>>> On Wednesday, 25 May 2016 17:12:41 UTC+2, Robert Craig wrote:
>>>>>>>
>>>>>>> The only extractor in there for Cisco is Catalyst and ASA, both of
>>>>>>> which I am running. Any other ideas?
>>>>>>>
>>>>>>> Robert
>>>>>>>
>>>>>>> On Wednesday, May 25, 2016 at 10:04:30 AM UTC-5, Jochen Schalanda
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi Robert,
>>>>>>>>
>>>>>>>> Cisco appliances don't send valid syslog messages. Please take a
>>>>>>>> look at the extractors functionality in Graylog:
>>>>>>>> http://docs.graylog.org/en/2.0/pages/extractors.html
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Jochen
>>>>>>>>
>>>>>>>> On Wednesday, 25 May 2016 16:39:40 UTC+2, Robert Craig wrote:
>>>>>>>>>
>>>>>>>>> I've installed two variations of Cisco extractors on Graylog2 (one
>>>>>>>>> from marketplace and other from random blog I found). The Source IP
>>>>>>>>> displays correctly, but it seems not all of the actual syslog message
>>>>>>>>> is displayed.
>>>>>>>>>
>>>>>>>>> Example:
>>>>>>>>> I see this in Graylog
>>>>>>>>> 22] at 09:36:18 CDT Wed May 25 2016
>>>>>>>>>
>>>>>>>>> But it should be this
>>>>>>>>> %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rlcadm] [Source:
>>>>>>>>> X.X.X.X] [localport: 22] at 09:37:43 CDT Wed May 25 2016
>>>>>>>>>
>>>>>>>>> Is there anything I can tweak to overcome this issue? Thanks for
>>>>>>>>> any help.
>>>>>>>>>
>>>>>>>>> Robert
>>>>>>>>>
>>>>>>>> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Graylog Users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/
> topic/graylog2/lbU44rhnsZM/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> graylog2+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/graylog2/4a9e7ed0-2a06-409b-bad8-65241b59bf04%40googlegroups.com
> <https://groups.google.com/d/msgid/graylog2/4a9e7ed0-2a06-409b-bad8-65241b59bf04%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

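The field extraction David asks about at the top of the thread (source and destination addresses from ASA built, teardown and deny connection messages), as an added example that is not code from the thread or from the Graylog content pack: a Python parser whose regexes are the kind of patterns one would put in a regex extractor on a Raw/Plaintext input. The log lines are constructed, and the parser anchors on the `%ASA-<sev>-<id>:` message id so the timestamp/hostname prefix that breaks strict syslog parsing (the problem Jochen describes) is ignored.

```python
import re
from typing import Optional

# Constructed sample lines (not from the thread) covering the three event
# families asked about: 302013 built, 302014 teardown, 106023 deny. The
# first two carry the non-RFC "date host : " prefix ASA devices emit.
SAMPLE_LINES = [
    'Nov 18 2016 15:08:01 fw01 : %ASA-6-302013: Built inbound TCP connection 88451 '
    'for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.0.0.7/443 (198.51.100.7/443)',
    'Nov 18 2016 15:08:09 fw01 : %ASA-6-302014: Teardown TCP connection 88451 '
    'for outside:203.0.113.5/51234 to inside:10.0.0.7/443 duration 0:00:08 bytes 5120 TCP FINs',
    '<164>%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.0.7/23 '
    'by access-group "outside_access_in" [0x0, 0x0]',
]

# Find the message id anywhere in the line, so any prefix is irrelevant.
MSG_ID = re.compile(r'%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$')
# Built/Teardown: "<proto> connection <n> for <if>:<ip>/<port> [(<mapped>)] to <if>:<ip>/<port>"
CONN = re.compile(r'(?P<proto>TCP|UDP) connection (?P<conn>\d+) for '
                  r'(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)'
                  r'(?: \([\d.]+/\d+\))? to '
                  r'(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)')
# Deny: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ..."
DENY = re.compile(r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
                  r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)')


def parse_asa(line: str) -> Optional[dict]:
    """Return a field dict for built/teardown/deny connection events, else None."""
    head = MSG_ID.search(line)
    if not head:
        return None
    body = head.group('body')
    action = body.split(' ', 1)[0].lower()  # "built", "teardown" or "deny"
    if action in ('built', 'teardown'):
        m = CONN.search(body)
    elif action == 'deny':
        m = DENY.search(body)
    else:
        return None
    if not m:  # e.g. 305011 "Built dynamic TCP translation" is not a connection
        return None
    fields = m.groupdict()
    fields.update(msg_id=head.group('id'), severity=int(head.group('sev')), action=action)
    fields['proto'] = fields['proto'].lower()
    return fields


if __name__ == '__main__':
    for ln in SAMPLE_LINES:
        f = parse_asa(ln)
        print(f"{f['msg_id']} {f['action']:<8} {f['src_ip']}:{f['src_port']} -> {f['dst_ip']}:{f['dst_port']}")
```

In Graylog the same three patterns become regex extractors on the Raw/Plaintext input, each with a condition on the message id so the built, teardown and deny patterns only run against the messages they fit.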