Visualize Cisco ASA firewall logs with Fluentd (td-agent), a popular log collection tool. Logs received by Fluentd are indexed by Elasticsearch and visualized in Kibana.
Fluentd plugin and settings
Since a developer had already created a Fluentd plugin for this, I tried using it.
https://github.com/rogeriobastos/fluent-plugin-cisco-asa-parser
Unfortunately, this plugin cannot be installed with
td-agent-gem install fluent-plugin-cisco-asa-parser
Therefore, put parser_cisco_asa.rb under /etc/td-agent/plugin/ instead.
In my environment I use the forest plugin to increase versatility.
td-agent-gem install fluent-plugin-forest
The log reading settings are as follows. The forwarding settings are whatever suits your environment.
<source>
  @type tail
  path /var/log/ASA5505.log
  pos_file /var/log/ASA5505.log.pos
  tag net.asa5505.CentOS-01
  format cisco_asa
</source>
Cisco ASA Logging Configuration
The Cisco ASA log output settings are as follows (excerpt).
I'm using a Cisco ASA5505 running OS 9.2(3). These settings apply to the ASA series in general; nothing here is specific to the ASA5505.
logging enable
logging timestamp
logging trap informational
logging host management 192.168.1.60
Failed to collect logs...
With the plugin above, the log format of my ASA did not match its patterns (pattern not match), so no logs were collected.
Therefore, I will maintain my own plugin.
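To show what such a parser has to handle, and why a single regex can end in "pattern not match", here is an added stand-alone Ruby example. It is not the author's plugin and not the fluent-plugin-cisco-asa-parser code; it uses only the Ruby standard library so it runs without td-agent. The sample log lines are constructed, and the header patterns assume an rsyslog-style prefix plus the timestamp that "logging timestamp" prepends; the detail patterns for message ids 302013 (Built connection) and 106023 (Deny by access-group) follow Cisco's documented message formats but are assumptions about your exact output. Lines that do not match return nil, which is exactly the case a Fluentd parser reports as pattern not match.

```ruby
require 'time'

# Added example: minimal Cisco ASA syslog line parser in the style of a
# Fluentd parser plugin (not the page author's code, not the upstream plugin).
module CiscoAsaParser
  # Optional header written by rsyslog in front of the message (assumed format):
  #   "Jan 15 10:23:45 192.168.1.1 "
  SYSLOG_HEADER = /\A(?<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?<host>\S+) /

  # Optional timestamp added by "logging timestamp" on the ASA (assumed format):
  #   "Jan 15 2024 10:23:45: "
  ASA_TIMESTAMP = /\A(?<asa_ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}):? /

  # Every ASA message carries "%ASA-<severity>-<message id>: <text>".
  MESSAGE_ID = /\A%ASA-(?<severity>[0-7])-(?<msg_id>\d{6}): (?<message>.*)\z/

  # ASA severity levels, index = numeric level.
  SEVERITY_NAMES = %w[emergencies alerts critical errors warnings
                      notifications informational debugging].freeze

  # Message-specific patterns; only two ids are decoded here, everything else
  # keeps its free-form "message" field.
  BUILT_CONN = /\ABuilt (?<direction>inbound|outbound) (?<proto>TCP|UDP) connection (?<conn_id>\d+) for (?<src_zone>[\w-]+):(?<src_ip>[\d.]+)\/(?<src_port>\d+) \([\d.]+\/\d+\) to (?<dst_zone>[\w-]+):(?<dst_ip>[\d.]+)\/(?<dst_port>\d+) \([\d.]+\/\d+\)/
  DENY = /\A(?<action>Deny) (?<proto>\w+) src (?<src_zone>[\w-]+):(?<src_ip>[\d.]+)\/(?<src_port>\d+) dst (?<dst_zone>[\w-]+):(?<dst_ip>[\d.]+)\/(?<dst_port>\d+) by access-group "(?<acl>[^"]+)"/

  # Constructed sample lines: two decoded ids, one generic ASA message without
  # any header, and one rsyslog line that is not an ASA message at all.
  SAMPLE_LINES = [
    'Jan 15 10:23:45 192.168.1.1 Jan 15 2024 10:23:45: %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/44321 (203.0.113.5/44321) to inside:192.0.2.10/443 (192.0.2.10/443)',
    'Jan 15 10:23:46 192.168.1.1 Jan 15 2024 10:23:46: %ASA-4-106023: Deny tcp src outside:198.51.100.7/50000 dst inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]',
    "%ASA-5-111008: User 'enable_15' executed the 'logging host management 192.168.1.60' command.",
    'Jan 15 10:23:47 192.168.1.1 last message repeated 2 times'
  ].freeze

  # Parse one line into a record hash, or return nil when it is not an ASA
  # message (the "pattern not match" case).
  def self.parse(line)
    rest = line.dup
    record = {}

    if (m = SYSLOG_HEADER.match(rest))
      record['host'] = m[:host]
      rest = m.post_match
    end

    if (m = ASA_TIMESTAMP.match(rest))
      record['asa_time'] = Time.strptime(m[:asa_ts], '%b %d %Y %H:%M:%S')
      rest = m.post_match
    end

    m = MESSAGE_ID.match(rest)
    return nil unless m

    record['severity'] = m[:severity].to_i
    record['severity_name'] = SEVERITY_NAMES[record['severity']]
    record['msg_id'] = m[:msg_id]
    record['message'] = m[:message]

    detail = BUILT_CONN.match(m[:message]) || DENY.match(m[:message])
    if detail
      detail.names.each { |name| record[name] = detail[name] }
      %w[src_port dst_port conn_id].each do |key|
        record[key] = record[key].to_i if record.key?(key)
      end
    end
    record
  end

  # Parse many lines; unmatched lines are returned separately so a drift in
  # the ASA log format is visible instead of silently dropping events.
  def self.parse_all(lines)
    records = []
    unmatched = []
    lines.each do |line|
      rec = parse(line)
      rec ? records << rec : unmatched << line
    end
    [records, unmatched]
  end
end

if __FILE__ == $PROGRAM_NAME
  records, unmatched = CiscoAsaParser.parse_all(CiscoAsaParser::SAMPLE_LINES)
  records.each { |r| puts r.inspect }
  puts "unmatched: #{unmatched.size}"
end
```

In a real Fluentd parser plugin the same logic sits inside the plugin's parse method and hands back the event time and the record; keeping a count of unmatched lines, as parse_all does, is the quickest way to notice when the ASA's output format differs from what the patterns expect.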
Homebrew Cisco ASA Parser
I will continue to maintain it here. Please do not use it in a production environment, as it is still being developed. Please also let me know if an existing plugin already does this.
Even now it can pick up various information like this. An excerpt from the Discover screen of Elasticsearch + Kibana.