
Graylog2 Cisco ASA / Cisco Catalyst


To log Cisco devices correctly in Graylog2, set up the configuration below.

This has now been added to the Graylog Marketplace https://marketplace.graylog.org/

Cisco ASA Configuration:

logging enable
logging trap informational
logging asdm informational
logging device-id hostname
logging host <network> <ip-address> <udp-tcp>/<port>

Create a Raw/PlainText input with the settings you require.

Then select action -> Manage Extractors.

Now select actions -> Import Extractors and paste the configuration below into the box. This will format the messages correctly, with the IP Address of the firewall as the source.

If you would like the Source to be the IP Address, change this line:

"regex_value": ">(.+?)%"

To this:

"regex_value": ">: (.+?):"
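As an added illustration (not code from the original post or from Graylog), the Python below mimics what a Graylog regex extractor does with the two `regex_value` settings above: it runs the pattern over the message and keeps capture group 1 as the new `source`. The sample syslog lines are constructed, not captured from a device, and the extractor JSON keys in `extractor_definition` are written from memory of Graylog's extractor export format, so compare them against an export from your own instance.

```python
import re
from typing import Optional

# The two regex_value settings quoted in the post.
REGEX_HOSTNAME_PREFIX = r">(.+?)%"   # everything between the PRI '>' and '%ASA-...'
REGEX_AFTER_COLON = r">: (.+?):"     # text after '>: ' up to the next ':'
# A tighter variant (my suggestion, not from the post): stops at the ' : ' separator
# so the captured source does not carry the trailing " : ".
REGEX_TIGHT = r">(\S+) : %"

# Constructed sample lines (assumptions about the on-the-wire format, not real captures).
SAMPLE_ASA = ("<166>fw01 : %ASA-6-302013: Built outbound TCP connection 12345 "
              "for outside:203.0.113.9/443 to inside:10.0.0.5/51000")
SAMPLE_COLON = "<189>: 10.0.0.1: %SYS-5-CONFIG_I: Configured from console by admin"


def extract_source(regex_value: str, message: str) -> Optional[str]:
    """Mimic a Graylog regex extractor: search the message with the pattern and
    return capture group 1. Returns None when nothing matches, which is the case
    where Graylog leaves the target field (here `source`) unchanged."""
    match = re.search(regex_value, message)
    return match.group(1) if match else None


def extractor_definition(regex_value: str) -> dict:
    """Build one regex-extractor entry that copies capture group 1 of `message`
    into `source`. Key names are assumed from Graylog's export format."""
    return {
        "title": "Cisco source",
        "extractor_type": "regex",
        "source_field": "message",
        "target_field": "source",
        "extractor_config": {"regex_value": regex_value},
        "cursor_strategy": "copy",
        "condition_type": "none",
        "condition_value": "",
        "converters": [],
        "order": 0,
    }


if __name__ == "__main__":
    for pattern in (REGEX_HOSTNAME_PREFIX, REGEX_AFTER_COLON, REGEX_TIGHT):
        for line in (SAMPLE_ASA, SAMPLE_COLON):
            print(f"{pattern!r:16} -> {extract_source(pattern, line)!r}")
```

Running it shows why the two settings are not interchangeable: a pattern that expects `>: ` after the PRI never matches an ASA line of the first form, so `source` silently keeps the input's default value for those messages.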

Cisco-ASA-Extractor.json

This post is licensed under CC BY 4.0 by the author.