They should be extracted already into the message field. I did nothing outside of the steps I listed for all of them to show. Here are a Teardown ICMP and a TCP message I get (I changed the actual IPs to random IPs for security reasons).
message
Teardown ICMP connection for faddr 127.0.0.1/0 gaddr Protege/514 laddr Protege/514

message
Teardown dynamic TCP translation from Franklin-LAN-Data:127.0.0.1/58496 to Outside:1.1.1.1/37361 duration 0:00:30

On Monday, November 21, 2016 at 7:20:58 AM UTC-5, David Coleman wrote:
>
> Thank you.
>
> This worked great.
>
> I can see the messages, etc. Were you able to figure out how to extract the source & destination IP addresses from the build connection, teardown connection & deny connection entries?
>
> David Coleman
> Rayonier Advanced Materials
>
> On Fri, Nov 18, 2016 at 3:08 PM, Jamie P <[email protected]> wrote:
>
>> Hey David,
>>
>> I used this ASA content pack on my graylog instance and it does a good job, imo.
>> https://marketplace.graylog.org/addons/90396261-812c-4fa8-ad8f-a17771c9f8e0
>>
>> Just download the content pack, and save it on your machine. Then go to the "content packs" section in Graylog and upload. Once uploaded, select the content pack and choose "apply content pack". Make sure to send ASA logs to the input that was created, and see if the logs are "formatted" to meet your needs.
>>
>> Jamie P.
>>
>> On Wednesday, November 16, 2016 at 8:15:04 AM UTC-5, David Coleman wrote:
>>>
>>> Robert - were you ever able to get this fixed?
>>> Would you be willing to let me know how far you got and exactly what you did in graylog - there are two asa extractors in the marketplace - which one did you use?
>>> Thanks in advance for any info.
>>>
>>> On Wednesday, May 25, 2016 at 12:27:14 PM UTC-4, Robert Craig wrote:
>>>>
>>>> Will do, thanks.
>>>>
>>>> Robert
>>>>
>>>> On Wednesday, May 25, 2016 at 11:26:21 AM UTC-5, Jochen Schalanda wrote:
>>>>>
>>>>> Hi Robert,
>>>>>
>>>>> maybe the content packs from the Graylog Marketplace don't capture all message variants emitted by these Cisco devices. In this case, please open an issue with the authors of those content packs on GitHub.
>>>>>
>>>>> Cheers,
>>>>> Jochen
>>>>>
>>>>> On Wednesday, 25 May 2016 17:26:10 UTC+2, Robert Craig wrote:
>>>>>>
>>>>>> I guess I'm confused. Both the custom input and the extractor from the marketplace are configured as Raw/Plaintext UDP under System/Inputs. What else am I missing?
>>>>>>
>>>>>> Robert
>>>>>>
>>>>>> On Wednesday, May 25, 2016 at 10:23:03 AM UTC-5, Jochen Schalanda wrote:
>>>>>>>
>>>>>>> Hi Robert,
>>>>>>>
>>>>>>> as I said, Cisco appliances aren't sending proper syslog messages. Please use a Raw/Plaintext input instead of a Syslog input and use extractors to transform those messages accordingly.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Jochen
>>>>>>>
>>>>>>> On Wednesday, 25 May 2016 17:12:41 UTC+2, Robert Craig wrote:
>>>>>>>>
>>>>>>>> The only extractors in there for Cisco are Catalyst and ASA, both of which I am running. Any other ideas?
>>>>>>>>
>>>>>>>> Robert
>>>>>>>>
>>>>>>>> On Wednesday, May 25, 2016 at 10:04:30 AM UTC-5, Jochen Schalanda wrote:
>>>>>>>>>
>>>>>>>>> Hi Robert,
>>>>>>>>>
>>>>>>>>> Cisco appliances don't send valid syslog messages. Please take a look at the extractors functionality in Graylog:
>>>>>>>>> http://docs.graylog.org/en/2.0/pages/extractors.html
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Jochen
>>>>>>>>>
>>>>>>>>> On Wednesday, 25 May 2016 16:39:40 UTC+2, Robert Craig wrote:
>>>>>>>>>>
>>>>>>>>>> I've installed two variations of Cisco extractors on Graylog2 (one from the marketplace and the other from a random blog I found). The Source IP displays correctly, but it seems not all of the actual syslog message is displayed.
>>>>>>>>>>
>>>>>>>>>> Example:
>>>>>>>>>> I see this in Graylog
>>>>>>>>>> 22] at 09:36:18 CDT Wed May 25 2016
>>>>>>>>>>
>>>>>>>>>> But it should be this
>>>>>>>>>> %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rlcadm] [Source: X.X.X.X] [localport: 22] at 09:37:43 CDT Wed May 25 2016
>>>>>>>>>>
>>>>>>>>>> Is there anything I can tweak to overcome this issue? Thanks for any help.
>>>>>>>>>>
>>>>>>>>>> Robert
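The extraction David asks about (source and destination addresses from the Built/Teardown/Deny connection entries) can be worked out and checked outside Graylog with the same kind of regular expressions a Graylog regex extractor would use. This is an added example, not code from the thread or from the marketplace content pack; the field names, the `_addr`/`extract` helpers and the `%ASA-…` sample lines are this example's own assumptions, the two unprefixed samples are the ones quoted above.

```python
import re
from typing import Optional

# Regex extractors for the Cisco ASA connection messages discussed in the thread:
# Built/Teardown connection and translation entries, the faddr/gaddr/laddr ICMP form,
# and Deny entries. Field names (src_host, dst_port, ...) are this example's own choice;
# src/dst mean "first/second address in the message" (faddr -> src, laddr -> dst).

def _addr(name: str) -> str:
    # Matches "[interface:]host/port"; the interface prefix is absent in the faddr/gaddr/laddr form.
    return rf"(?:[\w-]+:)?(?P<{name}_host>[\w.-]+)/(?P<{name}_port>\d+)"

ASA_ID = re.compile(r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6})")

PATTERNS = [
    # Teardown ICMP connection for faddr A/0 gaddr B/514 laddr C/514   (sample quoted above)
    re.compile(rf"(?P<action>Built|Teardown) (?P<proto>\w+) connection for "
               rf"faddr {_addr('src')} gaddr {_addr('gaddr')} laddr {_addr('dst')}"),
    # Built|Teardown [outbound] TCP connection <id> for IF:A/p (mapped) to IF:B/q ...
    # Teardown dynamic TCP translation from IF:A/p to IF:B/q ...       (sample quoted above)
    re.compile(rf"(?P<action>Built|Teardown) (?:inbound |outbound |dynamic )?(?P<proto>\w+) "
               rf"(?:connection|translation)(?: \d+)? (?:for|from) {_addr('src')} "
               rf"(?:\([^)]*\) )?to {_addr('dst')}"),
    # Deny tcp src IF:A/p dst IF:B/q by access-group ...
    re.compile(rf"(?P<action>Deny) (?P<proto>\w+) src {_addr('src')} dst {_addr('dst')}"),
]

def extract(message: str) -> Optional[dict]:
    """Return the connection fields of one ASA message, or None if no pattern applies."""
    for pattern in PATTERNS:
        match = pattern.search(message)
        if match:
            fields = {k: v for k, v in match.groupdict().items() if v is not None}
            fields["proto"] = fields["proto"].upper()          # "tcp" in Deny lines, "TCP" elsewhere
            for k in ("src_port", "dst_port", "gaddr_port"):
                if k in fields:
                    fields[k] = int(fields[k])
            ident = ASA_ID.search(message)                     # present only when the %ASA header survived
            if ident:
                fields.update(severity=int(ident["severity"]), msg_id=ident["msg_id"])
            return fields
    return None

# Constructed sample input: the two messages quoted in the thread plus lines written in the
# shape of ASA's Built/Teardown/Deny/Login messages, using documentation-range addresses.
SAMPLES = [
    "Teardown ICMP connection for faddr 127.0.0.1/0 gaddr Protege/514 laddr Protege/514",
    "Teardown dynamic TCP translation from Franklin-LAN-Data:127.0.0.1/58496 to Outside:1.1.1.1/37361 duration 0:00:30",
    "%ASA-6-302013: Built outbound TCP connection 4711 for Outside:203.0.113.5/443 (203.0.113.5/443) to Inside:192.0.2.10/51234 (198.51.100.1/51234)",
    "%ASA-6-302014: Teardown TCP connection 4711 for Outside:203.0.113.5/443 to Inside:192.0.2.10/51234 duration 0:00:30 bytes 1234 TCP FINs",
    '%ASA-4-106023: Deny tcp src Outside:203.0.113.9/4444 dst Inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]',
    "%ASA-6-605005: Login permitted from 192.0.2.7/51000 to Inside:192.0.2.1/ssh for user admin",  # no connection fields -> None
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(extract(line))
```

Lines that none of the patterns match come back as `None`, which is the case to watch for when a content pack "does a good job" on most traffic but silently drops a message variant.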
