{"id":244,"date":"2014-04-21T15:19:27","date_gmt":"2014-04-21T19:19:27","guid":{"rendered":"http:\/\/jackhanington.com\/blog\/?p=244"},"modified":"2015-06-15T14:14:28","modified_gmt":"2015-06-15T18:14:28","slug":"using-logstash-elasticsearch-and-kibana-for-cisco-asa-syslog-message-analysis","status":"publish","type":"post","link":"https:\/\/jackhanington.com\/blog\/2014\/04\/21\/using-logstash-elasticsearch-and-kibana-for-cisco-asa-syslog-message-analysis\/","title":{"rendered":"Using Logstash, Elasticsearch and Kibana for Cisco ASA Syslog Message Analysis."},"content":{"rendered":"<p>I originally wrote this as a comment on the Networking subreddit but I thought I would post this here in case anyone was curious about using open source tools for centralized logging.<\/p>\n<p>Originally we were using <a href=\"\/\/jackhanington.com\/blog\/2014\/03\/24\/simple-graylog2-install-on-ubuntu-12-04\/\">Graylog2<\/a> for message analysis but I recently found out about Kibana and it is substantially better. 
This guide will help you transform raw syslog messages from your Cisco ASA like this&#8230;<\/p>\n<pre>&lt;182&gt;Apr 21 2014 11:51:03: %ASA-6-302014: Teardown TCP connection 9443865 for outside:123.456.789.10\/9058 to inside:10.20.30.40\/443 duration 0:00:20 bytes 3925 TCP FINs\\n<\/pre>\n<p>and filter them into this&#8230;<\/p>\n<pre>{\r\n \"_index\": \"logstash-2014.04.21\",\r\n \"_type\": \"cisco-fw\",\r\n \"_id\": \"I7yBKbUITHWxuMrAhaoNWQ\",\r\n \"_source\": {\r\n \"message\": \"&lt;182&gt;Apr 21 2014 11:51:03: %ASA-6-302014: Teardown TCP connection 9443865 for outside:123.456.789.10\/9058 to inside:10.20.30.40\/443 duration 0:00:20 bytes 3925 TCP FINs\\n\",\r\n \"@version\": \"1\",\r\n \"@timestamp\": \"2014-04-21T15:51:03.000Z\",\r\n \"type\": \"cisco-fw\",\r\n \"host\": \"10.20.30.1\",\r\n \"syslog_pri\": \"182\",\r\n \"timestamp\": \"Apr 21 2014 11:51:03\",\r\n \"ciscotag\": \"ASA-6-302014\",\r\n \"cisco_message\": \"Teardown TCP connection 9443865 for outside:123.456.789.10\/9058 to inside:10.20.30.40\/443 duration 0:00:20 bytes 3925 TCP FINs\",\r\n \"syslog_severity_code\": 6,\r\n \"syslog_facility_code\": 22,\r\n \"syslog_facility\": \"local6\",\r\n \"syslog_severity\": \"informational\",\r\n \"action\": \"Teardown\",\r\n \"protocol\": \"TCP\",\r\n \"connection_id\": \"9443865\",\r\n \"src_interface\": \"outside\",\r\n \"src_ip\": \"123.456.789.10\",\r\n \"src_port\": \"9058\",\r\n \"dst_interface\": \"inside\",\r\n \"dst_ip\": \"10.20.30.40\",\r\n \"dst_port\": \"443\",\r\n \"duration\": \"0:00:20\",\r\n \"bytes\": \"3925\",\r\n \"reason\": \"TCP FINs\",\r\n \"tags\": [\r\n \"GeoIP\"\r\n ]\r\n },\r\n \"sort\": [\r\n \"apr\",\r\n 1398095463000\r\n ]\r\n}<\/pre>\n<p>Using this newly created data, you can do things like see which IP is hitting your web servers the most, see which country is giving you the most traffic, see a graph of when your site is being accessed the most throughout the day, etc.<\/p>\n<p><strong>Here&#8217;s my 
setup<\/strong><\/p>\n<ul>\n<li>Cisco ASA with <a href=\"\/\/jackhanington.com\/blog\/2014\/07\/30\/sysloging-cisco-asa-firewall\/\" target=\"_blank\">syslog turned on<\/a><\/li>\n<li>Windows server running <a style=\"font-style: normal;\" href=\"http:\/\/logstash.net\/\" target=\"_blank\">Logstash 1.40<\/a><\/li>\n<li>Ubuntu 12.04 running <a style=\"font-style: normal;\" href=\"http:\/\/www.elasticsearch.org\/\" target=\"_blank\">Elasticsearch <\/a>and <a style=\"font-style: normal;\" href=\"http:\/\/www.elasticsearch.org\/overview\/kibana\/\" target=\"_blank\">Kibana<\/a><\/li>\n<\/ul>\n<p>All three of these programs can be run on the same machine and can also be run on either OS (logstash &amp; elasticsearch are java based and kibana is just html\/js\/css so all you need is apache), but my setup (and this guide) is what is listed above.<\/p>\n<hr \/>\n<p><strong>Download GeoIP database<\/strong><\/p>\n<p>The first thing I did was download an IP &#8211; Lat\/long database <a href=\"http:\/\/geolite.maxmind.com\/download\/geoip\/database\/GeoLiteCity.dat.gz\" target=\"_blank\">here. 
<\/a>This flat file database will be used by logstash to get the location of the IP addresses hitting the firewall so you can map hits like this&#8230;\u00a0<a href=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/bettermap1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-247\" src=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/bettermap1.png\" alt=\"bettermap\" width=\"938\" height=\"314\" srcset=\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/bettermap1.png 938w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/bettermap1-300x100.png 300w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/bettermap1-500x167.png 500w\" sizes=\"auto, (max-width: 938px) 100vw, 938px\" \/><\/a><\/p>\n<p>Unzip the file and remember where you put the GeoLiteCity.dat<\/p>\n<hr \/>\n<p><strong>Download Logstash\u00a0<\/strong><\/p>\n<p>Next I downloaded the latest version of <a href=\"http:\/\/logstash.net\">Logstash<\/a>. 
Unzip it and put it somewhere on your computer.<\/p>\n<hr \/>\n<p><strong>Download and Install Elasticsearch\u00a0<\/strong><\/p>\n<p>Switch to your Ubuntu 12.04 LTS machine, open a terminal session (ctrl + alt + t) and enter these commands.<\/p>\n<pre> cd ~\r\n sudo apt-get update\r\n sudo apt-get install openjdk-7-jre-headless -y\r\n wget https:\/\/download.elasticsearch.org\/elasticsearch\/elasticsearch\/elasticsearch-1.3.1.deb\r\n sudo dpkg -i elasticsearch-1.3.1.deb<\/pre>\n<p>This will install java and Elasticsearch 1.3.1 on your machine.<\/p>\n<p>Next you need to configure elasticsearch on your machine.<\/p>\n<pre>sudo sed -i -e 's|# cluster.name: elasticsearch|cluster.name: kibana|' \/etc\/elasticsearch\/elasticsearch.yml<\/pre>\n<p>Now you need to tell your machine to run elasticsearch on boot.<\/p>\n<pre>sudo update-rc.d elasticsearch defaults 95 10\r\nsudo service elasticsearch restart<\/pre>\n<hr \/>\n<p><strong>Installing Kibana<\/strong><\/p>\n<p>First you have to have Apache on your machine. There are plenty of guides on getting that set up if you are not familiar. Here is a good post about setting up Apache on Ubuntu.\u00a0<a href=\"http:\/\/aarvik.dk\/initial-web-server-setup-with-apache-mod_rewrite-and-virtual-host\/\">http:\/\/aarvik.dk\/initial-web-server-setup-with-apache-mod_rewrite-and-virtual-host\/<\/a><\/p>\n<p>Next, download Kibana <a href=\"https:\/\/download.elasticsearch.org\/kibana\/kibana\/kibana-3.0.1.zip\">here<\/a>.<\/p>\n<ol>\n<li>Extract your archive<\/li>\n<li>Open config.js in an editor<\/li>\n<li>Set the elasticsearch parameter to the fully qualified hostname of your Elasticsearch server<\/li>\n<li>Copy the contents of the extracted directory to your webserver<\/li>\n<li>Open your browser to kibana. 
(ex: http:\/\/127.0.0.1\/kibana3)<\/li>\n<\/ol>\n<hr \/>\n<p><strong>Logstash Configuration<\/strong><br \/>\n(Switch back to your Windows machine)<\/p>\n<p>Next I created the logstash config file (logstash needs to know how to filter the syslog messages for parsing). Here is my config file&#8230;<\/p>\n<pre>input {\r\n udp { \r\n port =&gt; 5544 ## change me to whatever you set your ASA syslog port to\r\n type =&gt; \"cisco-fw\"\r\n }\r\n}\r\n\r\nfilter {\r\n ####### Cisco FW ####\r\n if [type] == \"cisco-fw\" {\r\n grok {\r\n match =&gt; [\"message\", \"%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}\"]\r\n }\r\n # Parse the syslog severity and facility\r\n syslog_pri { }\r\n\r\n # Extract fields from each of the detailed message types\r\n # The patterns provided below are included in the core of LogStash 1.2.0.\r\n grok {\r\n match =&gt; [\r\n \"cisco_message\", \"%{CISCOFW106001}\",\r\n \"cisco_message\", \"%{CISCOFW106006_106007_106010}\",\r\n \"cisco_message\", \"%{CISCOFW106014}\",\r\n \"cisco_message\", \"%{CISCOFW106015}\",\r\n \"cisco_message\", \"%{CISCOFW106021}\",\r\n \"cisco_message\", \"%{CISCOFW106023}\",\r\n \"cisco_message\", \"%{CISCOFW106100}\",\r\n \"cisco_message\", \"%{CISCOFW110002}\",\r\n \"cisco_message\", \"%{CISCOFW302010}\",\r\n \"cisco_message\", \"%{CISCOFW302013_302014_302015_302016}\",\r\n \"cisco_message\", \"%{CISCOFW302020_302021}\",\r\n \"cisco_message\", \"%{CISCOFW305011}\",\r\n \"cisco_message\", \"%{CISCOFW313001_313004_313008}\",\r\n \"cisco_message\", \"%{CISCOFW313005}\",\r\n \"cisco_message\", \"%{CISCOFW402117}\",\r\n \"cisco_message\", \"%{CISCOFW402119}\",\r\n \"cisco_message\", \"%{CISCOFW419001}\",\r\n \"cisco_message\", \"%{CISCOFW419002}\",\r\n \"cisco_message\", \"%{CISCOFW500004}\",\r\n \"cisco_message\", \"%{CISCOFW602303_602304}\",\r\n \"cisco_message\", \"%{CISCOFW710001_710002_710003_710005_710006}\",\r\n \"cisco_message\", \"%{CISCOFW713172}\",\r\n \"cisco_message\", \"%{CISCOFW733100}\"\r\n ]\r\n 
}\r\n\r\n geoip {\r\n add_tag =&gt; [ \"GeoIP\" ]\r\n database =&gt; \"C:\\GeoLiteCity.dat\" ### Change me to location of GeoLiteCity.dat file\r\n source =&gt; \"src_ip\"\r\n }\r\n\r\n if [geoip][city_name] == \"\" { mutate { remove_field =&gt; \"[geoip][city_name]\" } }\r\n if [geoip][continent_code] == \"\" { mutate { remove_field =&gt; \"[geoip][continent_code]\" } }\r\n if [geoip][country_code2] == \"\" { mutate { remove_field =&gt; \"[geoip][country_code2]\" } }\r\n if [geoip][country_code3] == \"\" { mutate { remove_field =&gt; \"[geoip][country_code3]\" } }\r\n if [geoip][country_name] == \"\" { mutate { remove_field =&gt; \"[geoip][country_name]\" } }\r\n if [geoip][latitude] == \"\" { mutate { remove_field =&gt; \"[geoip][latitude]\" } }\r\n if [geoip][longitude] == \"\" { mutate { remove_field =&gt; \"[geoip][longitude]\" } }\r\n if [geoip][postal_code] == \"\" { mutate { remove_field =&gt; \"[geoip][postal_code]\" } }\r\n if [geoip][region_name] == \"\" { mutate { remove_field =&gt; \"[geoip][region_name]\" } }\r\n if [geoip][time_zone] == \"\" { mutate { remove_field =&gt; \"[geoip][time_zone]\" } }\r\n\r\n\r\n # Parse the date\r\n date {\r\n match =&gt; [\"timestamp\",\r\n \"MMM dd HH:mm:ss\",\r\n \"MMM d HH:mm:ss\",\r\n \"MMM dd yyyy HH:mm:ss\",\r\n \"MMM d yyyy HH:mm:ss\"\r\n ]\r\n }\r\n }\r\n ###### End of Cisco FW #######\r\n}\r\n\r\noutput {\r\n stdout { \r\n codec =&gt; json\r\n }\r\n\r\n elasticsearch_http {\r\n host =&gt; \"10.0.0.123\" # change me to the IP of your elasticsearch server\r\n }\r\n}<\/pre>\n<p>Change the geoip location and elasticsearch IP address in your config file<\/p>\n<pre>geoip {\r\n        add_tag =&gt; [ \"GeoIP\" ]\r\n         database =&gt; \"location of geolitecity.dat file. 
ex c:\\geolitecity.dat\"<\/pre>\n<p>and<\/p>\n<pre>elasticsearch_http { \r\n        host =&gt; \"IP of elasticsearch server\"<\/pre>\n<p>Save the config\u00a0file in your Logstash folder as config.conf.<\/p>\n<p>Next run Logstash with your newly created config file.<\/p>\n<pre>bin\\logstash.bat agent -f config.conf<\/pre>\n<p><a href=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Logstash.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-257\" src=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Logstash.png\" alt=\"Logstash\" width=\"665\" height=\"328\" srcset=\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Logstash.png 665w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Logstash-300x147.png 300w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Logstash-500x246.png 500w\" sizes=\"auto, (max-width: 665px) 100vw, 665px\" \/><\/a><\/p>\n<p>You might see warnings, but you should not be seeing any errors.<\/p>\n<hr \/>\n<p><strong>Cisco ASA configuration via ASDM<\/strong><\/p>\n<p>Follow my guide <a href=\"\/\/jackhanington.com\/blog\/2014\/07\/30\/sysloging-cisco-asa-firewall\/\">here <\/a>to turn on syslogging on your ASA firewall. Set the IP to the IP address of the server running logstash and set the port to 5544 like in the logstash config file. I set my logging level to informational but you can set it to whatever level you want to log. 
Here is an explanation of the different logging levels with Cisco products.<\/p>\n<p><a href=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Severity.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-251\" src=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Severity.jpg\" alt=\"Cisco Severity\" width=\"1000\" height=\"765\" srcset=\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Severity.jpg 1000w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Severity-300x229.jpg 300w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Severity-392x300.jpg 392w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/a><\/p>\n<p>As soon as you apply the config in the ASA, you should immediately start seeing results in your logstash window because one of the outputs was set to <strong>stdout<\/strong>.<\/p>\n<p><a href=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Logstash2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-258\" src=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Logstash2.png\" alt=\"Logstash2\" width=\"662\" height=\"145\" srcset=\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Logstash2.png 662w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Logstash2-300x65.png 300w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Logstash2-500x109.png 500w\" sizes=\"auto, (max-width: 662px) 100vw, 662px\" \/><\/a><\/p>\n<p>The messages are also going to your elasticsearch server. Open your browser to kibana and read the getting started guides. 
Once you configure your dashboard, you should start seeing results like this.<\/p>\n<p><a href=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Kibana-wp1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-259 size-large\" src=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Kibana-wp1-1024x467.png\" alt=\"Kibana-wp1\" width=\"840\" height=\"383\" srcset=\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Kibana-wp1-1024x467.png 1024w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Kibana-wp1-300x137.png 300w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Kibana-wp1-500x228.png 500w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Kibana-wp1.png 1891w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\" \/><\/a><\/p>\n<p><a href=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Kibana-wp2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-260\" src=\"\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Kibana-wp2.png\" alt=\"Kibana-wp2\" width=\"640\" height=\"332\" srcset=\"https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Kibana-wp2.png 640w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Kibana-wp2-300x155.png 300w, https:\/\/jackhanington.com\/blog\/wp-content\/uploads\/2014\/04\/Kibana-wp2-500x259.png 500w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>Here is my dashboard code in case you are curious. It shows a graph of message types, a map of hits, a graph of source and destination IPs, a histogram of messages per second and a list of the messages at the bottom.<\/p>\n<p>To get this to work in Kibana&#8230;<br \/>\n1. Copy all of the code below<br \/>\n2. Save it as a text file<br \/>\n3. Go to Kibana<br \/>\n4. Click the Load icon at the top right of the page<br \/>\n5. Click Advanced<br \/>\n6. 
Click choose file and pick the file you just saved.<\/p>\n<pre>{\r\n  \"title\": \"Logstash ASA\",\r\n  \"services\": {\r\n    \"query\": {\r\n      \"list\": {\r\n        \"0\": {\r\n          \"query\": \"cisco-fw\",\r\n          \"alias\": \"\",\r\n          \"color\": \"#7EB26D\",\r\n          \"id\": 0,\r\n          \"pin\": false,\r\n          \"type\": \"lucene\",\r\n          \"enable\": true\r\n        },\r\n        \"1\": {\r\n          \"id\": 1,\r\n          \"color\": \"#7EB26D\",\r\n          \"alias\": \"\",\r\n          \"pin\": false,\r\n          \"type\": \"lucene\",\r\n          \"enable\": true,\r\n          \"query\": \"severity informational\"\r\n        },\r\n        \"2\": {\r\n          \"id\": 2,\r\n          \"color\": \"#6ED0E0\",\r\n          \"alias\": \"\",\r\n          \"pin\": false,\r\n          \"type\": \"lucene\",\r\n          \"enable\": true,\r\n          \"query\": \"severity warning\"\r\n        },\r\n        \"3\": {\r\n          \"id\": 3,\r\n          \"color\": \"#EF843C\",\r\n          \"alias\": \"\",\r\n          \"pin\": false,\r\n          \"type\": \"lucene\",\r\n          \"enable\": true,\r\n          \"query\": \"severity error\"\r\n        },\r\n        \"4\": {\r\n          \"id\": 4,\r\n          \"color\": \"#E24D42\",\r\n          \"alias\": \"\",\r\n          \"pin\": false,\r\n          \"type\": \"lucene\",\r\n          \"enable\": true,\r\n          \"query\": \"severity critical\"\r\n        },\r\n        \"5\": {\r\n          \"id\": 5,\r\n          \"color\": \"#1F78C1\",\r\n          \"alias\": \"\",\r\n          \"pin\": false,\r\n          \"type\": \"lucene\",\r\n          \"enable\": true,\r\n          \"query\": \"severity alert\"\r\n        },\r\n        \"6\": {\r\n          \"id\": 6,\r\n          \"color\": \"#BA43A9\",\r\n          \"alias\": \"\",\r\n          \"pin\": false,\r\n          \"type\": \"lucene\",\r\n          \"enable\": true,\r\n          \"query\": \"_grok\"\r\n        
}\r\n      },\r\n      \"ids\": [\r\n        0,\r\n        1,\r\n        2,\r\n        3,\r\n        4,\r\n        5,\r\n        6\r\n      ]\r\n    },\r\n    \"filter\": {\r\n      \"list\": {\r\n        \"0\": {\r\n          \"type\": \"time\",\r\n          \"field\": \"@timestamp\",\r\n          \"from\": \"now-6h\",\r\n          \"to\": \"now\",\r\n          \"mandate\": \"must\",\r\n          \"active\": true,\r\n          \"alias\": \"\",\r\n          \"id\": 0\r\n        }\r\n      },\r\n      \"ids\": [\r\n        0\r\n      ]\r\n    }\r\n  },\r\n  \"rows\": [\r\n    {\r\n      \"title\": \"Graph\",\r\n      \"height\": \"350px\",\r\n      \"editable\": true,\r\n      \"collapse\": false,\r\n      \"collapsable\": true,\r\n      \"panels\": [\r\n        {\r\n          \"span\": 12,\r\n          \"editable\": true,\r\n          \"group\": [\r\n            \"default\"\r\n          ],\r\n          \"type\": \"histogram\",\r\n          \"mode\": \"count\",\r\n          \"time_field\": \"@timestamp\",\r\n          \"value_field\": null,\r\n          \"auto_int\": true,\r\n          \"resolution\": 100,\r\n          \"interval\": \"5m\",\r\n          \"fill\": 3,\r\n          \"linewidth\": 3,\r\n          \"timezone\": \"browser\",\r\n          \"spyable\": true,\r\n          \"zoomlinks\": true,\r\n          \"bars\": false,\r\n          \"stack\": false,\r\n          \"points\": false,\r\n          \"lines\": true,\r\n          \"legend\": true,\r\n          \"x-axis\": true,\r\n          \"y-axis\": true,\r\n          \"percentage\": false,\r\n          \"interactive\": true,\r\n          \"queries\": {\r\n            \"mode\": \"selected\",\r\n            \"ids\": [\r\n              1,\r\n              2,\r\n              3,\r\n              4,\r\n              5\r\n            ]\r\n          },\r\n          \"title\": \"Events over time\",\r\n          \"intervals\": [\r\n            \"auto\",\r\n            \"1s\",\r\n            \"1m\",\r\n            
\"5m\",\r\n            \"10m\",\r\n            \"30m\",\r\n            \"1h\",\r\n            \"3h\",\r\n            \"12h\",\r\n            \"1d\",\r\n            \"1w\",\r\n            \"1M\",\r\n            \"1y\"\r\n          ],\r\n          \"options\": true,\r\n          \"tooltip\": {\r\n            \"value_type\": \"cumulative\",\r\n            \"query_as_alias\": true\r\n          },\r\n          \"scale\": 1,\r\n          \"y_format\": \"none\",\r\n          \"grid\": {\r\n            \"max\": null,\r\n            \"min\": 0\r\n          },\r\n          \"annotate\": {\r\n            \"enable\": false,\r\n            \"query\": \"*\",\r\n            \"size\": 20,\r\n            \"field\": \"_type\",\r\n            \"sort\": [\r\n              \"_score\",\r\n              \"desc\"\r\n            ]\r\n          },\r\n          \"pointradius\": 5,\r\n          \"show_query\": true,\r\n          \"legend_counts\": true,\r\n          \"zerofill\": true,\r\n          \"derivative\": false,\r\n          \"scaleSeconds\": true\r\n        },\r\n        {\r\n          \"error\": false,\r\n          \"span\": 6,\r\n          \"editable\": true,\r\n          \"type\": \"bettermap\",\r\n          \"loadingEditor\": false,\r\n          \"field\": \"geoip.location\",\r\n          \"size\": 2000,\r\n          \"spyable\": true,\r\n          \"tooltip\": \"_id\",\r\n          \"queries\": {\r\n            \"mode\": \"all\",\r\n            \"ids\": [\r\n              0,\r\n              1,\r\n              2,\r\n              3,\r\n              4,\r\n              5,\r\n              6\r\n            ]\r\n          },\r\n          \"title\": \"Firewall Hits\"\r\n        },\r\n        {\r\n          \"error\": false,\r\n          \"span\": 4,\r\n          \"editable\": true,\r\n          \"type\": \"terms\",\r\n          \"loadingEditor\": false,\r\n          \"field\": \"syslog_severity\",\r\n          \"exclude\": [],\r\n          \"missing\": true,\r\n          
\"other\": true,\r\n          \"size\": 7,\r\n          \"order\": \"count\",\r\n          \"style\": {\r\n            \"font-size\": \"10pt\"\r\n          },\r\n          \"donut\": false,\r\n          \"tilt\": false,\r\n          \"labels\": true,\r\n          \"arrangement\": \"horizontal\",\r\n          \"chart\": \"bar\",\r\n          \"counter_pos\": \"above\",\r\n          \"spyable\": true,\r\n          \"queries\": {\r\n            \"mode\": \"all\",\r\n            \"ids\": [\r\n              0,\r\n              1,\r\n              2,\r\n              3,\r\n              4,\r\n              5,\r\n              6\r\n            ]\r\n          },\r\n          \"tmode\": \"terms\",\r\n          \"tstat\": \"total\",\r\n          \"valuefield\": \"\",\r\n          \"title\": \"Message Types\"\r\n        },\r\n        {\r\n          \"error\": false,\r\n          \"span\": 4,\r\n          \"editable\": true,\r\n          \"type\": \"terms\",\r\n          \"loadingEditor\": false,\r\n          \"field\": \"src_ip\",\r\n          \"exclude\": [],\r\n          \"missing\": false,\r\n          \"other\": false,\r\n          \"size\": 10,\r\n          \"order\": \"count\",\r\n          \"style\": {\r\n            \"font-size\": \"10pt\"\r\n          },\r\n          \"donut\": false,\r\n          \"tilt\": false,\r\n          \"labels\": true,\r\n          \"arrangement\": \"horizontal\",\r\n          \"chart\": \"bar\",\r\n          \"counter_pos\": \"above\",\r\n          \"spyable\": false,\r\n          \"queries\": {\r\n            \"mode\": \"all\",\r\n            \"ids\": [\r\n              0,\r\n              1,\r\n              2,\r\n              3,\r\n              4,\r\n              5,\r\n              6\r\n            ]\r\n          },\r\n          \"tmode\": \"terms\",\r\n          \"tstat\": \"total\",\r\n          \"valuefield\": \"\",\r\n          \"title\": \"Source IP\"\r\n        },\r\n        {\r\n          \"error\": false,\r\n          
\"span\": 4,\r\n          \"editable\": true,\r\n          \"type\": \"terms\",\r\n          \"loadingEditor\": false,\r\n          \"field\": \"dst_ip\",\r\n          \"exclude\": [],\r\n          \"missing\": true,\r\n          \"other\": true,\r\n          \"size\": 10,\r\n          \"order\": \"count\",\r\n          \"style\": {\r\n            \"font-size\": \"10pt\"\r\n          },\r\n          \"donut\": false,\r\n          \"tilt\": false,\r\n          \"labels\": true,\r\n          \"arrangement\": \"horizontal\",\r\n          \"chart\": \"bar\",\r\n          \"counter_pos\": \"above\",\r\n          \"spyable\": true,\r\n          \"queries\": {\r\n            \"mode\": \"all\",\r\n            \"ids\": [\r\n              0,\r\n              1,\r\n              2,\r\n              3,\r\n              4,\r\n              5,\r\n              6\r\n            ]\r\n          },\r\n          \"tmode\": \"terms\",\r\n          \"tstat\": \"total\",\r\n          \"valuefield\": \"\",\r\n          \"title\": \"DESTINATION IP\"\r\n        }\r\n      ],\r\n      \"notice\": false\r\n    },\r\n    {\r\n      \"title\": \"Events\",\r\n      \"height\": \"350px\",\r\n      \"editable\": true,\r\n      \"collapse\": false,\r\n      \"collapsable\": true,\r\n      \"panels\": [\r\n        {\r\n          \"title\": \"All events\",\r\n          \"error\": false,\r\n          \"span\": 12,\r\n          \"editable\": true,\r\n          \"group\": [\r\n            \"default\"\r\n          ],\r\n          \"type\": \"table\",\r\n          \"size\": 100,\r\n          \"pages\": 5,\r\n          \"offset\": 0,\r\n          \"sort\": [\r\n            \"timestamp\",\r\n            \"desc\"\r\n          ],\r\n          \"style\": {\r\n            \"font-size\": \"9pt\"\r\n          },\r\n          \"overflow\": \"min-height\",\r\n          \"fields\": [\r\n            \"duration\",\r\n            \"cisco_message\",\r\n            \"geoip.location\",\r\n            \"direction\",\r\n   
         \"src_ip\",\r\n            \"dst_ip\",\r\n            \"timestamp\",\r\n            \"dst_port\",\r\n            \"syslog_severity\",\r\n            \"src_xlated_ip\",\r\n            \"src_mapped_ip\"\r\n          ],\r\n          \"localTime\": true,\r\n          \"timeField\": \"@timestamp\",\r\n          \"highlight\": [],\r\n          \"sortable\": true,\r\n          \"header\": true,\r\n          \"paging\": true,\r\n          \"spyable\": true,\r\n          \"queries\": {\r\n            \"mode\": \"all\",\r\n            \"ids\": [\r\n              0,\r\n              1,\r\n              2,\r\n              3,\r\n              4,\r\n              5,\r\n              6\r\n            ]\r\n          },\r\n          \"field_list\": true,\r\n          \"status\": \"Stable\",\r\n          \"trimFactor\": 300,\r\n          \"normTimes\": true,\r\n          \"all_fields\": false\r\n        }\r\n      ],\r\n      \"notice\": false\r\n    }\r\n  ],\r\n  \"editable\": true,\r\n  \"failover\": false,\r\n  \"index\": {\r\n    \"interval\": \"day\",\r\n    \"pattern\": \"[logstash-]YYYY.MM.DD\",\r\n    \"default\": \"NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED\",\r\n    \"warm_fields\": true\r\n  },\r\n  \"style\": \"dark\",\r\n  \"panel_hints\": true,\r\n  \"pulldowns\": [\r\n    {\r\n      \"type\": \"query\",\r\n      \"collapse\": false,\r\n      \"notice\": false,\r\n      \"query\": \"*\",\r\n      \"pinned\": true,\r\n      \"history\": [\r\n        \"_grok\",\r\n        \"severity alert\",\r\n        \"severity critical\",\r\n        \"severity error\",\r\n        \"severity warning\",\r\n        \"severity informational\",\r\n        \"cisco-fw\",\r\n        \"severity emergencie\",\r\n        \"severity emergencies\",\r\n        \"severity errors\"\r\n      ],\r\n      \"remember\": 10,\r\n      \"enable\": true\r\n    },\r\n    {\r\n      \"type\": \"filtering\",\r\n      \"collapse\": false,\r\n      \"notice\": true,\r\n      \"enable\": true\r\n    
}\r\n  ],\r\n  \"nav\": [\r\n    {\r\n      \"type\": \"timepicker\",\r\n      \"collapse\": false,\r\n      \"notice\": false,\r\n      \"status\": \"Stable\",\r\n      \"time_options\": [\r\n        \"5m\",\r\n        \"15m\",\r\n        \"1h\",\r\n        \"6h\",\r\n        \"12h\",\r\n        \"24h\",\r\n        \"2d\",\r\n        \"7d\",\r\n        \"30d\"\r\n      ],\r\n      \"refresh_intervals\": [\r\n        \"5s\",\r\n        \"10s\",\r\n        \"30s\",\r\n        \"1m\",\r\n        \"5m\",\r\n        \"15m\",\r\n        \"30m\",\r\n        \"1h\",\r\n        \"2h\",\r\n        \"1d\"\r\n      ],\r\n      \"timefield\": \"@timestamp\",\r\n      \"now\": true,\r\n      \"filter_id\": 0,\r\n      \"enable\": true\r\n    }\r\n  ],\r\n  \"loader\": {\r\n    \"save_gist\": false,\r\n    \"save_elasticsearch\": true,\r\n    \"save_local\": true,\r\n    \"save_default\": true,\r\n    \"save_temp\": true,\r\n    \"save_temp_ttl_enable\": true,\r\n    \"save_temp_ttl\": \"30d\",\r\n    \"load_gist\": true,\r\n    \"load_elasticsearch\": true,\r\n    \"load_elasticsearch_size\": 20,\r\n    \"load_local\": true,\r\n    \"hide\": false\r\n  },\r\n  \"refresh\": false\r\n}\r\n<\/pre>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I originally wrote this as a comment on the Networking subreddit but I thought I would post this here in case anyone was curious on using open source tools for centralized logging. Originally we were using Graylog2 for message analysis but I recently found out about Kibana and it is substantially better. 
What this guide&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[20,3,40,4,54],"tags":[],"class_list":["post-244","post","type-post","status-publish","format-standard","hentry","category-blog","category-information-technology","category-networking","category-servers","category-software"],"_links":{"self":[{"href":"https:\/\/jackhanington.com\/blog\/wp-json\/wp\/v2\/posts\/244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jackhanington.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jackhanington.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jackhanington.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jackhanington.com\/blog\/wp-json\/wp\/v2\/comments?post=244"}],"version-history":[{"count":20,"href":"https:\/\/jackhanington.com\/blog\/wp-json\/wp\/v2\/posts\/244\/revisions"}],"predecessor-version":[{"id":370,"href":"https:\/\/jackhanington.com\/blog\/wp-json\/wp\/v2\/posts\/244\/revisions\/370"}],"wp:attachment":[{"href":"https:\/\/jackhanington.com\/blog\/wp-json\/wp\/v2\/media?parent=244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jackhanington.com\/blog\/wp-json\/wp\/v2\/categories?post=244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jackhanington.com\/blog\/wp-json\/wp\/v2\/tags?post=244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}