Parsing ASA logs, slight ranting, and I need a hug or something #2787
Replies: 1 comment 1 reply
-
You need to write an ingest parser for the data you want to bring in. Check https://docs.securityonion.net/en/2.3/elasticsearch.html?highlight=ingest%20parsing#parsing Once you have it parsing properly you can set up an elastalert rule to alert on whatever field/condition you like.
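The reply above describes two steps: parse the ASA syslog text into fields, then alert on a field/condition. The following is an added example, not code from this thread or from Security Onion; in SO the first step is an Elasticsearch ingest pipeline (grok/dissect processors) and the second an elastalert rule, and this Python stand-in shows what each step has to do. It assumes the ASA message 106023 (access-list deny) layout from Cisco's syslog reference, a constructed set of log lines using RFC 5737 documentation addresses, and a fixed year because the syslog timestamp carries none. The `frequency_alerts` function mirrors the shape of an elastalert `frequency` rule with a `query_key`: N matching events from the same key within a timeframe.

```python
"""Parse Cisco ASA syslog lines into fields, then apply a frequency-style
alert rule over them. Added example; sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog header as the ASA emits it: "<month> <day> <time> <host> %ASA-<sev>-<msgid>: <text>"
HEADER_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+%ASA-(?P<severity>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$"
)

# Message 106023 body: Deny <proto> src <zone>:<ip>/<port> dst <zone>:<ip>/<port> by access-group "<acl>"
DENY_106023_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_zone>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_zone>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_asa(line, year=2024):
    """Return a dict of fields for one ASA syslog line, or None if it is not one.
    `year` is an assumption: the syslog timestamp has no year field."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["severity"] = int(event["severity"])
    event["@timestamp"] = datetime.strptime(f"{year} {event.pop('ts')}", "%Y %b %d %H:%M:%S")
    if event["msgid"] == "106023":
        d = DENY_106023_RE.search(event["text"])
        if d:
            event.update(d.groupdict())
            event["action"] = "deny"
    return event


def frequency_alerts(events, num_events, timeframe_seconds, key="src_ip", match=None):
    """Alert when `num_events` matching events share `key` inside a sliding window of
    `timeframe_seconds` (the shape of an elastalert frequency rule with query_key)."""
    match = match or (lambda e: True)
    window = timedelta(seconds=timeframe_seconds)
    seen = defaultdict(list)  # key value -> timestamps inside the current window
    alerts = []
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if not match(e) or key not in e:
            continue
        stamps = seen[e[key]]
        stamps.append(e["@timestamp"])
        while stamps and e["@timestamp"] - stamps[0] > window:
            stamps.pop(0)  # expire timestamps that fell out of the window
        if len(stamps) >= num_events:
            alerts.append({key: e[key], "count": len(stamps), "last_seen": e["@timestamp"]})
            stamps.clear()  # one alert per burst, like elastalert's realert behaviour
    return alerts


# Constructed sample: five denies from one source in five seconds, one deny from
# another source, one connection-built message, and one line that is not ASA syslog.
SAMPLE_LOGS = [
    'Mar 12 10:00:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 12 10:00:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51235 dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 12 10:00:03 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51236 dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 12 10:00:04 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51237 dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 12 10:00:05 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51238 dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar 12 10:00:06 fw01 %ASA-4-106023: Deny udp src outside:198.51.100.9/4000 dst inside:192.0.2.10/53 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "Mar 12 10:00:09 fw01 %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.9/40000 (198.51.100.9/40000) to inside:192.0.2.10/443 (192.0.2.10/443)",
    "garbage line that should not parse",
]


def demo():
    """Parse the sample and run a 'five denies from one source in 60 s' rule."""
    events = [e for e in (parse_asa(line) for line in SAMPLE_LOGS) if e]
    return frequency_alerts(events, num_events=5, timeframe_seconds=60,
                            match=lambda e: e.get("action") == "deny")


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The parse step is where the real work lives: until the ingest pipeline turns `text` into `src_ip`, `dst_port`, `acl` and `action`, an elastalert rule has nothing to filter or count on. Message-specific patterns like the 106023 one are added per message ID; lines with an unhandled ID still get the header fields, so they are searchable even before they are alertable.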
-
TL;DR How do I get SO to analyze the logs it receives via syslog and properly analyze them and create alerts? For ASA logs, how do I ensure proper threat analysis is being performed?
...
I've never felt more defeated. I'm wondering if I'm using the correct tool for what I'm trying to accomplish. Ok, maybe that's over the top.
I'm attempting to take all of these logging and analysis tools scattered across my environment and replace them with one comprehensive tool which handles all of the log collection and packet capture and does analysis and alerting of everything thrown at it. So I'm replacing things like syslog server clusters, snort boxes, half-assed windows eventlog analyzers, home-grown analysis tools (ahem, perl scripts with fancy regexes), argus archivers, etc.
So I have a manager, several sensors (one on each ESX host), and several search nodes. Each sensor gets the traffic from each esx host's promisc mode voodoo virtual switch thing and the search nodes and manager show that data in alerts. Yay. I've subscribed to ET Pro. I've installed Wazuh on a few endpoints. I can see the info in alerts. Most alerts aren't really things that require immediate attention, but are good for reference...not really how I should be using them. 5 million event log ID 4674 because chrome is stoopid on Win10...how do I go about ignoring this for certain processes? Anyways, the data is getting into SO and being analyzed, great, now I just have to figure out how to use this all.
An item of most interest to me is pointing my network gear (mostly cisco firewalls and switches) syslog output to my SO sensors and being able to get some realtime analysis of traffic. With the help of a few posts here and reading the docs I was able to get that done...well at least getting the logs to SO. I have absolutely no idea how to get this thing to alert me when the firewall is getting hammered, or there's some critical event on a switch.
Clicking through kibana, I can find my syslogs under "discover", so I know they're getting seen by something. Clicking around in there I found an option that mentioned installing a cisco filebeat module (Home->Add data->Security->Cisco)...I thought this might magically parse these Cisco logs, so I head over here and search "filebeat enable module" and it looks like I'd kinda be breaking SO to make this work: here and here.
So am I trying to do something that this really isn't meant to do? How do I go about getting useful analysis of various network gear syslogs? I feel like I'm close to making this thing the FOSS SIEM that I know it can be, I just killed too many brain cells in my younger years to do it on my own.