Enabling Elasticsearch/Kibana ingestion of Cisco IOS and ASA logs
1. Prerequisites
OS: Ubuntu 20.04 or Debian 12
Elastic Stack 8.x
Firewall: open UDP 9001-9002 (syslog from the Cisco devices), TCP 9200 (Elasticsearch) and TCP 5601 (Kibana)
2. Install Elastic Stack
sudo mkdir -p /usr/share/keyrings
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | \
sudo gpg --dearmor -o /usr/share/keyrings/elastic-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elastic-archive-keyring.gpg] \
https://artifacts.elastic.co/packages/8.x/apt stable main" | \
sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update
sudo apt install elasticsearch kibana filebeat -y
3. Configure Elasticsearch
/etc/elasticsearch/elasticsearch.yml
cluster.name: homelab-cluster
node.name: es01
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
sudo systemctl enable --now elasticsearch
Test with:
curl -k -u elastic:<password> https://localhost:9200
The apt install prints the generated password for the elastic user; it can be reset with sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic. -k skips certificate verification and is only acceptable for this local check; use --cacert /etc/elasticsearch/certs/http_ca.crt to verify the auto-generated certificate instead.
4. Configure Kibana
/etc/kibana/kibana.yml
server.host: "0.0.0.0"
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "<kibana_system password>"
server.publicBaseUrl: "http://<kibana host or IP>:5601"
Elasticsearch 8.x generates its own HTTP certificate, so Kibana must trust that CA (elasticsearch.ssl.certificateAuthorities pointing at a copy of /etc/elasticsearch/certs/http_ca.crt that the kibana user can read) or the kibana_system connection fails TLS verification. Set the kibana_system password with sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system, then:
sudo systemctl enable --now kibana
5. Configure Filebeat
/etc/filebeat/filebeat.yml
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "elastic"
  password: "<password>"
  ssl.certificate_authorities: ["/etc/elasticsearch/certs/http_ca.crt"]
The ssl.certificate_authorities line makes Filebeat verify the auto-generated Elasticsearch certificate instead of failing on it; Filebeat runs as root under systemd, so it can read the file.
sudo filebeat modules enable cisco
/etc/filebeat/modules.d/cisco.yml
- module: cisco
  asa:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
    var.syslog_protocol: udp
    var.syslog_listen_family: inet
  ios:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9002
    var.syslog_protocol: udp
    var.syslog_listen_family: inet
sudo filebeat setup --index-management -E setup.template.enabled=true
sudo systemctl enable --now filebeat
sudo systemctl status filebeat
sudo tail -f /var/log/filebeat/filebeat
6. Configure Cisco Devices
ASA
conf t
logging enable
logging timestamp
logging facility 20
logging trap informational
logging host inside 192.168.0.10 udp/9001
exit
IOS Router / Switch
conf t
logging on
service timestamps log datetime msec
logging trap informational
logging host 192.168.0.10 transport udp port 9002
exit
Verify on the collector that the datagrams arrive:
sudo tcpdump -n udp port 9001 or port 9002
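To exercise both Filebeat listeners before any device is pointed at the collector, this added Python script (not part of the original notes) injects constructed ASA and IOS syslog datagrams on UDP 9001 and 9002; COLLECTOR, the timestamps, addresses and message contents are assumptions chosen to match the configuration above (ASA facility 20 / severity informational, IOS default facility local7).

```python
#!/usr/bin/env python3
"""Inject constructed Cisco syslog datagrams into the Filebeat cisco module listeners.

Added example, not from the original notes. Assumes Filebeat listens on UDP 9001
(ASA) and 9002 (IOS) at COLLECTOR as configured above; the messages are
constructed samples in the formats the ASA and IOS logging commands above emit.
"""
import socket

COLLECTOR = "192.168.0.10"   # syslog host used in the device configs above (assumed)
ASA_PORT, IOS_PORT = 9001, 9002
LOCAL4, LOCAL7 = 20, 23      # 'logging facility 20' on the ASA; IOS defaults to local7
INFO, NOTICE = 6, 5          # 'logging trap informational' forwards severity <= 6
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI value: facility * 8 + severity (facility 0-23, severity 0-7)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError(f"bad facility/severity: {facility}/{severity}")
    return facility * 8 + severity


def decode_pri(datagram: bytes) -> tuple[int, str]:
    """Return (facility, severity name) from the '<PRI>' prefix of a datagram."""
    head = datagram.decode("ascii", "replace")
    if not head.startswith("<") or ">" not in head[:5]:
        raise ValueError("missing <PRI> header")
    value = int(head[1:head.index(">")])
    return value // 8, SEVERITY[value % 8]


def asa_datagram(ts: str = "Jan 01 2024 00:00:00", severity: int = INFO) -> bytes:
    """Constructed ASA 302013 (built connection) message, timestamped as 'logging timestamp' does."""
    body = ("%ASA-{s}-302013: Built outbound TCP connection 1001 for "
            "outside:203.0.113.5/443 (203.0.113.5/443) to "
            "inside:192.168.0.20/51000 (192.168.0.20/51000)").format(s=severity)
    return f"<{pri(LOCAL4, severity)}>{ts}: {body}".encode()


def ios_datagram(seq: int = 42, ts: str = "Jan  1 00:00:00.000") -> bytes:
    """Constructed IOS SYS-5-CONFIG_I message in 'service timestamps log datetime msec' format."""
    body = "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.0.20)"
    return f"<{pri(LOCAL7, NOTICE)}>{seq}: *{ts}: {body}".encode()


def send(datagram: bytes, port: int, host: str = COLLECTOR) -> int:
    """Fire one datagram at the Filebeat listener; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))


if __name__ == "__main__":
    send(asa_datagram(), ASA_PORT)   # should appear in Kibana Discover as event.module: cisco
    send(ios_datagram(), IOS_PORT)
```

Run it while the tcpdump above is active to confirm both datagrams arrive, then search Kibana Discover for event.module: cisco to confirm Filebeat parsed them.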
