Grafana alloy and Cisco ASA log setup

Grafana Alloy
1

Has anyone this working for Cisco ASA?

   listener {
    address       = "0.0.0.0:2514"
    protocol      = "udp"
    label_structured_data = false
    max_message_length    = 65536
    syslog_format = "rfc3164"
      rfc3164_cisco_components {
      enable_all = true
   }

Tried tons of options but no luck.
Syslog debug

rfc5424 format

13:36:24.897889 eth0 In IP 172.18.18.240.514 > 172.18.18.33.2514: SYSLOG local4.warning, length: 175

E…U…!.. …<164>2026-02-06T12:36:24Z: %ASA-4-722051: Group User <test@test.com IP <13.116.68.51> IPv4 Address <172.18.6.75> IPv6 address <::> assigned to session

Legacy format

13:40:58.227346 eth0 In IP 172.18.18.240.514 > 172.18.18.33.2514: SYSLOG local4.warning, length: 175

E…T…!.. …<164>Feb 06 2026 13:40:58: %ASA-4-722051: Group User test@test.com IP <13.116.68.51> IPv4 Address <172.18.6.76> IPv6 address <::> assigned to session

Alloy debug: with legacy timestamp. rfc5424 doesnt give any errors but also nothing in loki.

ts=2026-02-06T12:39:04.302418847Z level=warn msg=“error parsing syslog stream” component_path=/ component_id=loki.source.syslog.ciscoasa err=“expecting a Stamp timestamp [col 9]”

Weekly Community Recap - 9 Feb
2

I ran into this when trying to incorporate my switches. The problem is when you turn certain features on the Cisco devices, it doesn’t label it in an order that alloy expects it. Look at the documentation and play with the features. What I had to do was disable sequence numbers in the config.alloy and on the switches.