nanog mailing list archives
Re: ASA log viewer
From: Jonathan Lassoff <jof () thejof com>
Date: Sat, 19 Nov 2011 18:05:47 -0800
On Sat, Nov 19, 2011 at 5:46 PM, Duane Toler <detoler () gmail com> wrote:
> On Sat, Nov 19, 2011 at 20:30, Jonathan Lassoff <jof () thejof com> wrote:
>> On Sat, Nov 19, 2011 at 4:51 PM, Duane Toler <detoler () gmail com> wrote:
>>> Hey NANOG! My employer is deploying Cisco ASA firewalls to our clients (specifically the 5505, 5510 for our smaller clients). We are having problems finding a decent log viewer. Several products seem to mean well, but they all fall short for various reasons. We primarily use Check Point firewalls, and for those of you with that experience, you know the SmartView Tracker is quite powerful. Is there anything close to the flexibility and filtering capabilities of Check Point's SmartView Tracker?
>>>
>>> For now, I've been dumping the logs via syslog with TLS using syslog-ng to our server, but that is mediocre at best with varying degrees of reliability. The syslog-ng server then sends that to a perl script to put that into a database. That allows us to run our monthly reports, but that doesn't help us with live or historical log parsing and filtering (see above, re: SmartView Tracker).
>>
>> It sounds like you've already got a pretty good aggregation setup going, here. I've had great luck with UDP Syslog from devices to a site-local log aggregator that then ships off log streams to a central place over TCP (for the WAN paths) and/or TLS/SSL. It sounds like you may have something similar going here, though I'd be curious to know where you've had this fall down reliability-wise.
>
> We considered that, but didn't want to "burden" small customers with a classic scenario of "ok well you have to have our other box in your room" and have to deal with procurement, maintenance, upkeep, monitoring, blah blah. Recent ASA code (8.3-ish, 8.4? I forget) had syslog-tls built in and finally able to ship logs out across the lowest security zone, which was quite a nice addition.

Ah, this totally makes sense now. I can see why you'd want to use features that are already on your ASAs. Sounds like a bug to me, though. I wonder what Cisco calls syslog-tls though. Syslog-like packet bodies, over a TLS-wrapped TCP socket? Sorry to hear it's been so unreliable -- I guess that's why I'm biased towards just running generic PCs and open source software for this kind of stuff; when bugs happen, you're actually empowered to debug and fix problems.

> I'd like to fully search on a 'column', a la 'ladder logic' style, as well as have the data presented in an orderly well-defined fashion. I know that sounded like the beginnings of "use XML!" but oh dear, not XML, please. :) Poor syslog is just too flat and in a state of general disarray. The bizarre arrangement of connection setup, NAT, non-NAT, traffic destined to the device, originating from the device, traffic routing across the to another zone, etc. ... it's very nonsensical, verbose, and frankly maddening.

This does indeed sound like a good application for Splunk. They have ways of defining custom logging formats that will parse out simple column and message types so that you can construct queries based on that information. There's some more information here in Splunk's docs on custom field extraction: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions

Cheers,
jof
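As an added illustration of the column-style extraction discussed in this thread (not code from the thread, the syslog-ng setup, or Splunk), the following Python flattens a few common ASA syslog message types into named columns so they can be filtered like a SmartView Tracker query. The body regexes and the sample lines are this example's own assumptions about the ASA format, using documentation addresses.

```python
import re
from typing import Optional

# Every ASA syslog line carries %ASA-<severity>-<message id>: <body>
HEADER = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<msg_id>\d{6}): (?P<body>.*)$")

# Body layouts for three common ids; these regexes are this example's own.
BODIES = {
    "302013": re.compile(
        r"Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection (?P<conn>\d+) "
        r"for (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
        r"to (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"),
    "302014": re.compile(
        r"Teardown (?P<proto>\w+) connection (?P<conn>\d+) "
        r"for (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
        r"to (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
        r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)"),
    "106023": re.compile(
        r"Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
        r"dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
        r'by access-group "(?P<acl>[^"]+)"'),
}

def parse_asa(line: str) -> Optional[dict]:
    """Flatten one ASA syslog line into columns; None if it is not an ASA line."""
    m = HEADER.search(line)
    if m is None:
        return None
    row = {"severity": int(m["severity"]), "msg_id": m["msg_id"]}
    body = BODIES.get(m["msg_id"])
    b = body.match(m["body"]) if body else None
    if b is None:
        return row  # unknown id or unexpected layout: keep header, never guess columns
    row.update(b.groupdict())
    row["action"] = "deny" if m["msg_id"] == "106023" else "allow"
    return row

# Constructed sample lines using RFC 5737 documentation addresses, not real logs.
SAMPLE = [
    "Nov 19 2011 17:46:02 fw1 %ASA-6-302013: Built inbound TCP connection 9001 for outside:203.0.113.5/44321 (203.0.113.5/44321) to inside:10.0.0.8/443 (10.0.0.8/443)",
    "Nov 19 2011 17:46:14 fw1 %ASA-6-302014: Teardown TCP connection 9001 for outside:203.0.113.5/44321 to inside:10.0.0.8/443 duration 0:00:12 bytes 4321 TCP FINs",
    'Nov 19 2011 17:47:00 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/5555 dst inside:10.0.0.8/22 by access-group "outside_in" [0x0, 0x0]',
    "Nov 19 2011 17:47:05 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.8/5000 to outside:203.0.113.1/5000",
]

def query(lines, **where):
    """Column-equality filter, e.g. query(SAMPLE, dst="10.0.0.8", action="deny")."""
    rows = [r for r in map(parse_asa, lines) if r is not None]
    return [r for r in rows if all(r.get(k) == v for k, v in where.items())]
```

Message ids without a body pattern keep only the header columns rather than guessed fields, so a filter on a missing column simply excludes them.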