ASA log viewer

Duane Toler detoler at gmail.com
Sun Nov 20 01:46:06 UTC 2011


On Sat, Nov 19, 2011 at 20:30, Jonathan Lassoff <jof at thejof.com> wrote:
> On Sat, Nov 19, 2011 at 4:51 PM, Duane Toler <detoler at gmail.com> wrote:
>>
>> Hey NANOG!
>>
>> My employer is deploying Cisco ASA firewalls to our clients
>> (specifically the 5505, 5510 for our smaller clients).  We are having
>> problems finding a decent log viewer.  Several products seem to mean
>> well, but they all fall short for various reasons.  We primarily use
>> Check Point firewalls, and for those of you with that experience, you
>> know the SmartView Tracker is quite powerful.  Is there anything
>> close to the flexibility and filtering capabilities of Check Point's
>> SmartView Tracker?
>>
>> For now, I've been dumping the logs via syslog with TLS using
>> syslog-ng to our server, but that is mediocre at best with varying
>> degrees of reliability.  The syslog-ng server then sends that to a
>> perl script to put that into a database.  That allows us to run our
>> monthly reports, but that doesn't help us with live or historical log
>> parsing and filtering (see above, re: SmartView Tracker).
>
> It sounds like you've already got a pretty good aggregation setup going,
> here. I've had great luck with UDP Syslog from devices to a site-local log
> aggregator that then ships off log streams to a central place over TCP (for
> the WAN paths) and/or TLS/SSL.
> It sounds like you may have something similar going here, though I'd be
> curious to know where you've had this fall down reliability-wise.

We considered that, but didn't want to "burden" small customers with a
classic scenario of "ok well you have to have our other box in your
room" and have to deal with procurement, maintenance, upkeep,
monitoring, blah blah.  Recent ASA code (8.3-ish, 8.4? I forget) had
syslog-tls built in and finally able to ship logs out across the
lowest security zone, which was quite a nice addition.

The breakdown is periodic log-reporting failures. After some
indeterminate time, the device seems to just "give up" and just not
send logs.  Plus, it doesn't reconnect on a failure.  I added a Nagios
check to monitor the state of things, so now I get notified in this
situation (or at least within a few minutes).  When this does occur, I
ssh to the ASA and have to run the 'no logging enable' and then
'logging enable' to "jump start" it again.  Sometimes that's not even
enough and I have to remove the logging command for external syslog
and re-add it again.

It's very weird and quite spurious.

>>
>> If a customer called to help us troubleshoot connection issues over
>> the past few days, there's no way to review the logs and figure out
>> what happened back then.  Every CCIE we've talked to, and Cisco
>> themselves, seem to not care about firewall traffic logs or the
>> ability to parse and review them.  We know about Cisco Security
>> Center, but that seems incapable of handling logs, etc.  CS-MARS
>> would've been great, but that's overpriced and now discontinued
>> anyway.  We'd hate to spend the time writing our own app if there's a
>> viable product already available (we're willing to pay a reasonable
>> price for one, too).
>
> I don't know of any great commercial products, as I've only built homegrown
> tools for various organizations. I'm curious though, what kinds of features
> are you looking for? Searching log data? Alerting on events based on log
> data?
> Cheers,
> jof

I'd like to fully search on a 'column', a la 'ladder logic' style,
as well as have the data presented in an orderly well-defined fashion.
I know that sounded like the beginnings of "use XML!" but oh dear,
not XML, please. :)  Poor syslog is just too flat and in a state of
general disarray.  The bizarre arrangement of connection setup, NAT,
non-NAT, traffic destined to the device, originating from the device,
traffic routing across to another zone, etc. ... it's very
nonsensical, verbose, and frankly maddening.

Best I can tell, the whole thing doesn't make any sense (and was a
bear to tease apart with regex).

I've gotten a few suggestions to check out Splunk, so I'll toss that
into the review pile and see how that works out.  Thanks to the folks
who suggested that!

--
Duane Toler
detoler at gmail.com
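As an added illustration (not part of the thread, and not Duane's Perl script or any vendor tool), here is what the "search on a column" idea looks like once the flat ASA syslog text is teased apart with regex. The sample lines are constructed, not real captured logs; they follow the published formats of a handful of real ASA message classes (302013/302015 connection built, 302014/302016 teardown, 106023 ACL deny). Column names `a_*`/`b_*` are this example's own choice: they are the first and second endpoint exactly as the ASA prints them (the "for" and "to" endpoints of a built/teardown message, the "src" and "dst" of a deny), since the ASA's own ordering does not map cleanly onto source/destination. Unrecognised message classes are dropped rather than guessed at, and built/teardown rows are joined on the connection id so one row shows the whole session.

```python
"""Parse Cisco ASA syslog connection/deny messages into uniform columns and filter by column.
Added example; the message formats follow Cisco's documented ASA syslog classes,
the sample log lines are constructed."""
import re
from typing import Dict, Iterable, List, Optional

# Collectors prepend their own timestamp/host prefix, so find the ASA header
# anywhere in the line instead of anchoring at column 0.
HEADER_RE = re.compile(r'%(?:ASA|PIX|FWSM)-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<body>.*)$')

# Building blocks: "interface:ip/port" and the NAT-mapped "(ip/port)" that follows it.
ENDPOINT = r'(?P<{p}_if>[^:\s]+):(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)'
XLATE = r'\((?P<{p}_xlate_ip>[\d.]+)/(?P<{p}_xlate_port>\d+)\)'

BODY_RES = {
    # 302013 (TCP) / 302015 (UDP): connection built, mapped addresses in parentheses
    'built': re.compile(
        r'Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for '
        + ENDPOINT.format(p='a') + r' ' + XLATE.format(p='a')
        + r' to ' + ENDPOINT.format(p='b') + r' ' + XLATE.format(p='b')),
    # 302014 (TCP) / 302016 (UDP): teardown, no mapped addresses, adds duration/bytes/reason
    'teardown': re.compile(
        r'Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for '
        + ENDPOINT.format(p='a') + r' to ' + ENDPOINT.format(p='b')
        + r' duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$'),
    # 106023: packet denied by an access list
    'deny': re.compile(
        r'Deny (?P<proto>\w+) src ' + ENDPOINT.format(p='a') + r' dst ' + ENDPOINT.format(p='b')
        + r' by access-group "(?P<acl>[^"]+)"'),
}

# Every record carries the same columns (None where the message class has no value),
# which is what makes column-wise filtering possible.
COLUMNS = ['severity', 'msgid', 'action', 'direction', 'proto', 'conn_id',
           'a_if', 'a_ip', 'a_port', 'a_xlate_ip', 'a_xlate_port',
           'b_if', 'b_ip', 'b_port', 'b_xlate_ip', 'b_xlate_port',
           'duration', 'bytes', 'reason', 'acl']

Record = Dict[str, Optional[str]]


def parse_line(line: str) -> Optional[Record]:
    """Return one flat record for a recognised message, None for anything else."""
    hm = HEADER_RE.search(line)
    if not hm:
        return None
    for action, body_re in BODY_RES.items():
        bm = body_re.match(hm.group('body'))
        if bm:
            rec: Record = {col: None for col in COLUMNS}
            rec.update(severity=hm.group('severity'), msgid=hm.group('msgid'), action=action)
            rec.update(bm.groupdict())
            if rec['proto']:
                rec['proto'] = rec['proto'].lower()   # ASA mixes "TCP" and "tcp"
            return rec
    return None  # other message classes (NAT xlate builds, VPN, etc.) are not modelled here


def parse_many(lines: Iterable[str]) -> List[Record]:
    return [r for r in (parse_line(line) for line in lines) if r is not None]


def select(records: Iterable[Record], **where: str) -> List[Record]:
    """Column-equality filter, e.g. select(recs, action='deny', b_port='22')."""
    unknown = set(where) - set(COLUMNS)
    if unknown:
        raise KeyError(f'unknown column(s): {sorted(unknown)}')
    return [r for r in records if all(r[k] == v for k, v in where.items())]


def sessions(records: Iterable[Record]) -> List[Record]:
    """Fold built + teardown rows sharing (proto, conn_id) into one session row."""
    out: Dict[tuple, Record] = {}
    for r in records:
        key = (r['proto'], r['conn_id'])
        if r['action'] == 'built':
            out[key] = dict(r)
        elif r['action'] == 'teardown' and key in out:
            out[key].update(duration=r['duration'], bytes=r['bytes'], reason=r['reason'])
    return list(out.values())


# Constructed sample lines in the shape syslog-ng would hand over (RFC 5737 test addresses).
SAMPLE_LOG = """\
Nov 19 16:51:02 fw01 %ASA-6-302013: Built outbound TCP connection 84512 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.20/51234 (192.0.2.10/51234)
Nov 19 16:51:07 fw01 %ASA-6-302014: Teardown TCP connection 84512 for outside:203.0.113.5/443 to inside:10.1.1.20/51234 duration 0:00:05 bytes 1834 TCP FINs
Nov 19 16:51:09 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/41022 dst inside:10.1.1.20/22 by access-group "outside_access_in" [0x0, 0x0]
Nov 19 16:51:10 fw01 %ASA-6-302015: Built inbound UDP connection 84513 for outside:198.51.100.9/53 (198.51.100.9/53) to inside:10.1.1.53/53 (192.0.2.10/53)
Nov 19 16:51:11 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.21/40000 to outside:192.0.2.10/40000
"""

if __name__ == '__main__':
    recs = parse_many(SAMPLE_LOG.splitlines())
    for row in select(recs, action='deny'):
        print({k: v for k, v in row.items() if v is not None})
    for row in sessions(recs):
        print(row['proto'], row['conn_id'], row['a_ip'], '->', row['b_ip'], row['duration'], row['bytes'])
```

Feeding the same records into a database table with these columns is the step the Perl script in the thread already performs; the point of the flat, uniform record is that the "live" and "historical" questions then become ordinary column filters rather than fresh regex work per query.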