[146697] in North American Network Operators' Group
Re: ASA log viewer
daemon@ATHENA.MIT.EDU (Duane Toler)
Sat Nov 19 20:48:23 2011
In-Reply-To: <CAHsqw9u0CFW6jW7ynYzyMs8dg-xhcMPDfzPQkzPXhgniprwpEg@mail.gmail.com>
Date: Sat, 19 Nov 2011 20:46:06 -0500
From: Duane Toler <detoler@gmail.com>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sat, Nov 19, 2011 at 20:30, Jonathan Lassoff <jof@thejof.com> wrote:
> On Sat, Nov 19, 2011 at 4:51 PM, Duane Toler <detoler@gmail.com> wrote:
>>
>> Hey NANOG!
>>
>> My employer is deploying Cisco ASA firewalls to our clients
>> (specifically the 5505, 5510 for our smaller clients). We are having
>> problems finding a decent log viewer. Several products seem to mean
>> well, but they all fall short for various reasons. We primarily use
>> Check Point firewalls, and for those of you with that experience, you
>> know the SmartViewer Tracker is quite powerful. Is there anything
>> close to the flexibility and filtering capabilities of Check Point's
>> SmartView Tracker?
>>
>> For now, I've been dumping the logs via syslog with TLS using
>> syslog-ng to our server, but that is mediocre at best with varying
>> degrees of reliability. The syslog-ng server then sends that to a
>> perl script to put that into a database. That allows us to run our
>> monthly reports, but that doesn't help us with live or historical log
>> parsing and filtering (see above, re: SmartView Tracker).
>
> It sounds like you've already got a pretty good aggregation setup going,
> here. I've had great luck with UDP Syslog from devices to a site-local log
> aggregator that then ships off log streams to a central place over TCP (for
> the WAN paths) and/or TLS/SSL.
> It sounds like you may have something similar going here, though I'd be
> curious to know where you've had this fall down reliability-wise.
We considered that, but didn't want to "burden" small customers with a
classic scenario of "ok well you have to have our other box in your
room" and have to deal with procurement, maintenance, upkeep,
monitoring, blah blah. Recent ASA code (8.3-ish, 8.4? I forget) had
syslog-tls built in and finally able to ship logs out across the
lowest security zone, which was quite a nice addition.
The breakdown is periodic log-reporting failures. After some
indeterminate time, the device seems to just "give up" and just not
send logs. Plus, it doesn't reconnect on a failure. I added a Nagios
check to monitor the state of things, so now I get notified in this
situation (or at least within a few minutes). When this does occur, I
ssh to the ASA and have to run the 'no logging enable' and then
'logging enable' to "jump start" it again. Sometimes that's not even
enough and I have to remove the logging command for external syslog
and re-add it again.
It's very weird and quite spurious.
>>
>> If a customer called to help us troubleshoot connection issues over
>> the past few days, there's no way to review the logs and figure out
>> what happened back then. Every CCIE we've talked to, and Cisco
>> themselves, seem to not care about firewall traffic logs or the
>> ability to parse and review them. We know about Cisco Security
>> Center, but that seems incapable of handling logs, etc. CS-MARS
>> would've been great, but that's overpriced and now discontinued
>> anyway. We'd hate to spend the time writing our own app if there's a
>> viable product already available (we're willing to pay a reasonable
>> price for one, too).
>
> I don't know of any great commercial products, as I've only built homegrown
> tools for various organizations. I'm curious though, what kinds of features
> are you looking for? Searching log data? Alerting on events based on log
> data?
> Cheers,
> jof
I'd like to fully search on a 'column', a la 'ladder logic' style,
as well as have the data presented in an orderly well-defined fashion.
I know that sounded like the beginnings of "use XML!" but oh dear,
not XML, please. :) Poor syslog is just too flat and in a state of
general disarray. The bizarre arrangement of connection setup, NAT,
non-NAT, traffic destined to the device, originating from the device,
traffic routing across the to another zone, etc. ... it's very
nonsensical, verbose, and frankly maddening.
Best I can tell, the whole thing doesn't make any sense (and was a
bear to tease apart with regex).
I've gotten a few suggestions to check out Splunk, so I'll toss that
into the review pile and see how that works out. Thanks to the folks
who suggested that!
--
Duane Toler
detoler@gmail.com
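The Nagios check Duane mentions, as an added example that is not part of this thread: a Python staleness check over ASA syslog records that reports which firewalls have gone quiet, so a stalled syslog-tls feed is noticed without waiting for a customer call. The record layout ('<ISO 8601 timestamp> <host> <ASA payload>') is an assumed syslog-ng template, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):")  # "%ASA-6-302013: ..." prefix
OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes

def last_seen_per_host(lines):
    """Newest ASA message time per host; assumed template '<ISO 8601 ts> <host> <ASA payload>'."""
    seen = {}
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3 or not ASA_RE.match(parts[2]):
            continue  # not an ASA message, or malformed: skip it
        ts, host = datetime.fromisoformat(parts[0]), parts[1]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def check_feed(lines, expected_hosts, now, warn=timedelta(minutes=10),
               crit=timedelta(minutes=30)):
    """(exit_code, status_line): CRITICAL if never seen or silent >= crit, WARNING if >= warn."""
    seen = last_seen_per_host(lines)
    state, problems = OK, []
    for host in expected_hosts:
        if host not in seen:
            state = CRITICAL
            problems.append(f"{host} never seen")
            continue
        age = now - seen[host]
        if age < warn:
            continue  # feed is fresh
        state = CRITICAL if age >= crit else max(state, WARNING)
        problems.append(f"{host} silent for {int(age.total_seconds())}s")
    label = ["OK", "WARNING", "CRITICAL"][state]
    return state, f"ASA SYSLOG {label}: " + ("; ".join(problems) or "all feeds fresh")

SAMPLE_LINES = [  # constructed records (RFC 5737 addresses); the message ids are real ASA ids
    "2011-11-19T20:30:00-05:00 asa-client-a %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/4123 (203.0.113.5/4123) to inside:192.0.2.10/443 (198.51.100.1/443)",
    "2011-11-19T20:44:10-05:00 asa-client-a %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/4123 to inside:192.0.2.10/443 duration 0:14:10 bytes 5120 TCP FINs",
    "2011-11-19T19:05:00-05:00 asa-client-b %ASA-4-106023: Deny tcp src outside:203.0.113.9/51022 dst inside:192.0.2.10/23 by access-group 'outside_in'",
    "2011-11-19T20:45:00-05:00 asa-client-b syslog-ng[123]: not an ASA message",
]
EXPECTED = ["asa-client-a", "asa-client-b", "asa-client-c"]  # asa-client-c has never reported
NOW = datetime.fromisoformat("2011-11-19T20:46:06-05:00")  # the time of this mail

if __name__ == "__main__":
    code, text = check_feed(SAMPLE_LINES, EXPECTED, NOW)
    print(text)  # ASA SYSLOG CRITICAL: asa-client-b silent for 6066s; asa-client-c never seen
    raise SystemExit(code)
```

In production the records would come from the syslog-ng database the perl script already fills, and the `check_feed` exit code is what Nagios acts on.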