[146703] in North American Network Operators' Group


RE: ASA log viewer

daemon@ATHENA.MIT.EDU (Joe Happe)
Sun Nov 20 07:43:58 2011

From: Joe Happe <Joe.Happe@archlearning.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Sun, 20 Nov 2011 12:42:42 +0000
In-Reply-To: <4EC899E6.3060606@opus1.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Completely agree with Splunk for log searching / analysis, even has some ASA/PIX modules.  Please note, unless something has changed that I completely missed, an ASA/PIX will stop forwarding user traffic if it is configured for TCP syslogs and the connection breaks (no more disk, network issue, etc.).  This is based on the premise that a system cannot be considered secure if the audit trail is unavailable, and TCP syslogging (vs UDP) is usually used to make sure you don't miss an entry due to a dropped packet.  Something that dates back to the old C2 security standard?? (not sure of the current version).  Typically this requires admin intervention (by design) to clear the condition.  If you use UDP for syslog the ASA won't be in this mode, and you won't block traffic if syslog fails.  With that said, there may be a command I'm unaware of that allows a TCP syslog to fail and not block traffic.

~jdh

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder@Opus1.COM]
Sent: Sunday, November 20, 2011 12:11 AM
To: nanog@nanog.org
Subject: Re: ASA log viewer

> I'd like to fully search on a 'column', a la 'ladder logic' style,
> as well as have the data presented in an orderly well-defined fashion.

Yes, Splunk.

See:
http://www.networkworld.com/reviews/2011/092611-splunk-test-250836.html

for a recent Network World test of Splunk which may help.

jms


--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms@Opus1.COM                http://www.opus1.com/jms

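The fail-closed behaviour Joe describes is controlled on the ASA by the `logging permit-hostdown` command, which tells the firewall to keep passing traffic when its TCP syslog server is unreachable. The configuration below is an added example, not text from the thread or Cisco's own documentation; the server address 192.0.2.10 and the interface name "inside" are placeholders, and the exact command set should be checked against the command reference for the ASA release in use.

```cisco
! Added example (not from the thread): ASA syslog settings that control
! whether the firewall blocks traffic when the log server is unreachable.
! Server 192.0.2.10 and interface "inside" are placeholder values.
logging enable
logging timestamp
logging trap informational

! TCP syslog (default port 1470): reliable delivery, but with default
! settings the ASA denies new connections as soon as the TCP syslog
! server stops responding, so the audit trail is never silently lost.
logging host inside 192.0.2.10 tcp/1470

! Fail-open instead: keep forwarding user traffic while the TCP syslog
! server is down, accepting that entries logged during the outage are lost.
logging permit-hostdown

! UDP alternative (default port 514): never blocks traffic, but a dropped
! datagram is a lost log entry because there is no retransmission.
! logging host inside 192.0.2.10 udp/514
```

Which of the three to choose is a risk decision, not a tuning detail: `permit-hostdown` or UDP trades availability of the firewall for completeness of the audit trail. Whichever setting is used, the syslog server's reachability should be monitored independently (for example from the Splunk side, by alerting when the ASA's event stream goes quiet), because with fail-open configured the firewall itself will no longer make a logging outage obvious.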

