[146704] in North American Network Operators' Group


RE: ASA log viewer

daemon@ATHENA.MIT.EDU (jjanusze@wd-tek.com)
Sun Nov 20 09:24:53 2011

Date: Sun, 20 Nov 2011 09:23:29 -0500 (EST)
From: "jjanusze@wd-tek.com" <jjanusze@wd-tek.com>
To: Joe Happe <Joe.Happe@archlearning.com>
In-Reply-To: <B3EFDDF4FEB4EA4B860629A6EAB0A7B705632E27@SIDFWCRPMBX002.us.si.lan>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Reply-To: "jjanusze@wd-tek.com" <jjanusze@wd-tek.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

The logging host command enables a secure connection via TLS, and lets you configure
use of a TCP port for logging.


    e.g., interface_name syslog_ip [tcp/port] [emblem format] [secure]


Also, when you do a sho log, do you have the following set?


    Deny Conn when Queue Full: disabled



On November 20, 2011 at 7:42 AM Joe Happe <Joe.Happe@archlearning.com> wrote:

> Completely agree with Splunk for log searching / analysis, even has some
> ASA/PIX modules.  Please note, unless something has changed that I completely
> missed, an ASA/PIX will stop forwarding user traffic if it is configured for
> tcp syslogs and the connection breaks.  (no more disk, network issue, etc)
> This is based on the premise that a system cannot be considered secure if the
> audit trail is unavailable, and tcp syslogging (vs udp) is usually used to make
> sure you don't miss an entry due to a dropped packet.  Something that dates
> back to the old C2 security standard?? (not sure of the current version).
> Typically this requires admin intervention (by design) to clear the
> condition.  If you use udp for syslog the ASA won't be in this mode, and you
> won't block traffic if syslog fails.  With that said, there may be a command
> I'm unaware of that allows a tcp syslog to fail and not block traffic.
>
> ~jdh
>
> -----Original Message-----
> From: Joel M Snyder [mailto:Joel.Snyder@Opus1.COM]
> Sent: Sunday, November 20, 2011 12:11 AM
> To: nanog@nanog.org
> Subject: Re: ASA log viewer
>
> > I'd like to fully search on a 'column', a la 'ladder logic' style,
> > as well as have the data presented in an orderly well-defined fashion.
>
> Yes, Splunk.
>
> See:
> http://www.networkworld.com/reviews/2011/092611-splunk-test-250836.html
>
> for a recent Network World test of Splunk which may help.
>
> jms
>
>
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Senior Partner, Opus One       Phone: +1 520 324 0494
> jms@Opus1.COM                  http://www.opus1.com/jms
>
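The fail-closed behaviour Joe Happe describes (a TCP syslog collector going away and the ASA then blocking user traffic) and the "Deny Conn when Queue Full" line the reply points at can be audited from captured CLI output. The script below is an added example, not code from the thread; the `show logging` text is a constructed sample, and its line layout (the `Logging to <interface> <host> tcp/<port>` lines under "Trap logging") is an assumption about ASA output, not something the thread confirms.

```python
import re

# Constructed sample of ASA "show logging" output (not taken from the thread).
# The exact line layout is an assumption; "Deny Conn when Queue Full" is the
# line the reply above asks about.
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Deny Conn when Queue Full: enabled
    Console logging: disabled
    Trap logging: level informational, facility 20, 41233 messages logged
        Logging to inside 10.0.0.5 tcp/1470
        Logging to inside 10.0.0.6
"""

HOST_RE = re.compile(r"^\s*Logging to (\S+) (\S+)(?: (tcp|udp)/(\d+))?", re.I)
SETTING_RE = re.compile(r"^\s*([A-Za-z -]+?):\s*(enabled|disabled)\s*$", re.I)

def parse_show_logging(text):
    """Return ({setting: bool}, [(interface, host, proto, port), ...])."""
    settings, hosts = {}, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            iface, host, proto, port = m.groups()
            # No transport shown: assume the ASA default of udp/514.
            hosts.append((iface, host, (proto or "udp").lower(), int(port or 514)))
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(2).lower() == "enabled"
    return settings, hosts

def denies_when_queue_full(text):
    """True when the ASA drops new connections once its syslog queue fills."""
    return parse_show_logging(text)[0].get("deny conn when queue full", False)

def fail_closed_hosts(text):
    """Syslog hosts whose outage can stop user traffic: TCP collectors while the
    deny setting is enabled. An unreachable TCP collector fills the queue and the
    ASA blocks new connections until an admin clears it; UDP hosts never trigger
    this. The ASA knob that relaxes it is 'logging permit-hostdown' (not in thread)."""
    settings, hosts = parse_show_logging(text)
    if not settings.get("deny conn when queue full", False):
        return []
    return [h for h in hosts if h[2] == "tcp"]
```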
