Velocity Reviews


phir0002@comcast.net 09-25-2007 01:50 AM

Cisco ASA Syslog Messages
 
We recently purchased a piece of software that is going to inspect our
syslog log files and alert us based on specific queries. The software
however was not written to read Cisco syslog specifically so we have
to define pretty tightly what we want to alert on. I have been
reviewing the documentation regarding the ASA/PIX syslog format and it
seems helpful except there are so many damn messages and message
types.

Does anyone have any suggestions regarding what things to specifically
look for in the logs? I know this is a very vague question and I know
a lot of it is based on the position and functionality of our ASAs,
but what I am really more looking for perhaps are some guidelines or
perhaps a sample of what others are doing. Perhaps there is some
documentation other than the massive list of all messages that might
lend some guidance?

The problem in theory of course is that I can look through our current
logs and identify items to be alerted against, but how does one
anticipate what is going to be in the logs when an actual security
attack/emergency occurs?

Any help is greatly appreciated.

Merv 09-25-2007 09:14 AM

Re: Cisco ASA Syslog Messages
 
On Sep 24, 9:50 pm, phir0...@comcast.net wrote:

take a look at some of the PIX syslog tools at

http://www.loganalysis.org/sections/...fic/index.html



Lenny 09-25-2007 09:54 AM

Re: Cisco ASA Syslog Messages
 
On Sep 24, 9:50 pm, phir0...@comcast.net wrote:

I'm still trying to get my syslog to log SSH attempts and I have
everything on debug and I still don't see these attempts in syslog. :-(
What software are you using?

GNY


phir0002@comcast.net 09-25-2007 12:31 PM

Re: Cisco ASA Syslog Messages
 
On Tue, 25 Sep 2007 09:54:31 -0000, Lenny
<Leonard.Bernstein@gmail.com> wrote:

>
>I'm still trying to get my syslog to log SSH attempts and I have
>everything on debug and I still don't see these attempts in syslog. :-(
>What software are you using?
>
>GNY


We are using a product called EventTracker. It has a Cisco syslog
feature built in but the licensing for it was additional to the
standard license and the bosses did not want to shell out the cash. So
instead we are trying to use the flat file read feature of the
software to read the Kiwi syslog file and alert against adverse
messages within.
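
One way to make the "tightly defined" queries concrete for a flat-file reader, as an added example that is not code from this thread, from EventTracker or from Kiwi: a small Python parser for the %ASA-severity-msgid header, a short explicit rule list, and a cross-line threshold for repeated SSH login failures that no single message shows. The sample lines and the tab-separated Kiwi column layout are constructed assumptions; only the part after the % sign is actually parsed.

```python
import re
from collections import Counter

# Cisco ASA/PIX syslog header: %ASA-<severity 0-7>-<6-digit message id>: <text>.
# The platform tag is captured so one rule set covers ASA, PIX and FWSM output.
ASA_RE = re.compile(r"%(?P<plat>ASA|PIX|FWSM)-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
SRC_RE = re.compile(r"from (?:\w+:)?(?P<ip>\d+(?:\.\d+){3})/\d+")

# Constructed sample; the tab-separated Kiwi column layout is an assumption, the parser only needs the tail.
SAMPLE_LOG = """\
2007-09-25\t01:50:12\tLocal4.Info\t10.0.0.1\t%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:192.0.2.10/443 (192.0.2.10/443)
2007-09-25\t01:50:13\tLocal4.Warning\t10.0.0.1\t%ASA-4-106023: Deny tcp src outside:203.0.113.7/51235 dst inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]
2007-09-25\t01:50:14\tLocal4.Info\t10.0.0.1\t%ASA-6-605004: Login denied from 203.0.113.7/51236 to outside:198.51.100.1/ssh for user "admin"
2007-09-25\t01:50:15\tLocal4.Info\t10.0.0.1\t%ASA-6-605004: Login denied from 203.0.113.7/51237 to outside:198.51.100.1/ssh for user "root"
2007-09-25\t01:50:16\tLocal4.Info\t10.0.0.1\t%ASA-6-605004: Login denied from 203.0.113.7/51238 to outside:198.51.100.1/ssh for user "cisco"
2007-09-25\t01:50:18\tLocal4.Notice\t10.0.0.1\t%ASA-5-111010: User 'netops', running 'CLI' from IP 192.0.2.50, executed 'access-list outside_in permit tcp any any'
2007-09-25\t01:50:19\tLocal4.Critical\t10.0.0.1\t%ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/4444 to 192.0.2.10/445 flags SYN on interface outside
2007-09-25\t01:50:20\tLocal4.Info\t10.0.0.1\tKiwi Syslog Daemon: heartbeat (constructed non-ASA line, must be skipped)
"""

# Explicit rules: severity 0-2, management-plane login failures, configuration changes
# and ACL denies aimed at management ports are the kind of tightly defined queries asked for.
RULES = [
    ("high_severity", lambda m: int(m["sev"]) <= 2),
    ("ssh_login_denied", lambda m: m["msgid"] == "605004"),
    ("config_change", lambda m: m["msgid"] in ("111008", "111010")),
    ("acl_deny_to_mgmt_port", lambda m: m["msgid"] == "106023"
     and re.search(r" dst \w+:[\d.]+/(22|23|443)\b", m["text"]) is not None),
]

def parse_line(line):
    """Return the header fields of an ASA/PIX message, or None for any other line."""
    mo = ASA_RE.search(line)
    return mo.groupdict() if mo else None

def evaluate(log_text, fail_threshold=3):
    """Apply RULES per line, then add one alert for repeated login failures from a single source."""
    alerts, seen, failures = [], Counter(), Counter()
    for raw in log_text.splitlines():
        m = parse_line(raw)
        if m is None:
            continue  # Kiwi housekeeping, other devices, truncated lines
        seen[m["msgid"]] += 1
        alerts += [(name, m["msgid"], m["text"]) for name, pred in RULES if pred(m)]
        if m["msgid"] == "605004" and (src := SRC_RE.search(m["text"])):
            failures[src["ip"]] += 1
    for ip, n in failures.items():
        if n >= fail_threshold:
            alerts.append(("repeated_login_failures", "605004", f"{n} failures from {ip}"))
    return alerts, seen
```

The `seen` counter is the part worth keeping long term: a baseline of which message ids a given ASA actually emits makes it obvious which ones are new when an incident does happen.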

phir0002@comcast.net 09-25-2007 12:34 PM

Re: Cisco ASA Syslog Messages
 
On Tue, 25 Sep 2007 02:14:50 -0700, Merv <merv.hrabi@rogers.com>
wrote:

>
>
>take a look at some of the PIX syslog tools at
>
>http://www.loganalysis.org/sections/...fic/index.html
>


Thanks for the link. Although some of those tools appear to be
helpful, I have been tasked with making the software we already have
work, which is why I am soliciting examples of configuration or
perhaps sample policies.

Thanks again though.

edward.petercon@gmail.com 10-16-2007 10:16 PM

Re: Cisco ASA Syslog Messages
 
Hi,

Perhaps this will be interesting. You can try Syslog Watcher by SnmpSoft
( http://www.snmpsoft.com ). It can interpret messages from Cisco IOS
and CatOS devices (if you install the Vendor Pack addon). The vendor has
promised to add support for ASA/PIX soon.

/Edward


haimko 02-11-2010 12:38 AM

Log Analysis for PIX
 
Have a look at the resources and tools for analyzing PIX logs at
loganalysis.com.

If you are interested in a log management solution, then look at XpoLog Center (xpolog.com).

