Cisco ASA Syslog Messages

 
 
phir0002@comcast.net
09-25-2007
We recently purchased a piece of software that is going to inspect our
syslog log files and alert us based on specific queries. The software
however was not written to read Cisco syslog specifically so we have
to define pretty tightly what we want to alert on. I have been
reviewing the documentation regarding the ASA/PIX syslog format and it
seems helpful except there are so many damn messages and message
types.

Does anyone have any suggestions regarding what things to specifically
look for in the logs? I know this is a very vague question and I know
a lot of it is based on the position and functionality of our ASAs,
but what I am really looking for are perhaps some guidelines or
perhaps a sample of what others are doing. Perhaps there is some
documentation other than the massive list of all messages that might
lend some guidance?

The problem in theory, of course, is that I can look through our current
logs and identify items to be alerted against, but how does one
anticipate what is going to be in the logs when an actual security
attack/emergency occurs?

Any help is greatly appreciated.
 
Merv
09-25-2007
On Sep 24, 9:50 pm, (E-Mail Removed) wrote:
Take a look at some of the PIX syslog tools at
http://www.loganalysis.org/sections/...fic/index.html

 
Lenny
09-25-2007
On Sep 24, 9:50 pm, (E-Mail Removed) wrote:
I'm still trying to get my syslog to log SSH attempts and I have
everything on debug and I still don't see these attempts in syslog. :-(
What software are you using?

GNY
 
phir0002@comcast.net
09-25-2007
On Tue, 25 Sep 2007 09:54:31 -0000, Lenny <(E-Mail Removed)> wrote:

We are using a product called EventTracker. It has a Cisco syslog
feature built in but the licensing for it was additional to the
standard license and the bosses did not want to shell out the cash. So
instead we are trying to use the flat file read feature of the
software to read the Kiwi syslog file and alert against adverse
messages within.
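
For the flat-file approach described above, here is an added example (not from the thread, EventTracker or Kiwi): a small Python reader that parses Cisco ASA/PIX syslog lines in the %ASA-severity-messageID format and flags a starter set of message IDs worth alerting on. The message IDs are standard ASA ones; the descriptions, the severity threshold and the sample lines are constructed assumptions.

```python
import re

# Cisco ASA/PIX syslog payload: %ASA-<severity>-<message_id>: <text>
# (PIX/FWSM use the same layout with their own prefix). Kiwi prepends its
# own date/time/facility columns, so the token is searched for anywhere.
ASA_RE = re.compile(r"%(?:ASA|PIX|FWSM)-(\d)-(\d{6}):\s*(.*)")

# Standard ASA message IDs that make a reasonable first alert set; the
# short descriptions are our assumption, the IDs themselves are Cisco's.
ALERT_IDS = {
    "113005": "AAA authentication rejected",
    "605004": "Login to the firewall itself denied",
    "111008": "Configuration command executed on the firewall",
    "710003": "Connection to a firewall interface denied by ACL",
    "733100": "Threat-detection rate exceeded",
}
ALWAYS_ALERT_SEVERITY = 2  # severities 0-2 (emergency..critical) always alert

def parse_line(line):
    """Return (severity, message_id, text) or None for non-ASA lines."""
    m = ASA_RE.search(line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def classify(line):
    """Return an alert reason, or None if the line is routine."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    sev, msg_id, _text = parsed
    if msg_id in ALERT_IDS:
        return ALERT_IDS[msg_id]
    if sev <= ALWAYS_ALERT_SEVERITY:
        return "severity %d message" % sev
    return None

def scan(lines):
    """Return [(reason, message_id, line)] for every line that should alert."""
    return [(classify(ln), parse_line(ln)[1], ln.rstrip())
            for ln in lines if classify(ln)]

# Constructed sample lines in Kiwi's flat-file shape (not from a real device).
SAMPLE = [
    "2007-09-25 09:54:32 Local4.Warning 192.0.2.1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.0.0.5/23 by access-group \"outside_in\"",
    "2007-09-25 09:54:33 Local4.Info 192.0.2.1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.20 : user = admin",
    "2007-09-25 09:54:34 Local4.Notice 192.0.2.1 %ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.",
    "2007-09-25 09:54:35 Local4.Critical 192.0.2.1 %ASA-2-106001: Inbound TCP connection denied from 198.51.100.9/4000 to 10.0.0.5/22 flags SYN on interface outside",
    "2007-09-25 09:54:36 Kiwi Syslog Daemon started",
]
```

scan(SAMPLE) flags the 113005, 111008 and 106001 lines; the 106023 ACL deny is left alone as routine noise, which is the point of matching on message ID and severity rather than on the word "Deny".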
 
phir0002@comcast.net
09-25-2007
On Tue, 25 Sep 2007 02:14:50 -0700, Merv <(E-Mail Removed)> wrote:

Thanks for the link. Although some of those tools appear to be
helpful, I have been tasked with making the software we already have
work, which is why I am soliciting examples for configuration or
perhaps sample policies.

Thanks again though.
 
edward.petercon@gmail.com
10-16-2007
Hi,

Perhaps this will be of interest. You can try Syslog Watcher by SnmpSoft
( http://www.snmpsoft.com ). It can interpret messages from Cisco IOS
and CatOS devices (if you install the Vendor Pack add-on). The vendor has
promised to add support for ASA/PIX soon.

/Edward

 
haimko
02-11-2010
Have a look at the resources and tools for analyzing PIX logs at
loganalysis.com

If you are interested in a log management solution, have a look at XpoLog Center (xpolog.com).
 