Cisco ASA Syslog Messages

Discussion in 'Cisco' started by phir0002@comcast.net, Sep 25, 2007.

  1. Guest

    We recently purchased a piece of software that is going to inspect our
    syslog log files and alert us based on specific queries. The software
    however was not written to read Cisco syslog specifically so we have
    to define pretty tightly what we want to alert on. I have been
    reviewing the documentation regarding the ASA/PIX syslog format and it
    seems helpful except there are so many damn messages and message
    types.

    Does anyone have any suggestions regarding what things to specifically
    look for in the logs? I know this is a very vague question and I know
    a lot of it is based on the position and functionality of our ASAs,
    but what I am really more looking for perhaps are some guidelines or
    perhaps a sample of what others are doing. Perhaps there is some
    documentation other than the massive list of all messages that might
    lend some guidance?

    The problem in theory of course is that I can look through our current
    logs and identify items to be alerted against, but how does one
    anticipate what is going to be in the logs when an actual security
    attack/emergency occurs?

    Any help is greatly appreciated.
    , Sep 25, 2007
    #1
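    A worked example of the kind of flat-file rule the poster is after, added here and not code from the thread or from any of the products it mentions: it pulls the %ASA-<severity>-<message_id> prefix out of Kiwi-style log lines, alerts on an illustrative watch-list of message IDs or on anything at severity 3 or worse, and separately flags a watched ID that repeats within one scan. The watch-list IDs, the Kiwi line layout and the sample lines are assumptions and constructed data, so check each ID against Cisco's syslog message guide for your own ASA.

```python
import re
from collections import Counter

# ASA/PIX syslog records embed "%ASA-<severity>-<message_id>: <text>" (older PIX
# code uses "%PIX-"); severity is 0 (emergency) .. 7 (debug). search() skips any
# Kiwi date/priority/host prefix in front of the record.
ASA_RE = re.compile(r"%(?:ASA|PIX)-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")

# Illustrative watch-list (an assumption, not a Cisco-recommended set): which IDs
# matter depends on the ASA's role, so verify each against Cisco's message guide.
WATCH = {
    "113015": "AAA authentication rejected",
    "605004": "management login denied",
    "106023": "packet denied by access-group",
}
SEV_THRESHOLD = 3   # also alert on anything at 'error' (3) or worse
REPEAT_N = 2        # flag a watched ID seen this many times in one scan

def parse_line(line):
    # Return {'sev', 'msgid', 'text'} for an ASA/PIX record, else None.
    m = ASA_RE.search(line)
    if m is None:
        return None
    return {"sev": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}

def scan(lines):
    # Return (alerts, repeated): one alert per matching line, plus watched IDs
    # whose count reached REPEAT_N, which catches bursts a single line would not.
    alerts, counts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # not an ASA/PIX record (e.g. Kiwi's own status lines)
            continue
        counts[rec["msgid"]] += 1
        if rec["msgid"] in WATCH or rec["sev"] <= SEV_THRESHOLD:
            why = WATCH.get(rec["msgid"], "severity %d" % rec["sev"])
            alerts.append((rec["msgid"], why, rec["text"]))
    repeated = {mid: n for mid, n in counts.items() if mid in WATCH and n >= REPEAT_N}
    return alerts, repeated

# Constructed sample lines in an assumed Kiwi-style flat-file layout (not a real capture).
SAMPLE_LINES = [
    "2007-09-25 09:54:31\tLocal4.Info\t10.0.0.1\t%ASA-6-302013: Built inbound TCP connection 4711 for outside:192.0.2.10/51234 (192.0.2.10/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "2007-09-25 09:54:32\tLocal4.Warning\t10.0.0.1\t%ASA-4-106023: Deny tcp src outside:192.0.2.10/51235 dst inside:10.0.0.5/23 by access-group \"outside_in\"",
    "2007-09-25 09:54:40\tLocal4.Info\t10.0.0.1\t%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.9 : user = admin",
    "2007-09-25 09:54:41\tLocal4.Info\t10.0.0.1\t%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.9 : user = admin",
    "2007-09-25 09:54:43\tLocal4.Info\t10.0.0.1\t%ASA-6-605004: Login denied from 192.0.2.10/51250 to outside:203.0.113.1/ssh for user \"admin\"",
    "2007-09-25 09:55:00\tLocal4.Alert\t10.0.0.1\t%ASA-1-105005: (Primary) Lost Failover communications with mate on interface inside",
    "2007-09-25 09:55:01\tKiwi\t10.0.0.1\tKiwi Syslog Daemon statistics: 6 messages received",
]

if __name__ == "__main__":
    for item in scan(SAMPLE_LINES)[0]:
        print("ALERT", *item)
```

The routine connection-built line (302013) is counted but never alerted, which is the point: alert on message IDs and severities you have chosen, not on volume.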

  2. Merv Guest

    On Sep 24, 9:50 pm, wrote:
    > We recently purchased a piece of software that is going to inspect our
    > syslog log files and alert us based on specific queries. The software
    > however was not written to read Cisco syslog specifically so we have
    > to define pretty tightly what we want to alert on. I have been
    > reviewing the documentation regarding the ASA/PIX syslog format and it
    > seems helpful except there are so many damn messages and message
    > types.
    >
    > Does anyone have any suggestions regarding what things to specifically
    > look for in the logs. I know this is a very vague question and I know
    > a lot of it is based on the position and functionality of our ASAs,
    > but what I am really more looking for perhaps are some guidelines or
    > perhaps a sample of what others are doing. Perhaps there is some
    > documentation other than the massive list of all messages that might
    > lend some guidance?
    >
    > The problem in theory of course is that I can look through our current
    > logs and identify items to be alerted against, but how does one
    > anticipate what is going to be in the logs when an actual security
    > attack/emergency occurs.
    >
    > Any help is greatly appreciated.



    take a look at some of the PIX syslog tools at

    http://www.loganalysis.org/sections/parsing/application-specific/index.html
    Merv, Sep 25, 2007
    #2

  3. Lenny Guest

    On Sep 24, 9:50 pm, wrote:
    > We recently purchased a piece of software that is going to inspect our
    > syslog log files and alert us based on specific queries. The software
    > however was not written to read Cisco syslog specifically so we have
    > to define pretty tightly what we want to alert on. I have been
    > reviewing the documentation regarding the ASA/PIX syslog format and it
    > seems helpful except there are so many damn messages and message
    > types.
    >
    > Does anyone have any suggestions regarding what things to specifically
    > look for in the logs. I know this is a very vague question and I know
    > a lot of it is based on the position and functionality of our ASAs,
    > but what I am really more looking for perhaps are some guidelines or
    > perhaps a sample of what others are doing. Perhaps there is some
    > documentation other than the massive list of all messages that might
    > lend some guidance?
    >
    > The problem in theory of course is that I can look through our current
    > logs and identify items to be alerted against, but how does one
    > anticipate what is going to be in the logs when an actual security
    > attack/emergency occurs.
    >
    > Any help is greatly appreciated.


    I'm still trying to get my syslog to log ssh attempts and I have
    everything on debug and I still don't see these attempts in syslog. :-(
    What software are you using?

    GNY
    Lenny, Sep 25, 2007
    #3
  4. Guest

    On Tue, 25 Sep 2007 09:54:31 -0000, Lenny
    <> wrote:

    >On Sep 24, 9:50 pm, wrote:
    >> We recently purchased a piece of software that is going to inspect our
    >> syslog log files and alert us based on specific queries. The software
    >> however was not written to read Cisco syslog specifically so we have
    >> to define pretty tightly what we want to alert on. I have been
    >> reviewing the documentation regarding the ASA/PIX syslog format and it
    >> seems helpful except there are so many damn messages and message
    >> types.
    >>
    >> Does anyone have any suggestions regarding what things to specifically
    >> look for in the logs. I know this is a very vague question and I know
    >> a lot of it is based on the position and functionality of our ASAs,
    >> but what I am really more looking for perhaps are some guidelines or
    >> perhaps a sample of what others are doing. Perhaps there is some
    >> documentation other than the massive list of all messages that might
    >> lend some guidance?
    >>
    >> The problem in theory of course is that I can look through our current
    >> logs and identify items to be alerted against, but how does one
    >> anticipate what is going to be in the logs when an actual security
    >> attack/emergency occurs.
    >>
    >> Any help is greatly appreciated.

    >
    >I'm still trying to get my syslog to log ssh attempts and I have
    >everything on debug and I still don't see these attempts in syslog. :-(
    >What software are you using?
    >
    >GNY


    We are using a product called EventTracker. It has a Cisco syslog
    feature built in but the licensing for it was additional to the
    standard license and the bosses did not want to shell out the cash. So
    instead we are trying to use the flat file read feature of the
    software to read the Kiwi syslog file and alert against adverse
    messages within.
    , Sep 25, 2007
    #4
  5. Guest

    On Tue, 25 Sep 2007 02:14:50 -0700, Merv <>
    wrote:

    >On Sep 24, 9:50 pm, wrote:
    >> We recently purchased a piece of software that is going to inspect our
    >> syslog log files and alert us based on specific queries. The software
    >> however was not written to read Cisco syslog specifically so we have
    >> to define pretty tightly what we want to alert on. I have been
    >> reviewing the documentation regarding the ASA/PIX syslog format and it
    >> seems helpful except there are so many damn messages and message
    >> types.
    >>
    >> Does anyone have any suggestions regarding what things to specifically
    >> look for in the logs. I know this is a very vague question and I know
    >> a lot of it is based on the position and functionality of our ASAs,
    >> but what I am really more looking for perhaps are some guidelines or
    >> perhaps a sample of what others are doing. Perhaps there is some
    >> documentation other than the massive list of all messages that might
    >> lend some guidance?
    >>
    >> The problem in theory of course is that I can look through our current
    >> logs and identify items to be alerted against, but how does one
    >> anticipate what is going to be in the logs when an actual security
    >> attack/emergency occurs.
    >>
    >> Any help is greatly appreciated.

    >
    >
    >take a look at some of the PIX syslog tools at
    >
    >http://www.loganalysis.org/sections/parsing/application-specific/index.html
    >


    Thanks for the link, although some of those tools appear to be
    helpful, I have been tasked with making the software we already have
    work, which is why I am soliciting examples for configuration or
    perhaps sample policies.

    Thanks again though.
    , Sep 25, 2007
    #5
  6. Guest

    Hi,

    Perhaps it will be interesting. You can try Syslog Watcher by SnmpSoft
    ( http://www.snmpsoft.com ). It can interpret messages from Cisco IOS
    and CatOS devices (if you install Vendor Pack addon). Vendor has
    promised to add support for ASA/PIX soon.

    /Edward
    , Oct 16, 2007
    #6
  7. haimko

    Log Analysis for PIX

    Have a look at the resources and tools for analyzing PIX logs at
    loganalysis.com

    If you are interested in a log management solution, have a look at XpoLog Center at xpolog.com
    haimko, Feb 11, 2010
    #7