On Sat, Nov 19, 2011 at 20:30, Jonathan Lassoff <[email protected]> wrote:
> On Sat, Nov 19, 2011 at 4:51 PM, Duane Toler <[email protected]> wrote:
>>
>> Hey NANOG!
>>
>> My employer is deploying Cisco ASA firewalls to our clients (specifically the 5505, 5510 for our smaller clients). We are having problems finding a decent log viewer. Several products seem to mean well, but they all fall short for various reasons. We primarily use Check Point firewalls, and for those of you with that experience, you know the SmartView Tracker is quite powerful. Is there anything close to the flexibility and filtering capabilities of Check Point's SmartView Tracker?
>>
>> For now, I've been dumping the logs via syslog with TLS using syslog-ng to our server, but that is mediocre at best with varying degrees of reliability. The syslog-ng server then sends that to a perl script to put that into a database. That allows us to run our monthly reports, but that doesn't help us with live or historical log parsing and filtering (see above, re: SmartView Tracker).
>
> It sounds like you've already got a pretty good aggregation setup going here. I've had great luck with UDP syslog from devices to a site-local log aggregator that then ships off log streams to a central place over TCP (for the WAN paths) and/or TLS/SSL.
> It sounds like you may have something similar going here, though I'd be curious to know where you've had this fall down reliability-wise.

We considered that, but didn't want to "burden" small customers with a classic scenario of "ok well you have to have our other box in your room" and have to deal with procurement, maintenance, upkeep, monitoring, blah blah. Recent ASA code (8.3-ish, 8.4? I forget) had syslog-TLS built in and was finally able to ship logs out across the lowest security zone, which was quite a nice addition.

The breakdown is periodic log-reporting failures. After some indeterminate time, the device seems to just "give up" and just not send logs. Plus, it doesn't reconnect on a failure. I added a Nagios check to monitor the state of things, so now I get notified in this situation (or at least within a few minutes). When this does occur, I ssh to the ASA and have to run 'no logging enable' and then 'logging enable' to "jump start" it again. Sometimes that's not even enough and I have to remove the logging command for external syslog and re-add it again. It's very weird and quite spurious.

>>
>> If a customer called to help us troubleshoot connection issues over the past few days, there's no way to review the logs and figure out what happened back then. Every CCIE we've talked to, and Cisco themselves, seem to not care about firewall traffic logs or the ability to parse and review them. We know about Cisco Security Center, but that seems incapable of handling logs, etc. CS-MARS would've been great, but that's overpriced and now discontinued anyway. We'd hate to spend the time writing our own app if there's a viable product already available (we're willing to pay a reasonable price for one, too).
>
> I don't know of any great commercial products, as I've only built homegrown tools for various organizations. I'm curious though, what kinds of features are you looking for? Searching log data? Alerting on events based on log data?
>
> Cheers,
> jof

I'd like to fully search on a 'column', a la 'ladder logic' style, as well as have the data presented in an orderly, well-defined fashion. I know that sounded like the beginnings of "use XML!" but oh dear, not XML, please. :)

Poor syslog is just too flat and in a state of general disarray. The bizarre arrangement of connection setup, NAT, non-NAT, traffic destined to the device, originating from the device, traffic routing across to another zone, etc. ... it's very nonsensical, verbose, and frankly maddening. Best I can tell, the whole thing doesn't make any sense (and was a bear to tease apart with regex).

I've gotten a few suggestions to check out Splunk, so I'll toss that into the review pile and see how that works out. Thanks to the folks who suggested that!

-- 
Duane Toler
[email protected]
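Added example, not code from anyone in this thread: a small Python parser that does the "tease apart with regex" step Duane describes for the three ASA traffic messages that carry most of the connection story (302013 Built, 302014 Teardown, 106023 Deny), turns each into named columns so it can be filtered per field, and includes the kind of staleness check the Nagios probe performs (a firewall whose last message is older than a threshold has probably stopped logging). It assumes a syslog-ng style "Mon DD hh:mm:ss host" header in front of the ASA text, the message layouts from Cisco's ASA syslog message reference (the lower-security interface is printed first after "for", so on an outbound connection the initiator is the "to" side and Teardown, which omits the direction, is oriented by joining on the connection number to the Built line), and the sample lines are constructed, not captured from a device.

```python
"""Column-oriented parsing of Cisco ASA syslog (added example, not from the thread).

Message layouts follow the ASA syslog message reference for 302013 (Built),
302014 (Teardown) and 106023 (Deny). The sample lines at the bottom are
constructed for illustration, not captured from a real firewall.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Assumed collector header ("Mon DD hh:mm:ss host", as syslog-ng writes it) is
# optional; every ASA message then carries "%ASA-<severity>-<msgid>: <text>".
_HDR = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) )?(?:(?P<host>\S+) )?"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")

def _ep(p: str) -> str:
    """Regex for one endpoint as the ASA prints it: zone:ip/port, groups prefixed with p."""
    return rf"(?P<{p}zone>[\w.-]+):(?P<{p}ip>[0-9a-fA-F.:]+)/(?P<{p}port>\d+)"

_BUILT = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection (?P<conn>\d+) for "
    + _ep("for") + r" \([^)]*\) to " + _ep("to") + r" \([^)]*\)")
_TEARDOWN = re.compile(
    r"Teardown (?P<proto>\w+) connection (?P<conn>\d+) for " + _ep("for")
    + r" to " + _ep("to") + r" duration (?P<duration>\S+) bytes (?P<bytes>\d+)")
_DENY = re.compile(
    r"Deny (?P<proto>\w+) src " + _ep("src") + r" dst " + _ep("dst")
    + r' by access-group "(?P<acl>[^"]+)"')

@dataclass
class Flow:
    """One ASA event normalised to initiator (src) -> responder (dst)."""
    ts: Optional[str]
    host: Optional[str]
    severity: int
    msgid: str
    action: str                      # built | teardown | deny
    proto: str
    src_zone: str; src_ip: str; src_port: int
    dst_zone: str; dst_ip: str; dst_port: int
    extra: Dict[str, str] = field(default_factory=dict)

def _sides(m, src: str, dst: str) -> Dict[str, object]:
    """Map the endpoint groups prefixed src/dst onto the Flow's src_*/dst_* columns."""
    return dict(src_zone=m[src + "zone"], src_ip=m[src + "ip"], src_port=int(m[src + "port"]),
                dst_zone=m[dst + "zone"], dst_ip=m[dst + "ip"], dst_port=int(m[dst + "port"]))

class AsaParser:
    """Turns ASA syslog lines into Flow records.

    The ASA prints the lower-security interface first ("for ...") regardless of
    who initiated: on an outbound connection the initiator is the "to" side, on
    inbound it is the "for" side. Teardown omits the direction, so the one seen
    in the Built message is remembered per connection number and reused.
    """
    def __init__(self) -> None:
        self._dir: Dict[str, str] = {}

    def parse(self, line: str) -> Optional[Flow]:
        h = _HDR.match(line.strip())
        if not h:
            return None
        base = dict(ts=h["ts"], host=h["host"], severity=int(h["sev"]), msgid=h["msgid"])
        text = h["text"]
        if h["msgid"] == "302013" and (m := _BUILT.match(text)):
            self._dir[m["conn"]] = m["dir"]
            src, dst = ("to", "for") if m["dir"] == "outbound" else ("for", "to")
            return Flow(**base, action="built", proto=m["proto"].lower(), **_sides(m, src, dst),
                        extra={"conn": m["conn"], "direction": m["dir"]})
        if h["msgid"] == "302014" and (m := _TEARDOWN.match(text)):
            d = self._dir.pop(m["conn"], None)   # None if the Built line was never seen
            src, dst = ("to", "for") if d == "outbound" else ("for", "to")
            return Flow(**base, action="teardown", proto=m["proto"].lower(), **_sides(m, src, dst),
                        extra={"conn": m["conn"], "direction": d or "unknown",
                               "duration": m["duration"], "bytes": m["bytes"]})
        if h["msgid"] == "106023" and (m := _DENY.match(text)):
            return Flow(**base, action="deny", proto=m["proto"].lower(), **_sides(m, "src", "dst"),
                        extra={"acl": m["acl"]})
        return None   # other message ids (NAT, device-originated, ...) need more patterns

def select(flows: Iterable[Flow], **where: object) -> List[Flow]:
    """Column filter, e.g. select(flows, action="deny", dst_port=22)."""
    return [f for f in flows if all(getattr(f, k) == v for k, v in where.items())]

def stale_sources(last_seen: Dict[str, float], now: float, max_gap: float) -> List[str]:
    """Nagios-style check: hosts whose newest message (epoch seconds) is older than max_gap."""
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)

# Constructed sample: one short outbound HTTPS session and one blocked inbound SSH probe.
SAMPLE = [
    "Nov 19 20:30:01 asa-client1 %ASA-6-302013: Built outbound TCP connection 1001 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.10/51234 (198.51.100.2/51234)",
    'Nov 19 20:30:02 asa-client1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4444 '
    'dst inside:192.168.1.10/22 by access-group "outside_access_in" [0x0, 0x0]',
    "Nov 19 20:30:06 asa-client1 %ASA-6-302014: Teardown TCP connection 1001 for "
    "outside:203.0.113.5/443 to inside:192.168.1.10/51234 duration 0:00:05 bytes 8421 TCP FINs",
]

def parse_all(lines: Iterable[str] = SAMPLE) -> List[Flow]:
    """Parse a stream of lines with one parser so Built/Teardown state is shared."""
    p = AsaParser()
    return [f for f in map(p.parse, lines) if f is not None]
```

Feeding the same parser instance a whole day of lines and then calling select() on the result gives the per-column search the thread asks for without a schema change; adding a message id is one more regex plus one branch in parse(). The stale_sources() check is what a collector-side probe would run against the newest timestamp seen per firewall, which catches the "device quietly stopped sending" failure independently of the ASA's own logging state.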

