I'm just resurrecting this a bit. I encountered this also on 2.5.1 with an
ASA (2.6 still uses the old version so I assume the problem exists as well).
It seems to be some quirkiness with the SSH on the ASA. Apart from the
additional "Connection to ... closed by remote host" that appears from time
to time, it adds an additional newline as well.
The solution I found is to only capture the output before it logs off.
Someone probably has a more elegant way of doing this but this is my quick
and dirty hack.
902 ssh_asa-fwsmconfig_diff
--- ssh_asa-fwsmconfig_diff.20110902 2011-09-02 05:20:54.000000000 +0000
+++ ssh_asa-fwsmconfig_diff 2011-09-02 14:23:00.000000000 +0000
@@ -13,7 +13,7 @@
if {$argc < 1} {
- send_user "ERROR: ssh_pixconfig_diff <hostname> <commands>\n";
+ send_user "ERROR: ssh_asa-fwsmconfig_diff <hostname> <commands>\n";
exit 1;
}
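Review bot: the corrected usage string still advertises two required arguments, `<hostname> <commands>`, while the guard on the context line above it is `if {$argc < 1}`, so an invocation with only a hostname passes the check and never sees this message. Either tighten the test to `$argc < 2` or mark the commands argument as optional in the usage text, so the error message and the check agree.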
@@ -188,20 +188,26 @@
send_user "\nSTORE: now\n"
send "term pager 0\r"
+expect "*#"
# Excluding uptime from the output
send "show version | grep -v Configuration last| up\r"
+expect "*#"
send "show running-config\r"
+expect "*#"
send "$commands\r"
-send "exit\r"
expect {
+ "*#" {
+ send_user "\nINFO: Finished.\n"
+ send "exit\r"
+ exit 0;
+ }
timeout {
send_user "ERROR: Timeout while running commands on host: $hostname
.\n"
exit 1;
}
eof {
- send_user "\nINFO: Finished.\n"
exit 0;
}
}
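Review bot: the three bare `expect "*#"` lines added after `term pager 0`, `show version` and `show running-config` have no `timeout` or `eof` branch, unlike the final `expect { ... }` block. If the prompt does not come back, each one waits out the timeout and the script then sends the next command anyway, so a stalled or dropped session can still be stored as a short capture and reported as a config change. Consider giving them the same `timeout`/`eof` handling that exits 1 with an error. The pattern `"*#"` is also satisfied by any `#` in the device output, not only the prompt, so a `#` inside the running-config could end a wait early; matching on the hostname followed by `#` would be tighter. Lastly, the new `"*#"` branch calls `exit 0;` right after `send "exit\r"`, which is what keeps the disconnect message out of the capture, and a one-line comment saying so would stop someone from "fixing" it later.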
Regards,
Neil Quiogue
On 31 May 2011 15:46, dan (ddp) <[email protected]> wrote:
> I haven't seen this come up on the mailing list or irc. If you end up
> tweaking the script, please send the changes to the list.
>
> On Tue, May 31, 2011 at 1:43 AM, toddmichael <[email protected]>
> wrote:
> > running into issue with OSSEC monitoring of ASA configuration. Every
> > time it runs I get an alert that the integrity of the config has
> > changed. But when I check the diff report it's always something
> > innocuous like this:
> >
> > # /var/ossec/queue/diff/diff.1306731643
> > 556a557
> >> Connection to asa01 closed by remote host.
> >
> > As you can see, this is not a diff in the configuration. It's that
> > every other time it connects it captures an extra line of data at
> > disconnect and reports the addition or subtraction of this line as a
> > config file change. I guess I could go in and tweak the script
> > manually, but I can't imagine I'm the first to experience this
> > problem. Is there something I can do via config to fix this? I tried
> > some keywords in the archive and didn't find anything that answered my
> > question. Will keep digging, but would appreciate if someone could
> > chime in with some news on this. Thx.
> >
> > toddmichael
> >
>