Re: Query : seeking a (low cost secure) turnkey plug-and-play appliance to report network outages

2011-11-19 Thread Barry O'Donovan

On 17/11/11 17:34, Seth Mattinen wrote:
 Mikrotik RouterBoards are low cost and robust. It can be scripted
 to do things like call a specific URL every X minutes. Some models
 have just a single Ethernet port as well (they're designed to be
 used as a wireless AP/CPE with an add-in mini PCI card) for even
 less confusion about plugging it in.

+1

E.g.: http://routerboard.com/RB750 @ $39.99. I'm sure for bulk buying
they get a lot cheaper.

Should easily fit into an automated provisioning process.

 - Barry




Re: Query : seeking a (low cost secure) turnkey plug-and-play appliance to report network outages

2011-11-19 Thread Joel jaeggli
On 11/19/11 01:35 , Fearghas McKay wrote:
 
 On 17 Nov 2011, at 12:58, A. Chase Turner wrote:
 
 I am seeking a $100 turnkey micro hardware appliance to plug into a LAN hub 
 (behind a consumer-level cable modem) whose only purpose in life is to send 
 heartbeat (and simple quality of service metrics) to a pre-configured 
 central aggregation service on the WAN.
 
 Have a look at the Atlas project from RIPE - http://atlas.ripe.net/
 
 Their hardware is aimed at costing 50€ including distribution etc. They have 
 said they were not going to make it available but they might collaborate ? 
 
 HTH

http://ubnt.com/rspro

is a board I've run openwrt on with a great deal of success.

it's powerful enough to host rather a lot of things compared to a basic ap.

 
ab...@brasiltelecom.com.br Contact - Re: http://ipcacoal.org/ipcacoal/includes/kiwi.htm

2011-11-19 Thread Don Gould
Anyone with any clue on how to contact ab...@brasiltelecom.com.br like 
to forward this?  Their abuse contact in the whois database is just 
bouncing.


I do realise this is just day to day noise, but as you can see from the 
trail below, I have used the normal tools that we put in place to manage 
these sorts of issues.


I have noted over the past 12 months, quite a bit of discussion on NANOG 
about Whois and the fact that the resource is now failing.


I would like to see the community address the whois database, clean it 
up and return it to being functional.  Mine is not perfect either, and I 
will pledge to work on that over the next 12 months.  I'd like to hear 
your commitment to the same.


Cheers D


Sirs,

A host in your IP range is hosting a bank security breach web site.  Can 
you please address this?


http://ipcacoal.org/ipcacoal/includes/kiwi.htm  - Please see the correct 
site at www.kiwibank.co.nz



# whois ipcacoal.org
NOTICE: Access to .ORG WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the Public
Interest Registry registry database. The data in this record is provided by
Public Interest Registry for informational purposes only, and Public Interest
Registry does not guarantee its accuracy.  This service is intended only for
query-based access.  You agree that you will use this data only for lawful
purposes and that, under no circumstances will you use this data to: (a)
allow, enable, or otherwise support the transmission by e-mail, telephone, or
facsimile of mass unsolicited, commercial advertising or solicitations to
entities other than the data recipient's own existing customers; or (b)
enable high volume, automated, electronic processes that send queries or data
to the systems of Registry Operator or any ICANN-Accredited Registrar, except
as reasonably necessary to register domain names or modify existing
registrations.  All rights reserved. Public Interest Registry reserves the
right to modify these terms at any time. By submitting this query, you agree
to abide by this policy.

Domain ID:D155949678-LROR
Domain Name:IPCACOAL.ORG
Created On:24-Apr-2009 12:20:02 UTC
Last Updated On:02-Apr-2011 20:41:14 UTC
Expiration Date:24-Apr-2012 12:20:02 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:a81fb17fb96efad6
Registrant Name:Kallew  Cesar Braganca Pavao
Registrant Organization:ipcacoal.org
Registrant Street1:Rua Carlos SCherrer, 478
Registrant Street2:
Registrant Street3:
Registrant City:Cacoal
Registrant State/Province:
Registrant Postal Code:76962-278
Registrant Country:BR
Registrant Phone:+55.6934418628
Registrant Phone Ext.:
Registrant FAX:+55.6934418628
Registrant FAX Ext.:
Registrant Email:k1...@hotmail.com
Admin ID:a81fb17fb96efad6
Admin Name:Kallew  Cesar Braganca Pavao
Admin Organization:ipcacoal.org
Admin Street1:Rua Carlos SCherrer, 478
Admin Street2:
Admin Street3:
Admin City:Cacoal
Admin State/Province:
Admin Postal Code:76962-278
Admin Country:BR
Admin Phone:+55.6934418628
Admin Phone Ext.:
Admin FAX:+55.6934418628
Admin FAX Ext.:
Admin Email:k1...@hotmail.com
Tech ID:a81fb17fb96efad6
Tech Name:Kallew  Cesar Braganca Pavao
Tech Organization:ipcacoal.org
Tech Street1:Rua Carlos SCherrer, 478
Tech Street2:
Tech Street3:
Tech City:Cacoal
Tech State/Province:
Tech Postal Code:76962-278
Tech Country:BR
Tech Phone:+55.6934418628
Tech Phone Ext.:
Tech FAX:+55.6934418628
Tech FAX Ext.:
Tech Email:k1...@hotmail.com
Name Server:NS1.SERVIDORPROTEGIDO.NET
Name Server:NS2.SERVIDORPROTEGIDO.NET
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned


# host ipcacoal.org
ipcacoal.org has address 200.160.239.14
ipcacoal.org mail is handled by 0 ipcacoal.org.
# whois  200.160.239.14

% Copyright (c) Nic.br
%  The use of the data below is only permitted as described in
%  full by the terms of use (http://registro.br/termo/en.html),
%  being prohibited its distribution, comercialization or
%  reproduction, in particular, to use it for advertising or
%  any similar purpose.
%  2011-11-19 19:16:09 (BRST -02:00)

inetnum: 200.160.239/24
aut-num: AS8167
abuse-c: BTA17
owner:   Gallas Software e Internet LTDA.
ownerid: 005.753.287/0001-44
responsible: Depto. Registro de Domínios / ABUSE
country: BR
owner-c: HOHSI2
tech-c:  HOHSI2
inetrev: 200.160.239/24
nserver: ns1.homehost.com.br
nsstat:  2016 AA
nslastaa:2016
nserver: ns2.homehost.com.br
nsstat:  2016 AA
nslastaa:2016
created: 20081020
changed: 20081020
inetnum-up:  200.160.224/19

nic-hdl-br:  BTA17
person:  Brasil Telecom S. A - Abuso
e-mail:  ab...@noc.brasiltelecom.net.br
created: 20030624
changed: 20050214

nic-hdl-br:  HOHSI2
person:  HOMEHOST Hospedagem de Sites
e-mail:  regis...@homehost.com.br
created: 
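Don's problem above is mechanical as much as social: the abuse mailbox has to be dug out of the whois reply by following abuse-c to the matching nic-hdl-br block, and when that mailbox bounces the owner-c and tech-c handles in the same reply are the next place to escalate. As an added example (not from this thread, and not registro.br's own tooling), here is a small Python parser for that block-structured whois format. The reply it parses is constructed to mirror the layout quoted above; the prefix, AS number, handles and addresses are placeholders.

```python
"""Pull the abuse contact out of a registro.br-style whois reply.

Added example for the thread above; not code from the thread or from
registro.br. The reply below is constructed to mirror the layout quoted
in the thread, with placeholder prefix, AS number, handles and addresses.
"""
import re

ATTR_RE = re.compile(r"^([A-Za-z0-9_-]+):\s*(.*)$")

# Constructed sample reply (documentation prefix, private ASN, fake handles).
SAMPLE_WHOIS = """\
% Copyright (c) Nic.br
%  2011-11-19 19:16:09 (BRST -02:00)

inetnum: 203.0.113/24
aut-num: AS64500
abuse-c: ABC1
owner:   Example Hosting LTDA.
owner-c: HOST2
tech-c:  HOST2
created: 20081020

nic-hdl-br:  ABC1
person:  Example Telecom - Abuso
e-mail:  abuse@example.net
created: 20030624

nic-hdl-br:  HOST2
person:  Example Hosting
e-mail:  hostmaster@example.org
created: 20090101
"""


def parse_blocks(text):
    """Split a whois reply into blank-line-separated blocks.

    Each block maps attribute -> list of values; '%' comment lines are dropped.
    """
    blocks, current = [], {}
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                blocks.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            current.setdefault(m.group(1), []).append(m.group(2).strip())
    if current:
        blocks.append(current)
    return blocks


def contact_email(blocks, handle):
    """Resolve a nic-hdl-br handle to its e-mail, or None if no block matches."""
    for b in blocks:
        if b.get("nic-hdl-br", [None])[0] == handle:
            return (b.get("e-mail") or [None])[0]
    return None


def abuse_contact(text):
    """Return (abuse_handle, abuse_email, fallbacks).

    fallbacks maps owner-c / tech-c to their e-mails, so a bouncing abuse
    mailbox still leaves an address to escalate the report to.
    """
    blocks = parse_blocks(text)
    net = next((b for b in blocks if "inetnum" in b), {})
    handle = (net.get("abuse-c") or [None])[0]
    fallbacks = {}
    for role in ("owner-c", "tech-c"):
        h = (net.get(role) or [None])[0]
        if h:
            fallbacks[role] = contact_email(blocks, h)
    return handle, contact_email(blocks, handle) if handle else None, fallbacks


if __name__ == "__main__":
    print(abuse_contact(SAMPLE_WHOIS))
```

The parser keeps every attribute as a list because whois blocks repeat keys (the page's own output has two nserver lines, for instance); a single-value lookup takes the first entry. A reply whose abuse-c handle has no matching nic-hdl-br block yields an e-mail of None rather than an exception, which is the case worth alerting on in an abuse-handling pipeline.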

Re: Query : seeking a (low cost secure) turnkey plug-and-play appliance to report network outages

2011-11-19 Thread Jimmy Hess
On Thu, Nov 17, 2011 at 6:58 AM, A. Chase Turner ch...@stumpy.com wrote:
 I am seeking a $100 turnkey micro hardware appliance to plug into a LAN hub 
 (behind a consumer-level cable modem) whose only purpose in life is to send 
 heartbeat (and simple quality of service metrics) to a pre-configured central 
 aggregation service on the WAN.
 Key requirement is the micro hardware appliance will be installed by 
 non-technical elderly end-users -- so, it must
[snip]
I think your expectation of finding an off-the-shelf turnkey unit that
will do such a specialized thing for  $100 or less  with no extra
work, is a bit unreasonable.  Your requirement is such a niche
requirement,  that there is little demand for such a unit,  meaning
you won't find a mass produced hardware component out of a box
specifically designed to do that specific thing at optimal cost,   and
general purpose miniature embedded computer boards are cheaper.

Although you get the work of building the firmware components to make
it do what you intend.

Companies that build products for such a niche market need a decent
margin for each unit sold,  to compensate for low volume.

I would say look at something like a Soekris net4501 or other
low-cost mini computer board, that you can load a flash card on and
install BSD on; I think approximately $90 for board + case, then
you need to factor in cost of other components such as flash memory.

From there you need to build the configuration GUI,  write some
scripts, and build an image to load on your customized  general
purpose computing devices.

Your end user doesn't need to do all that extra work of scripting or
copying data to the unit as long as you provide the pre-assembled unit
with your prepared image.

--
-JH



Re: Query : seeking a (low cost secure) turnkey plug-and-play appliance to report network outages

2011-11-19 Thread Joe Hamelin
On Thu, Nov 17, 2011 at 6:58 AM, A. Chase Turner ch...@stumpy.com wrote:
 I am seeking a $100 turnkey micro hardware appliance to plug into a LAN
hub...

Why micro?  Just get a pile of free for the carting-off old Pentium
machines and run them headless with a BSD.  Set them up to heartbeat to a
cacti box.  Why buy new when you have a good use for the old stuff that is
going to a dump anyway?

--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474


Re: Query : seeking a (low cost secure) turnkey plug-and-play

2011-11-19 Thread Joe Greco
 On Thu, Nov 17, 2011 at 6:58 AM, A. Chase Turner ch...@stumpy.com wrote:
  I am seeking a $100 turnkey micro hardware appliance to plug into a LAN
 hub...
 
 Why micro?  Just get a pile of free for the carting-off old Pentium
 machines and run them headless with a BSD.  Set them up to heartbeat to a
 cacti box.  Why buy new when you have a good use for the old stuff that is
 going to a dump anyway?

As long as you're not paying the electric bill.  But quite frankly, some
of the stuff that's been put out over the years is better off in a dump.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Query : seeking a (low cost secure) turnkey plug-and-play

2011-11-19 Thread Jay Ashworth
- Original Message -
 From: Joe Greco jgr...@ns.sol.net

 Subject: Re: Query : seeking a (low cost  secure) turnkey plug-and-play
  On Thu, Nov 17, 2011 at 6:58 AM, A. Chase Turner ch...@stumpy.com
  wrote:
   I am seeking a $100 turnkey micro hardware appliance to plug into
   a LAN hub...
 
  Why micro? Just get a pile of free for the carting-off old Pentium
  machines and run them headless with a BSD. Set them up to heartbeat
  to a cacti box. Why buy new when you have a good use for the old stuff
  that is going to a dump anyway?
 
 As long as you're not paying the electric bill. But quite frankly,
 some of the stuff that's been put out over the years is better off in a
 dump.

I find myself pretty surprised that no one I've seen so far has suggested
*these*:

http://techreport.com/discussions.x/16466

They seem directly on target for what Chase is looking for.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: Query : seeking a (low cost secure) turnkey plug-and-play

2011-11-19 Thread Jay Ashworth
- Original Message -
 From: Jay Ashworth j...@baylink.com

 I find myself pretty surprised that no one I've seen so far has
 suggested *these*:
 
 http://techreport.com/discussions.x/16466
 
 They seem directly on target for what Chase is looking for.

Here (apologies) is some retail:

http://www.globalscaletechnologies.com/
http://www.ionicsplug.com/products.html

And Marvell's page:

http://www.marvell.com/solutions/plug-computers/

I don't think these have Powerline ethernet, more's the pity...

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: Query : seeking a (low cost secure) turnkey plug-and-play

2011-11-19 Thread Roy

On 11/19/2011 4:04 PM, Joe Greco wrote:
>> On Thu, Nov 17, 2011 at 6:58 AM, A. Chase Turner ch...@stumpy.com wrote:
>>> I am seeking a $100 turnkey micro hardware appliance to plug into a LAN
>>> hub...
>>
>> Why micro?  Just get a pile of free for the carting-off old Pentium
>> machines and run them headless with a BSD.  Set them up to heartbeat to a
>> cacti box.  Why buy new when you have a good use for the old stuff that is
>> going to a dump anyway?
>
> As long as you're not paying the electric bill.  But quite frankly, some
> of the stuff that's been put out over the years is better off in a dump.
>
> ... JG


They also have moving parts like disk drives and fans that will wear out
and need replacement.



Re: Query : seeking a (low cost secure) turnkey plug-and-play

2011-11-19 Thread Joe Greco
 On 11/19/2011 4:04 PM, Joe Greco wrote:
  On Thu, Nov 17, 2011 at 6:58 AM, A. Chase Turner ch...@stumpy.com wrote:
  I am seeking a $100 turnkey micro hardware appliance to plug into a LAN
  hub...
 
  Why micro?  Just get a pile of free for the carting-off old Pentium
  machines and run them headless with a BSD.  Set them up to heartbeat to a
  cacti box.  Why buy new when you have a good use for the old stuff that is
  going to a dump anyway?
  As long as you're not paying the electric bill.  But quite frankly, some
  of the stuff that's been put out over the years is better off in a dump.
 
  ... JG
 
 They also have moving parts like disk drives and fans that will wear out
 and need replacement.

In all fairness, everything breaks.  But, yeah, it may also break quicker.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



ASA log viewer

2011-11-19 Thread Duane Toler
Hey NANOG!

My employer is deploying Cisco ASA firewalls to our clients
(specifically the 5505, 5510 for our smaller clients).  We are having
problems finding a decent log viewer.  Several products seem to mean
well, but they all fall short for various reasons.  We primarily use
Check Point firewalls, and for those of you with that experience, you
know the SmartViewer Tracker is quite powerful.  Is there anything
close to the flexibility and filtering capabilities of Check Point's
SmartView Tracker?

For now, I've been dumping the logs via syslog with TLS using
syslog-ng to our server, but that is mediocre at best with varying
degrees of reliability.  The syslog-ng server then sends that to a
perl script to put that into a database.  That allows us to run our
monthly reports, but that doesn't help us with live or historical log
parsing and filtering (see above, re: SmartView Tracker).

If a customer called to help us troubleshoot connection issues over
the past few days, there's no way to review the logs and figure out
what happened back then.  Every CCIE we've talked to, and Cisco
themselves, seem to not care about firewall traffic logs or the
ability to parse and review them.  We know about Cisco Security
Center, but that seems incapable of handling logs, etc.  CS-MARS
would've been great, but that's overpriced and now discontinued
anyway.  We'd hate to spend the time writing our own app if there's a
viable product already available (we're willing to pay a reasonable
price for one, too).

Any ideas?

Thanks!!



Re: ASA log viewer

2011-11-19 Thread Jay Ashworth
- Original Message -
 From: Duane Toler deto...@gmail.com

 My employer is deploying CIsco ASA firewalls to our clients
 (specifically the 5505, 5510 for our smaller clients). We are having
 problems finding a decent log viewer. Several products seem to mean
 well, but they all fall short for various reasons. We primarily use
 Check Point firewalls, and for those of you with that experience, you
 know the SmartViewer Tracker is quite powerful. Is there anything
 close to the flexibility and filtering capabilities of Check Point's
 SmartView Tracker?

Is your problem the aggregation proper, or the mining?

Do the ASA's log to syslog?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: ASA log viewer

2011-11-19 Thread Mike Lyon
Check out Splunk (www.splunk.com)

-mike

Sent from my iPhone




Re: ASA log viewer

2011-11-19 Thread Jonathan Lassoff
On Sat, Nov 19, 2011 at 4:51 PM, Duane Toler deto...@gmail.com wrote:

 Hey NANOG!

 My employer is deploying CIsco ASA firewalls to our clients
 (specifically the 5505, 5510 for our smaller clients).  We are having
 problems finding a decent log viewer.  Several products seem to mean
 well, but they all fall short for various reasons.  We primarily use
 Check Point firewalls, and for those of you with that experience, you
 know the SmartViewer Tracker is quite powerful.  Is there anything
 close to the flexibility and filtering capabilities of Check Point's
 SmartView Tracker?

 For now, I've been dumping the logs via syslog with TLS using
 syslog-ng to our server, but that is mediocre at best with varying
 degrees of reliability.  The syslog-ng server then sends that to a
 perl script to put that into a database.  That allows us to run our
 monthly reports, but that doesn't help us with live or historical log
 parsing and filtering (see above, re: SmartView Tracker).


It sounds like you've already got a pretty good aggregation setup going,
here. I've had great luck with UDP Syslog from devices to a site-local log
aggregator that then ships off log streams to a central place over TCP (for
the WAN paths) and/or TLS/SSL.

It sounds like you may have something similar going here, though I'd be
curious to know where you've had this fall down reliability-wise.

 If a customer called to help us troubleshoot connection issues over
 the past few days, there's no way to review the logs and figure out
 what happened back then.  Every CCIE we've talked to, and Cisco
 themselves, seem to not care about firewall traffic logs or the
 ability to parse and review them.  We know about Cisco Security
 Center, but that seems incapable of handling logs, etc.  CS-MARS
 would've been great, but that's overpriced and now discontinued
 anyway.  We'd hate to spend the time writing our own app if there's a
 viable product already available (we're willing to pay a reasonable
 price for one, too).


I don't know of any great commercial products, as I've only built homegrown
tools for various organizations. I'm curious though, what kinds of features
are you looking for? Searching log data? Alerting on events based on log
data?

Cheers,
jof


Re: ASA log viewer

2011-11-19 Thread Jonathan Lassoff
On Sat, Nov 19, 2011 at 5:32 PM, Duane Toler deto...@gmail.com wrote:

 On Sat, Nov 19, 2011 at 20:04, Jay Ashworth j...@baylink.com wrote:
  - Original Message -
  From: Duane Toler deto...@gmail.com
 
  My employer is deploying CIsco ASA firewalls to our clients
  (specifically the 5505, 5510 for our smaller clients). We are having
  problems finding a decent log viewer. Several products seem to mean
  well, but they all fall short for various reasons. We primarily use
  Check Point firewalls, and for those of you with that experience, you
  know the SmartViewer Tracker is quite powerful. Is there anything
  close to the flexibility and filtering capabilities of Check Point's
  SmartView Tracker?
 
  Is your problem the aggregation proper, or the mining?
 
  Do the ASA's log to syslog?
 
  Cheers,
  -- jra
  --

 Yep, we log to syslog, and the issue is the mining.  Not that I/we
 *can't* grep/regex/sed/awk/perl our way thru the log files.  It's just
 that it's overly tedious.  Especially when compared to Check Point's
 product (given that they are aiming to compete...).


I'd second Mike's suggestion then -- check out Splunk. They make a
commercial log viewing, searching, and reporting product that's pretty
awesome. They license based on log volume, and the pricing scales somewhat
logarithmically. So, I would consider your log volume and budget before
sinking too much time into it.

There's a free trial installation and license that's available if you want
to try it out.

Cheers,
jof


Re: ASA log viewer

2011-11-19 Thread Duane Toler
On Sat, Nov 19, 2011 at 20:04, Jay Ashworth j...@baylink.com wrote:
 - Original Message -
 From: Duane Toler deto...@gmail.com

 My employer is deploying CIsco ASA firewalls to our clients
 (specifically the 5505, 5510 for our smaller clients). We are having
 problems finding a decent log viewer. Several products seem to mean
 well, but they all fall short for various reasons. We primarily use
 Check Point firewalls, and for those of you with that experience, you
 know the SmartViewer Tracker is quite powerful. Is there anything
 close to the flexibility and filtering capabilities of Check Point's
 SmartView Tracker?

 Is your problem the aggregation proper, or the mining?

 Do the ASA's log to syslog?

 Cheers,
 -- jra
 --

Yep, we log to syslog, and the issue is the mining.  Not that I/we
*can't* grep/regex/sed/awk/perl our way thru the log files.  It's just
that it's overly tedious.  Especially when compared to Check Point's
product (given that they are aiming to compete...).



Re: ASA log viewer

2011-11-19 Thread Duane Toler
On Sat, Nov 19, 2011 at 20:30, Jonathan Lassoff j...@thejof.com wrote:
 On Sat, Nov 19, 2011 at 4:51 PM, Duane Toler deto...@gmail.com wrote:

 Hey NANOG!

 My employer is deploying CIsco ASA firewalls to our clients
 (specifically the 5505, 5510 for our smaller clients).  We are having
 problems finding a decent log viewer.  Several products seem to mean
 well, but they all fall short for various reasons.  We primarily use
 Check Point firewalls, and for those of you with that experience, you
 know the SmartViewer Tracker is quite powerful.  Is there anything
 close to the flexibility and filtering capabilities of Check Point's
 SmartView Tracker?

 For now, I've been dumping the logs via syslog with TLS using
 syslog-ng to our server, but that is mediocre at best with varying
 degrees of reliability.  The syslog-ng server then sends that to a
 perl script to put that into a database.  That allows us to run our
 monthly reports, but that doesn't help us with live or historical log
 parsing and filtering (see above, re: SmartView Tracker).

 It sounds like you've already got a pretty good aggregation setup going,
 here. I've had great luck with UDP Syslog from devices to a site-local log
 aggregator that then ships off log streams to a central place over TCP (for
 the WAN paths) and/or TLS/SSL.
 It sounds like you may have something similar going here, though I'd be
 curious to know where you've had this fall down reliability-wise.

We considered that, but didn't want to burden small customers with a
classic scenario of "ok well you have to have our other box in your
room" and have to deal with procurement, maintenance, upkeep,
monitoring, blah blah.  Recent ASA code (8.3-ish, 8.4? I forget) had
syslog-tls built in and finally able to ship logs out across the
lowest security zone, which was quite a nice addition.

The breakdown is periodic log-reporting failures. After some
indeterminate time, the device seems to just give up and just not
send logs.  Plus, it doesn't reconnect on a failure.  I added a Nagios
check to monitor the state of things, so now I get notified in this
situation (or at least within a few minutes).  When this does occur, I
ssh to the ASA and have to run 'no logging enable' and then
'logging enable' to jump start it again.  Sometimes that's not even
enough and I have to remove the logging command for external syslog
and re-add it again.

It's very weird and quite spurious.


 If a customer called to help us troubleshoot connection issues over
 the past few days, there's no way to review the logs and figure out
 what happened back then.  Every CCIE we've talked to, and Cisco
 themselves, seem to not care about firewall traffic logs or the
 ability to parse and review them.  We know about Cisco Security
 Center, but that seems incapable of handling logs, etc.  CS-MARS
 would've been great, but that's overpriced and now discontinued
 anyway.  We'd hate to spend the time writing our own app if there's a
 viable product already available (we're willing to pay a reasonable
 price for one, too).

 I don't know of any great commercial products, as I've only built homegrown
 tools for various organizations. I'm curious though, what kinds of features
 are you looking for? Searching log data? Alerting on events based on log
 data?
 Cheers,
 jof

I'd like to fully search on a 'column', a la 'ladder logic' style,
as well as have the data presented in an orderly well-defined fashion.
 I know that sounded like the beginnings of "use XML!" but oh dear,
not XML, please. :)  Poor syslog is just too flat and in a state of
general disarray.  The bizarre arrangement of connection setup, NAT,
non-NAT, traffic destined to the device, originating from the device,
traffic routing across to another zone, etc. ... it's very
nonsensical, verbose, and frankly maddening.

Best I can tell, the whole thing doesn't make any sense (and was a
bear to tease apart with regex).

I've gotten a few suggestions to check out Splunk, so I'll toss that
into the review pile and see how that works out.  Thanks to the folks
who suggested that!

--
Duane Toler
deto...@gmail.com
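The outage-reporting appliance thread (a box that calls a URL every X minutes) and Duane's Nagios check for an ASA whose syslog-over-TLS feed silently stops are the same detection problem: when did we last hear from each source, and who has been quiet longer than the policy allows? As an added example, not code from either thread and not Nagios or Cisco code, the Python below tracks liveness from two kinds of input: RFC 3164-style syslog lines as a relay would see them, and heartbeat callbacks. The sample log lines, hostnames, addresses and timestamps are constructed for the demo.

```python
"""Liveness tracking for heartbeat appliances and syslog feeds.

Added example for the two threads above; not code from either thread,
from Nagios or from Cisco. The syslog lines, hostnames and timestamps
below are constructed for the demo.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 3164-style relay line: "Mon DD HH:MM:SS host message". The timestamp
# carries no year, so the caller supplies one.
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Constructed sample: two firewalls; fw-branch-b goes quiet after 20:02.
SAMPLE_SYSLOG = [
    "Nov 19 20:00:01 fw-branch-a %ASA-6-302013: Built outbound TCP connection 1001 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.10/51234 (198.51.100.2/51234)",
    "Nov 19 20:00:03 fw-branch-b %ASA-6-302013: Built outbound TCP connection 2001 "
    "for outside:203.0.113.8/80 (203.0.113.8/80) to inside:192.168.2.10/50001 (198.51.100.3/50001)",
    "Nov 19 20:02:00 fw-branch-b %ASA-6-302014: Teardown TCP connection 2001 "
    "for outside:203.0.113.8/80 to inside:192.168.2.10/50001 duration 0:01:57 bytes 4021 TCP FINs",
    "Nov 19 20:05:00 fw-branch-a %ASA-6-302014: Teardown TCP connection 1001 "
    "for outside:203.0.113.5/443 to inside:192.168.1.10/51234 duration 0:04:59 bytes 8812 TCP FINs",
    "Nov 19 20:40:12 fw-branch-a %ASA-4-106023: Deny tcp src outside:203.0.113.9/4567 "
    'dst inside:192.168.1.10/22 by access-group "outside_in" [0x0, 0x0]',
]


def parse_syslog_line(line, year):
    """Return (host, timestamp in UTC) for a relay-format line, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, _msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return host, ts.replace(tzinfo=timezone.utc)


class LivenessTracker:
    """Remembers the newest timestamp seen per source and reports the silent ones."""

    def __init__(self, max_silence):
        self.max_silence = max_silence      # timedelta a source may stay quiet
        self.last_seen = {}                 # source -> datetime (UTC)

    def observe(self, source, when):
        """Record a heartbeat or log line from `source`; out-of-order input is safe."""
        prev = self.last_seen.get(source)
        if prev is None or when > prev:
            self.last_seen[source] = when

    def stale(self, now):
        """Sources silent longer than max_silence, longest silence first."""
        silent = [(s, now - t) for s, t in self.last_seen.items()
                  if now - t > self.max_silence]
        silent.sort(key=lambda pair: pair[1], reverse=True)
        return silent


def tracker_from_syslog(lines, year, max_silence):
    tracker = LivenessTracker(max_silence)
    for line in lines:
        parsed = parse_syslog_line(line, year)
        if parsed:
            tracker.observe(*parsed)
    return tracker


def demo():
    """Feed the constructed syslog plus one heartbeat; evaluate at 20:45 UTC."""
    tracker = tracker_from_syslog(SAMPLE_SYSLOG, 2011, timedelta(minutes=10))
    # A heartbeat appliance hitting a URL every few minutes lands here the
    # same way; "probe-17" (constructed) last reported at 20:20.
    tracker.observe("probe-17", datetime(2011, 11, 19, 20, 20, tzinfo=timezone.utc))
    now = datetime(2011, 11, 19, 20, 45, tzinfo=timezone.utc)
    return tracker.stale(now)


if __name__ == "__main__":
    for source, silence in demo():
        print(f"ALERT {source}: silent for {silence}")
```

In production the timestamp fed to observe() should be the collector's arrival time, not the one printed by the device: a firewall with a wrong clock would otherwise look permanently dead (or permanently alive), and a device that has stopped sending is exactly the case where its own timestamps are absent. The tracker itself also needs a heartbeat, since a silent collector alerts on nothing.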



Re: ASA log viewer

2011-11-19 Thread Jonathan Lassoff
On Sat, Nov 19, 2011 at 5:46 PM, Duane Toler deto...@gmail.com wrote:

 On Sat, Nov 19, 2011 at 20:30, Jonathan Lassoff j...@thejof.com wrote:
  On Sat, Nov 19, 2011 at 4:51 PM, Duane Toler deto...@gmail.com wrote:
 
  Hey NANOG!
 
  My employer is deploying CIsco ASA firewalls to our clients
  (specifically the 5505, 5510 for our smaller clients).  We are having
  problems finding a decent log viewer.  Several products seem to mean
  well, but they all fall short for various reasons.  We primarily use
  Check Point firewalls, and for those of you with that experience, you
  know the SmartViewer Tracker is quite powerful.  Is there anything
  close to the flexibility and filtering capabilities of Check Point's
  SmartView Tracker?
 
  For now, I've been dumping the logs via syslog with TLS using
  syslog-ng to our server, but that is mediocre at best with varying
  degrees of reliability.  The syslog-ng server then sends that to a
  perl script to put that into a database.  That allows us to run our
  monthly reports, but that doesn't help us with live or historical log
  parsing and filtering (see above, re: SmartView Tracker).
 
  It sounds like you've already got a pretty good aggregation setup going,
  here. I've had great luck with UDP Syslog from devices to a site-local log
  aggregator that then ships off log streams to a central place over TCP (for
  the WAN paths) and/or TLS/SSL.
  It sounds like you may have something similar going here, though I'd be
  curious to know where you've had this fall down reliability-wise.

 We considered that, but didn't want to burden small customers with a
 classic scenario of "ok well you have to have our other box in your
 room" and have to deal with procurement, maintenance, upkeep,
 monitoring, blah blah.  Recent ASA code (8.3-ish, 8.4? I forget) had
 syslog-tls built in and finally able to ship logs out across the
 lowest security zone, which was quite a nice addition.


Ah, this totally makes sense now. I can see why you'd want to use features
that are already on your ASAs. Sounds like a bug to me, though.
I wonder what Cisco calls syslog-tls though. Syslog-like packet bodies,
over a TLS-wrapped TCP socket?

Sorry to hear it's been so unreliable -- I guess that's why I'm biased
towards just running generic PCs and open source software for this kind of
stuff; when bugs happen, you're actually empowered to debug and fix
problems.

 I'd like to fully search on a 'column', a la 'ladder logic' style,
 as well as have the data presented in an orderly well-defined fashion.
  I know that sounded like the beginnings of "use XML!" but oh dear,
 not XML, please. :)  Poor syslog is just too flat and in a state of
 general disarray.  The bizarre arrangement of connection setup, NAT,
 non-NAT, traffic destined to the device, originating from the device,
 traffic routing across to another zone, etc. ... it's very
 nonsensical, verbose, and frankly maddening.


This does indeed sound like a good application for Splunk. They have ways
of defining custom logging formats that will parse out simple column and
message types so that you can construct queries based on that information.

There's some more information here in Splunk's docs on custom field
extraction:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions

Cheers,
jof
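Duane's wish to search on a 'column' and Jonathan's pointer to custom field extraction come down to the same step: splitting the flat %ASA-severity-id text into named fields, which is what a field-extraction regex in Splunk would do. As an added example for this exchange, not code from the thread, from Splunk or from Cisco, the Python below does that split with a dataclass per event and a keyword-argument filter. The message IDs follow the documented ASA layout, but every sample line, hostname, address and ACL name is constructed for the demo.

```python
"""Turn flat Cisco ASA syslog text into named columns and query them.

Added example for the discussion above; not code from the thread, from
Splunk or from Cisco. Message IDs follow the %ASA-<severity>-<id> layout,
but every sample line, address, hostname and ACL name is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

HEADER_RE = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)$")
PROTO_RE = re.compile(r"\b(tcp|udp|icmp)\b", re.IGNORECASE)
# Endpoints appear as  interface:address/port ; the bracketed NAT copies that
# follow them carry no interface name and are deliberately not matched.
ENDPOINT_RE = re.compile(r"(\w+):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")

# Constructed sample lines. 192.168.1.x stands in for the inside LAN and
# 203.0.113.x for the outside; "outside_in" is a placeholder ACL name.
SAMPLE_LINES = [
    'Nov 19 20:01:15 fw-branch-a %ASA-6-302013: Built outbound TCP connection 1001 '
    'for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.10/51234 (198.51.100.2/51234)',
    'Nov 19 20:01:16 fw-branch-a %ASA-4-106023: Deny tcp src outside:203.0.113.9/4567 '
    'dst inside:192.168.1.10/22 by access-group "outside_in" [0x0, 0x0]',
    'Nov 19 20:01:20 fw-branch-a %ASA-6-302014: Teardown TCP connection 1001 '
    'for outside:203.0.113.5/443 to inside:192.168.1.10/51234 duration 0:00:05 bytes 8812 TCP FINs',
    'Nov 19 20:01:22 fw-branch-a %ASA-6-302015: Built outbound UDP connection 1002 '
    'for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.168.1.10/40000 (198.51.100.2/40000)',
    'Nov 19 20:01:30 fw-branch-a %ASA-4-106023: Deny udp src outside:203.0.113.77/5000 '
    'dst inside:192.168.1.20/161 by access-group "outside_in" [0x0, 0x0]',
    'Nov 19 20:01:31 fw-branch-a %ASA-6-605005: Login permitted from 192.168.1.10/51300 '
    'to inside:198.51.100.2/ssh for user "admin"',
]


@dataclass
class AsaEvent:
    severity: int
    msg_id: str
    action: str                  # first word of the body: Built, Teardown, Deny, Login, ...
    proto: Optional[str]
    first_if: Optional[str]      # endpoints in the order the message lists them;
    first_ip: Optional[str]      # which one is the "source" depends on the message
    first_port: Optional[int]    # type and direction, which is exactly what makes
    second_if: Optional[str]     # the flat text hard to grep
    second_ip: Optional[str]
    second_port: Optional[int]
    raw: str


def parse_asa(line: str) -> Optional[AsaEvent]:
    """Parse one syslog line; returns None for lines that are not ASA events."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    severity, msg_id, body = int(m.group(1)), m.group(2), m.group(3)
    action = body.split(" ", 1)[0]
    pm = PROTO_RE.search(body)
    proto = pm.group(1).upper() if pm else None
    eps = [(i, a, int(p)) for i, a, p in ENDPOINT_RE.findall(body)[:2]]
    while len(eps) < 2:              # device-originated events may list fewer endpoints
        eps.append((None, None, None))
    return AsaEvent(severity, msg_id, action, proto, *eps[0], *eps[1], line)


def parse_all(lines):
    return [e for e in (parse_asa(l) for l in lines) if e is not None]


def query(events, **where):
    """Column-style filtering, e.g. query(evs, action="Deny", second_port=22)."""
    return [e for e in events if all(getattr(e, k) == v for k, v in where.items())]


def to_rows(events):
    """Tabular view: one tuple per event in a fixed column order."""
    return [(e.severity, e.msg_id, e.action, e.proto,
             e.first_if, e.first_ip, e.first_port,
             e.second_if, e.second_ip, e.second_port) for e in events]


if __name__ == "__main__":
    evs = parse_all(SAMPLE_LINES)
    for row in to_rows(query(evs, action="Deny")):
        print(row)
```

The neutral first/second column names are deliberate: a Deny message lists src then dst, while a Built/Teardown message lists the "for ... to ..." pair, so a viewer that wants true source and destination columns has to apply a per-message-ID mapping on top of this split. Events without two interface-qualified endpoints (the login line above) keep None in those columns instead of being dropped, so they still show up in a severity or action search.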


Re: ASA log viewer

2011-11-19 Thread Beavis
+1 here. I use Splunk for sorting out logs; pretty cool tool, easy to install.


-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer:
http://goldmark.org/jeff/stupid-disclaimers/



Re: ASA log viewer

2011-11-19 Thread Duane Toler
On Nov 19, 2011, at 9:05 PM, Jonathan Lassoff j...@thejof.com wrote:

> Ah, this totally makes sense now. I can see why you'd want to use features
> that are already on your ASAs. Sounds like a bug to me, though.
> I wonder what Cisco calls syslog-tls though. Syslog-like packet bodies,
> over a TLS-wrapped TCP socket?
>
> Sorry to hear it's been so unreliable -- I guess that's why I'm biased
> towards just running generic PCs and open source software for this kind of
> stuff; when bugs happen, you're actually empowered to debug and fix
> problems.


Yep all of our other gear is Linux for that reason (plus Mac OS on the
desktop so things just work).

Cisco called the syslog-TLS stuff just syslog plus a secure parameter,
and port 1470 by default. ASDM had a fairly helpful interface to get it
configured.  I think it requires the K9 image or whatever it's called to
get the option.


> This does indeed sound like a good application for Splunk. They have ways
> of defining custom logging formats that will parse out simple column and
> message types so that you can construct queries based on that information.
>
> There's some more information here in Splunk's docs on custom field
> extraction:
> http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions
>
> Cheers,
> jof


Sounds promising!  Thanks again!

Sent from my iPad


Re: ASA log viewer

2011-11-19 Thread Joel M Snyder

> I'd like to fully search on a 'column', a la 'ladder logic' style,
> as well as have the data presented in an orderly well-defined fashion.

Yes, Splunk.

See:
http://www.networkworld.com/reviews/2011/092611-splunk-test-250836.html

for a recent Network World test of Splunk which may help.

jms


--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One   Phone: +1 520 324 0494
j...@opus1.comhttp://www.opus1.com/jms



Re: ab...@brasiltelecom.com.br Contact - Re: http://ipcacoal.org/ipcacoal/includes/kiwi.htm

2011-11-19 Thread goemon

On Sun, 20 Nov 2011, Don Gould wrote:

> Anyone with any clue on how to contact ab...@brasiltelecom.com.br like to 
> forward this?  Their abuse contact in the whois database is just bouncing.


I think most sane operators totally blocked brasiltelecom ages ago.

> I would like to see the community address the whois database, clean it up and 
> return it to being functional.  Mine is not perfect either, and I will pledge 
> to work on that over the next 12 months.  I'd like to hear your commitment to 
> the same.


Until there are real, serious consequences to out of date / incorrect / 
forged data, nobody will fix it.


If you can't be bothered to keep your contact information up to date, you 
obviously don't need the address space and it should be revoked.


-Dan