Contact from Sharktech available?

2014-12-09 Thread Duane Toler
Can someone from Sharktech contact me off list to discuss an NTP flood from
your co-lo network?  One of my customers has a site being hammered by a few
subnets of yours.

Thanks!!

-- 
Duane Toler
deto...@gmail.com


MXLogic outage

2012-08-08 Thread Duane Toler
Probably old news by now, but MXLogic folks are having some major
issues today and not reliably receiving inbound mail.  Several of our
customers are talking with MXLogic about it.

FYI.

-- 
Duane Toler
deto...@gmail.com



Re: ASA log viewer

2011-11-21 Thread Duane Toler
On Sun, Nov 20, 2011 at 17:33, Jimmy Hess mysi...@gmail.com wrote:
> Yes.
> logging permit-hostdown
>
> However, if you don't need to refuse connections when TCP syslog
> fails, then you don't need 100% of your syslog messages, and you should
> use UDP syslog for performance.
>
> TCP just makes sure you will get all syslog messages between time A
> and time B, or none of them.
> If there are WAN issues, there are many cases where one would prefer
> SOME syslog messages, with an understanding that the network
> bottleneck means messages are being lost, rather than few/no syslog
> messages to help debug the issue.
>
> --
> -JH


Except you can't do syslog via TLS with UDP. :-/

--
Duane Toler
deto...@gmail.com



Re: ASA log viewer

2011-11-20 Thread Duane Toler
I think it was ASA 8.3 that began to provide an option to NOT cease
functionality when the TCP syslog server was unreachable. In ASDM, it is a
checkbox at the bottom of the logging servers config section.

Sent from my iPhone

On Nov 20, 2011, at 7:43, Joe Happe joe.ha...@archlearning.com wrote:

> Completely agree with Splunk for log searching / analysis; it even has some
> ASA/PIX modules. Please note, unless something has changed that I completely
> missed, an ASA/PIX will stop forwarding user traffic if it is configured for
> TCP syslog and the connection breaks (no more disk, network issue, etc.).
> This is based on the premise that a system cannot be considered secure if the
> audit trail is unavailable, and TCP syslogging (vs. UDP) is usually used to
> make sure you don't miss an entry due to a dropped packet. Something that
> dates back to the old C2 security standard?? (not sure of the current
> version). Typically this requires admin intervention (by design) to clear
> the condition. If you use UDP for syslog the ASA won't be in this mode, and
> you won't block traffic if syslog fails. With that said, there may be a
> command I'm unaware of that allows a TCP syslog to fail and not block traffic.
>
> ~jdh




Re: ASA log viewer

2011-11-20 Thread Duane Toler
I'll go back to check that option about queue size. Thanks for the hint!

Sent from my iPhone

On Nov 20, 2011, at 9:23, jjanu...@wd-tek.com wrote:

> e.g., interface_name syslog_ip [tcp/port] [emblem format] [secure]
>
> Also, when you do a "sho log", do you have the following set?
>
> Deny Conn when Queue Full: disabled





ASA log viewer

2011-11-19 Thread Duane Toler
Hey NANOG!

My employer is deploying Cisco ASA firewalls to our clients
(specifically the 5505, 5510 for our smaller clients).  We are having
problems finding a decent log viewer.  Several products seem to mean
well, but they all fall short for various reasons.  We primarily use
Check Point firewalls, and for those of you with that experience, you
know the SmartView Tracker is quite powerful.  Is there anything
close to the flexibility and filtering capabilities of Check Point's
SmartView Tracker?

For now, I've been dumping the logs via syslog with TLS using
syslog-ng to our server, but that is mediocre at best with varying
degrees of reliability.  The syslog-ng server then sends that to a
perl script to put that into a database.  That allows us to run our
monthly reports, but that doesn't help us with live or historical log
parsing and filtering (see above, re: SmartView Tracker).

If a customer called to help us troubleshoot connection issues over
the past few days, there's no way to review the logs and figure out
what happened back then.  Every CCIE we've talked to, and Cisco
themselves, seem to not care about firewall traffic logs or the
ability to parse and review them.  We know about Cisco Security
Center, but that seems incapable of handling logs, etc.  CS-MARS
would've been great, but that's overpriced and now discontinued
anyway.  We'd hate to spend the time writing our own app if there's a
viable product already available (we're willing to pay a reasonable
price for one, too).

Any ideas?

Thanks!!



Re: ASA log viewer

2011-11-19 Thread Duane Toler
On Sat, Nov 19, 2011 at 20:04, Jay Ashworth j...@baylink.com wrote:
> ----- Original Message -----
> From: Duane Toler deto...@gmail.com
>
> > My employer is deploying Cisco ASA firewalls to our clients
> > (specifically the 5505, 5510 for our smaller clients). We are having
> > problems finding a decent log viewer. Several products seem to mean
> > well, but they all fall short for various reasons. We primarily use
> > Check Point firewalls, and for those of you with that experience, you
> > know the SmartView Tracker is quite powerful. Is there anything
> > close to the flexibility and filtering capabilities of Check Point's
> > SmartView Tracker?
>
> Is your problem the aggregation proper, or the mining?
>
> Do the ASA's log to syslog?
>
> Cheers,
> -- jra
> --

Yep, we log to syslog, and the issue is the mining.  Not that I/we
*can't* grep/regex/sed/awk/perl our way through the log files.  It's just
that it's overly tedious, especially when compared to Check Point's
product (given that they are aiming to compete...).



Re: ASA log viewer

2011-11-19 Thread Duane Toler
On Sat, Nov 19, 2011 at 20:30, Jonathan Lassoff j...@thejof.com wrote:
> On Sat, Nov 19, 2011 at 4:51 PM, Duane Toler deto...@gmail.com wrote:
>
> > Hey NANOG!
> >
> > My employer is deploying Cisco ASA firewalls to our clients
> > (specifically the 5505, 5510 for our smaller clients).  We are having
> > problems finding a decent log viewer.  Several products seem to mean
> > well, but they all fall short for various reasons.  We primarily use
> > Check Point firewalls, and for those of you with that experience, you
> > know the SmartView Tracker is quite powerful.  Is there anything
> > close to the flexibility and filtering capabilities of Check Point's
> > SmartView Tracker?
> >
> > For now, I've been dumping the logs via syslog with TLS using
> > syslog-ng to our server, but that is mediocre at best with varying
> > degrees of reliability.  The syslog-ng server then sends that to a
> > perl script to put that into a database.  That allows us to run our
> > monthly reports, but that doesn't help us with live or historical log
> > parsing and filtering (see above, re: SmartView Tracker).
>
> It sounds like you've already got a pretty good aggregation setup going
> here. I've had great luck with UDP syslog from devices to a site-local log
> aggregator that then ships off log streams to a central place over TCP (for
> the WAN paths) and/or TLS/SSL.
> It sounds like you may have something similar going here, though I'd be
> curious to know where you've had this fall down reliability-wise.

We considered that, but didn't want to burden small customers with the
classic "ok, well, you have to have our other box in your room and have
to deal with procurement, maintenance, upkeep, monitoring, blah blah"
scenario.  Recent ASA code (8.3-ish, 8.4? I forget) had syslog-TLS built
in and was finally able to ship logs out across the lowest security zone,
which was quite a nice addition.

The breakdown is periodic log-reporting failures. After some
indeterminate time, the device seems to just give up and not send
logs.  Plus, it doesn't reconnect on a failure.  I added a Nagios
check to monitor the state of things, so now I get notified in this
situation (or at least within a few minutes).  When this does occur, I
ssh to the ASA and have to run 'no logging enable' and then
'logging enable' to jump-start it again.  Sometimes that's not even
enough and I have to remove the logging command for external syslog
and re-add it again.

It's very weird and quite spurious.


> > If a customer called to help us troubleshoot connection issues over
> > the past few days, there's no way to review the logs and figure out
> > what happened back then.  Every CCIE we've talked to, and Cisco
> > themselves, seem to not care about firewall traffic logs or the
> > ability to parse and review them.  We know about Cisco Security
> > Center, but that seems incapable of handling logs, etc.  CS-MARS
> > would've been great, but that's overpriced and now discontinued
> > anyway.  We'd hate to spend the time writing our own app if there's a
> > viable product already available (we're willing to pay a reasonable
> > price for one, too).
>
> I don't know of any great commercial products, as I've only built homegrown
> tools for various organizations. I'm curious though, what kinds of features
> are you looking for? Searching log data? Alerting on events based on log
> data?
> Cheers,
> jof

I'd like to fully search on a 'column', à la 'ladder logic' style,
as well as have the data presented in an orderly, well-defined fashion.
I know that sounded like the beginnings of "use XML!" but oh dear,
not XML, please. :)  Poor syslog is just too flat and in a state of
general disarray.  The bizarre arrangement of connection setup, NAT,
non-NAT, traffic destined to the device, originating from the device,
traffic routing across to another zone, etc. ... it's very
nonsensical, verbose, and frankly maddening.

Best I can tell, the whole thing doesn't make any sense (and was a
bear to tease apart with regex).

I've gotten a few suggestions to check out Splunk, so I'll toss that
into the review pile and see how that works out.  Thanks to the folks
who suggested that!

--
Duane Toler
deto...@gmail.com
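The "column" search and the NAT / non-NAT tangle described above are a parsing problem more than a storage problem. The following is an added example, not code from the thread, from Cisco, or from any product mentioned here: a small Python parser that splits ASA syslog lines into per-column records and filters them like a log-viewer grid. It assumes the standard syslog header a relay such as syslog-ng writes (`Mon DD hh:mm:ss host %ASA-sev-msgid: body`) and the documented ASA message formats for 302013/302015 (connection built, with the NAT-mapped address in parentheses), 302014 (teardown) and 106023 (ACL deny); any other message id is kept with its body unparsed. The hostname, addresses and log lines are constructed for the example.

```python
"""Structured parsing of Cisco ASA syslog lines (added example, not from the thread)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample input: lines as a syslog relay might write them for a
# firewall named "fw01". Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Nov 19 20:04:01 fw01 %ASA-6-302013: Built outbound TCP connection 4501 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.25/51234 (198.51.100.2/51234)
Nov 19 20:04:13 fw01 %ASA-6-302014: Teardown TCP connection 4501 for outside:203.0.113.5/443 to inside:10.0.0.25/51234 duration 0:00:12 bytes 4521 TCP FINs
Nov 19 20:04:20 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/44321 dst inside:10.0.0.25/22 by access-group "outside_in" [0x0, 0x0]
Nov 19 20:04:21 fw01 %ASA-4-106023: Deny udp src outside:203.0.113.9/53000 dst inside:10.0.0.25/161 by access-group "outside_in" [0x0, 0x0]
Nov 19 20:05:02 fw01 %ASA-6-302013: Built inbound TCP connection 4502 for outside:203.0.113.7/50211 (203.0.113.7/50211) to dmz:10.0.0.80/80 (10.0.0.80/80)
Nov 19 20:05:03 fw01 %ASA-6-302015: Built outbound UDP connection 4503 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.0.0.25/60001 (198.51.100.2/60001)
Nov 19 20:05:04 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.25/51300 to outside:198.51.100.2/51300
"""

# Syslog header as written by a relay: timestamp, reporting host, ASA tag.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%ASA-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# 302013/302015: each side is real address/port followed by the NAT-mapped pair.
BUILT_RE = re.compile(
    r"^Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection (?P<conn>\d+) "
    r"for (?P<szone>[^:]+):(?P<sip>[^/]+)/(?P<sport>\d+) \((?P<smip>[^/]+)/(?P<smport>\d+)\) "
    r"to (?P<dzone>[^:]+):(?P<dip>[^/]+)/(?P<dport>\d+) \((?P<dmip>[^/]+)/(?P<dmport>\d+)\)"
)
# 302014: teardown with duration, byte count and an optional reason.
TEARDOWN_RE = re.compile(
    r"^Teardown (?P<proto>\w+) connection (?P<conn>\d+) "
    r"for (?P<szone>[^:]+):(?P<sip>[^/]+)/(?P<sport>\d+) "
    r"to (?P<dzone>[^:]+):(?P<dip>[^/]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)
# 106023: ACL deny for TCP/UDP (ICMP denies carry type/code instead of ports
# and fall through as "other" here).
DENY_RE = re.compile(
    r"^Deny (?P<proto>\w+) src (?P<szone>[^:]+):(?P<sip>[^/]+)/(?P<sport>\d+) "
    r"dst (?P<dzone>[^:]+):(?P<dip>[^/]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)
BODY_PARSERS = (("built", BUILT_RE), ("teardown", TEARDOWN_RE), ("deny", DENY_RE))
INT_COLUMNS = ("conn", "sport", "dport", "smport", "dmport", "bytes")


def parse_line(line: str) -> Optional[Dict]:
    """Split one syslog line into columns; returns None for non-ASA lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec: Dict = {
        "ts": m["ts"], "host": m["host"], "severity": int(m["severity"]),
        "msgid": m["msgid"], "event": "other", "body": m["body"],
    }
    for event, rx in BODY_PARSERS:
        bm = rx.match(m["body"])
        if bm:
            rec["event"] = event
            rec.update({k: v for k, v in bm.groupdict().items() if v is not None})
            break
    for col in INT_COLUMNS:
        if col in rec:
            rec[col] = int(rec[col])
    if rec["event"] == "built":
        # NAT applied if either side's mapped address/port differs from the real one.
        rec["nat"] = ((rec["sip"], rec["sport"]) != (rec["smip"], rec["smport"])
                      or (rec["dip"], rec["dport"]) != (rec["dmip"], rec["dmport"]))
    return rec


def parse_log(text: str) -> List[Dict]:
    """Parse every line of a log file, dropping lines that are not ASA messages."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def select(records: List[Dict], **criteria) -> List[Dict]:
    """Column filter, e.g. select(recs, event="deny", dip="10.0.0.25")."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def count_by(records: List[Dict], column: str) -> Counter:
    """Tally one column, e.g. denies per source address or events per type."""
    return Counter(r[column] for r in records if column in r)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(count_by(recs, "event"))
    for r in select(recs, event="deny"):
        print(r["ts"], r["proto"], f'{r["sip"]}:{r["sport"]} -> {r["dip"]}:{r["dport"]}', r["acl"])
    for r in select(recs, event="built", nat=True):
        print(r["ts"], "conn", r["conn"], r["dip"], "mapped to", r["dmip"])
```

Once lines are records, the "column" queries the thread asks for are one call each: denies against a given host, connections where NAT was applied versus not, or a tally of deny sources. Unmatched message ids keep their raw body, so nothing is silently dropped when the firewall emits a format the parser does not know.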



Re: ASA log viewer

2011-11-19 Thread Duane Toler
On Nov 19, 2011, at 9:05 PM, Jonathan Lassoff j...@thejof.com wrote:

> Ah, this totally makes sense now. I can see why you'd want to use features
> that are already on your ASAs. Sounds like a bug to me, though.
> I wonder what Cisco calls syslog-tls though. Syslog-like packet bodies,
> over a TLS-wrapped TCP socket?
>
> Sorry to hear it's been so unreliable -- I guess that's why I'm biased
> towards just running generic PCs and open source software for this kind of
> stuff; when bugs happen, you're actually empowered to debug and fix
> problems.


Yep all of our other gear is Linux for that reason (plus Mac OS on the
desktop so things just work).

Cisco called the syslog-TLS stuff just "syslog" plus a "secure" parameter,
with port 1470 by default. ASDM had a fairly helpful interface to get it
configured.  I think it requires the K9 image, or whatever it's called, to
get the option.


> This does indeed sound like a good application for Splunk. They have ways
> of defining custom logging formats that will parse out simple column and
> message types so that you can construct queries based on that information.
>
> There's some more information here in Splunk's docs on custom field
> extraction:
> http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions
>
> Cheers,
> jof


Sounds promising!  Thanks again!

Sent from my iPad