Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
930
Views
0
Helpful
2
Replies

Firewall syslong analyze

Latchum Naidu
VIP Alumni
VIP Alumni

‎11-28-2011 11:47 PM - edited ‎03-11-2019 02:56 PM

Hi All,


We have a Kiwi syslog server in our network to monitor and analyze the syslogs from our Firewalls.
We are getting the complete syslongs from 1-7
Now I need to analyze all the syslogs which are important and needfull.

Can someone tell me what all we need to look and prepare a report to send to the customer.

DateTimeFacilityLevelHost NameMessage Text
11/25/201114:17:55Local4Info10.39.40.101Nov 25 2011 05:28:09: %ASA-6-305011: Built dynamic TCP translation from inside:10.37.4.114/2344 to outside(inside_nat_outbound):206.206.208.4/25224
11/25/201114:17:55Local4Info10.39.40.100Mar 03 2003 21:00:30: %ASA-6-302021: Teardown ICMP connection for faddr 10.50.79.42/0 gaddr 10.39.40.100/0 laddr 10.39.40.100/0
11/25/201114:17:55Local4Info10.39.40.100Mar 03 2003 21:00:30: %ASA-6-302020: Built inbound ICMP connection for faddr 10.50.79.42/0 gaddr 10.39.40.100/0 laddr 10.39.40.100/0
11/25/201114:17:55Local4Critical10.39.40.100Mar 03 2003 21:00:30: %ASA-2-106006: Deny inbound UDP from 10.90.80..12/50030 to 10.10.10.221/6004 on interface inside
11/25/201114:17:55Local4Info10.39.40.100Mar 03 2003 21:00:30: %ASA-6-302021: Teardown ICMP connection for faddr 10.50.79.50/0 gaddr 10.39.40.100/0 laddr 10.39.40.100/0
11/25/201114:17:55Local4Info10.39.40.100Mar 03 2003 21:00:30: %ASA-6-302020: Built inbound ICMP connection for faddr 10.50.79.50/0 gaddr 10.39.40.100/0 laddr 10.39.40.100/0
11/25/201114:17:55Local4Critical10.39.40.100Mar 03 2003 21:00:30: %ASA-2-106006: Deny inbound UDP from 10.90.80..12/50028 to 10.10.10.221/6004 on interface inside
11/25/201114:17:55Local4Info10.69.40.10Nov 25 2011 10:21:57: %ASA-6-302016: Teardown UDP connection 131880 for outside:69.28.180.4/53 to inside:30.90.79.11/51105 duration 0:00:00 bytes 205
11/25/201114:17:55Local4Critical10.39.40.100Mar 03 2003 21:00:29: %ASA-2-106001: Inbound TCP connection denied from 193.167.113.59/64498 to 206.206.215.90/402 flags SYN on interface outside
11/25/201114:17:55Local4Info10.69.40.10Nov 25 2011 10:21:57: %ASA-6-302021: Teardown ICMP connection for faddr 30.90.79.60/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:55Local4Info10.69.40.10Nov 25 2011 10:21:57: %ASA-6-302020: Built inbound ICMP connection for faddr 30.90.79.60/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:55Local4Info10.69.40.10Nov 25 2011 10:21:57: %ASA-6-302015: Built outbound UDP connection 131880 for outside:69.28.180.4/53 (69.28.180.4/53) to inside:30.90.79.11/51105 (194.177.227.226/58882)
11/25/201114:17:55Local4Info10.69.40.10Nov 25 2011 10:21:57: %ASA-6-305011: Built dynamic UDP translation from inside:30.90.79.11/51105 to outside(inside_nat_outbound):194.177.227.226/58882
11/25/201114:17:54Local4Info10.39.40.101Nov 25 2011 05:28:08: %ASA-6-302014: Teardown TCP connection 2424813 for outside:46.59.45.233/42044 to inside:10.37.4.114/2343 duration 0:00:00 bytes 0 Failover primary closed
11/25/201114:17:54Local4Critical10.39.40.100Mar 03 2003 21:00:29: %ASA-2-106001: Inbound TCP connection denied from 112.210.219.103/2182 to 206.206.210.125/445 flags SYN on interface outside
11/25/201114:17:54Local4Info10.69.40.10Nov 25 2011 10:21:57: %ASA-6-302016: Teardown UDP connection 131879 for outside:194.177.224.28/53 to inside:30.90.79.11/60777 duration 0:00:00 bytes 135
11/25/201114:17:54Local4Critical10.39.40.100Mar 03 2003 21:00:29: %ASA-2-106001: Inbound TCP connection denied from 200.98.197.105/80 to 206.206.212.246/10673 flags SYN ACK on interface outside
11/25/201114:17:54Local4Info10.69.40.10Nov 25 2011 10:21:57: %ASA-6-302015: Built outbound UDP connection 131879 for outside:194.177.224.28/53 (194.177.224.28/53) to inside:30.90.79.11/60777 (194.177.227.226/50598)
11/25/201114:17:54Local4Info10.69.40.10Nov 25 2011 10:21:57: %ASA-6-305011: Built dynamic UDP translation from inside:30.90.79.11/60777 to outside(inside_nat_outbound):194.177.227.226/50598
11/25/201114:17:54Local4Info10.69.40.10Nov 25 2011 10:21:57: %ASA-6-302016: Teardown UDP connection 131878 for outside:204.61.216.49/53 to inside:30.90.79.11/60768 duration 0:00:00 bytes 119
11/25/201114:17:54Local4Warning10.39.40.100Mar 03 2003 21:00:29: %ASA-4-106023: Deny tcp src outside:31.181.179.240/4646 dst inside:206.206.208.47/25 by access-group "Outside_access_in" [0x0, 0x0]
11/25/201114:17:54Local4Info10.69.40.10Nov 25 2011 10:21:57: %ASA-6-302015: Built outbound UDP connection 131878 for outside:204.61.216.49/53 (204.61.216.49/53) to inside:30.90.79.11/60768 (194.177.227.226/7246)
11/25/201114:17:54Local4Info10.69.40.10Nov 25 2011 10:21:57: %ASA-6-305011: Built dynamic UDP translation from inside:30.90.79.11/60768 to outside(inside_nat_outbound):194.177.227.226/7246
11/25/201114:17:54Local4Info10.39.40.101Nov 25 2011 05:28:08: %ASA-6-305011: Built dynamic UDP translation from inside:10.90.80..11/60970 to outside(inside_nat_outbound):206.206.208.4/1103
11/25/201114:17:54Local4Info10.39.40.101Nov 25 2011 05:28:08: %ASA-6-305011: Built dynamic UDP translation from inside:10.90.80..11/49747 to outside(inside_nat_outbound):206.206.208.4/29109
11/25/201114:17:54Local4Info10.39.40.101Nov 25 2011 05:28:08: %ASA-6-305011: Built dynamic UDP translation from inside:10.90.80..11/60804 to outside(inside_nat_outbound):206.206.208.4/39822
11/25/201114:17:54Local4Info10.69.40.10Nov 25 2011 10:21:56: %ASA-6-305012: Teardown dynamic UDP translation from inside:30.90.79.11/60877 to outside(inside_nat_outbound):194.177.227.226/36612 duration 0:00:30
11/25/201114:17:54Local4Info10.39.40.101Nov 25 2011 05:28:07: %ASA-6-302014: Teardown TCP connection 2424811 for outside:217.209.10.202/42042 to inside:10.37.4.114/2342 duration 0:00:00 bytes 0 Failover primary closed
11/25/201114:17:53Local4Critical10.39.40.100Mar 03 2003 21:00:28: %ASA-2-106006: Deny inbound UDP from 124.239.195.131/1275 to 206.206.210.132/1434 on interface outside
11/25/201114:17:53Local4Info10.39.40.101Nov 25 2011 05:28:07: %ASA-6-305011: Built dynamic TCP translation from inside:10.37.4.114/2342 to outside(inside_nat_outbound):206.206.208.4/36226
11/25/201114:17:53Local4Critical10.39.40.100Mar 03 2003 21:00:28: %ASA-2-106006: Deny inbound UDP from 219.148.1.91/1224 to 206.206.210.50/1434 on interface outside
11/25/201114:17:53Local4Info10.39.40.100Mar 03 2003 21:00:28: %ASA-6-106015: Deny TCP (no connection) from 10.90.80..114/135 to 10.50.79.84/47392 flags SYN ACK on interface dmz5
11/25/201114:17:53Local4Critical10.39.40.100Mar 03 2003 21:00:28: %ASA-2-106001: Inbound TCP connection denied from 200.98.197.105/80 to 206.206.214.239/17358 flags SYN ACK on interface outside
11/25/201114:17:53Local4Info10.39.40.100Mar 03 2003 21:00:28: %ASA-6-302015: Built outbound UDP connection 17256931 for outside:217.209.10.202/42042 (217.209.10.202/42042) to inside:10.37.4.114/42045 (206.206.208.4/1683)
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302021: Teardown ICMP connection for faddr 10.50.79.42/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302021: Teardown ICMP connection for faddr 10.50.79.50/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302020: Built inbound ICMP connection for faddr 10.50.79.42/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302020: Built inbound ICMP connection for faddr 10.50.79.50/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Critical10.39.40.100Mar 03 2003 21:00:27: %ASA-2-106001: Inbound TCP connection denied from 200.98.197.105/80 to 206.206.215.190/47019 flags SYN ACK on interface outside
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302021: Teardown ICMP connection for faddr 10.50.79.42/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302021: Teardown ICMP connection for faddr 10.50.79.50/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302020: Built inbound ICMP connection for faddr 10.50.79.42/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302020: Built inbound ICMP connection for faddr 10.50.79.50/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302021: Teardown ICMP connection for faddr 10.50.79.42/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302021: Teardown ICMP connection for faddr 10.50.79.50/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302020: Built inbound ICMP connection for faddr 10.50.79.42/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302020: Built inbound ICMP connection for faddr 10.50.79.50/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Critical10.39.40.100Mar 03 2003 21:00:27: %ASA-2-106001: Inbound TCP connection denied from 193.167.113.59/64498 to 206.206.215.90/402 flags SYN on interface outside
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302021: Teardown ICMP connection for faddr 30.90.79.60/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.69.40.10Nov 25 2011 10:21:55: %ASA-6-302020: Built inbound ICMP connection for faddr 30.90.79.60/0 gaddr 10.69.40.10/0 laddr 10.69.40.10/0
11/25/201114:17:53Local4Info10.39.40.101Nov 25 2011 05:28:07: %ASA-6-302016: Teardown UDP connection 2424809 for outside:193.108.88.194/53 to inside:10.90.80..11/55643 duration 0:00:00 bytes 0
11/25/201114:17:52Local4Info10.39.40.101Nov 25 2011 05:28:06: %ASA-6-305011: Built dynamic UDP translation from inside:10.90.80..11/55643 to outside(inside_nat_outbound):206.206.208.4/6252


Regards,
Naidu

Labels:
0 Helpful
2 Replies 2

Harish Balakrishnan
Spotlight
Spotlight

‎11-29-2011 12:24 AM

Hello Naidu

It depends on what your customer need , ideally we give the critical alamrs with the explanations

Regards

Harish.

0 Helpful

andrey.dugin
Level 1
Level 1
In response to Harish Balakrishnan

‎11-29-2011 07:53 AM

It really depends on your customer needs and your contract responsibilities. The main part of the log is the information about successful connections and dropped attempts. All the information may be useful but it may be useless too.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card