Episode Name: Episode 32 - Investigating Syslogs: Tips and Tricks
Contributors: Magnus Mortensen, Jay Johnston, David White Jr.
Posting Date: March 28, 2013
Description: The panel discusses best practices for configuring devices to generate syslogs, and how the TAC investigates syslogs provided by customers. Tips and tricks for parsing through large syslog files, as well as techniques and tools for finding useful information are discussed.
For example, if someone provides you with 2 GB of syslogs, how do you parse through them to find the important information? If the text files are prepended with junk text from a syslog server, how do you remove it? How do you sort your syslog entries?
The test syslog file used in the examples below can be found here:
<166>Mar 28 2013 08:22:48: %ASA-6-302016: Teardown UDP connection 57958 for outside:192.168.108.43/53 to inside:10.10.103.38/61128 duration 0:00:00 bytes 563
<166>Mar 28 2013 08:22:49: %ASA-6-302016: Teardown UDP connection 57959 for outside:192.168.108.43/53 to inside:10.10.103.38/55143 duration 0:00:00 bytes 264
<166>Mar 28 2013 08:22:49: %ASA-6-302016: Teardown UDP connection 57960 for outside:192.168.108.43/53 to inside:10.10.103.38/62819 duration 0:00:00 bytes 188
[10:56:19] [jay@jajohnst-pc /mnt/storage/logs]$
Remove junk text at the start of each syslog line
You'll notice that each log line has some junk at the front that should be removed:
[10:43:27] [jay@jajohnst-pc /mnt/storage/logs]$ head -n 4 ASAlogs-TACSecurityPodcast.txt
<167>Mar 28 2013 08:22:48: %ASA-7-710005: UDP request discarded from 10.10.126.99/52470 to inside:255.255.255.255/69
<166>Mar 28 2013 08:22:48: %ASA-6-305011: Built dynamic UDP translation from inside:10.10.103.38/61128 to outside:192.168.124.149/61128
<167>Mar 28 2013 08:22:48: %ASA-7-609001: Built local-host outside:192.168.108.43
<166>Mar 28 2013 08:22:48: %ASA-6-302015: Built outbound UDP connection 57958 for outside:192.168.108.43/53 (172.18.108.43/53) to inside:10.10.103.38/61128 (172.18.124.149/61128)
[10:46:15] [jay@jajohnst-pc /mnt/storage/logs]$
To remove all the characters on the line leading up to "Mar 28", use the sed program to find that text and replace it with "nothing":
[10:48:03] [jay@jajohnst-pc /mnt/storage/logs]$ cat ASAlogs-TACSecurityPodcast.txt | sed 's/^.*Mar 28/Mar 28/g' | head -n 4
Mar 28 2013 08:22:48: %ASA-7-710005: UDP request discarded from 10.10.126.99/52470 to inside:255.255.255.255/69
Mar 28 2013 08:22:48: %ASA-6-305011: Built dynamic UDP translation from inside:10.10.103.38/61128 to outside:192.168.124.149/61128
Mar 28 2013 08:22:48: %ASA-7-609001: Built local-host outside:192.168.108.43
Mar 28 2013 08:22:48: %ASA-6-302015: Built outbound UDP connection 57958 for outside:192.168.108.43/53 (172.18.108.43/53) to inside:10.10.103.38/61128 (172.18.124.149/61128)
[10:48:10] [jay@jajohnst-pc /mnt/storage/logs]$
Just display a particular portion of each line in the syslog file
Let's say you want to display only a particular piece of each line, say, the global IP and port in a message like this:
<166>Mar 28 2013 08:22:50: %ASA-6-305011: Built dynamic TCP translation from inside:10.10.103.38/63894 to outside:192.168.124.149/63894
First, you would grep the file so that only the lines containing that text are output; next, you could use the cut command to break each line into tokens and display only a particular token. In this example, the global interface, IP and port are token number 13, as delimited by the space character:
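The grep/sed/cut pipeline described above, as an added example that is not part of the podcast page: it writes the page's sample log lines to a constructed temp file (the file name sample_asa.log is an assumption), strips the prefix, pulls token 13 from the 305011 lines, and adds a message-ID histogram, which is a quick way to see what dominates a large file before digging in. The sed expression here matches the syslog priority field "<nnn>" rather than the literal "Mar 28", so it also works on a file that spans several days.

```shell
#!/bin/sh
# Added example, not code from the podcast page. The sample lines are copied
# from the page's test file excerpt; the file name is a constructed assumption.
SAMPLE_LOG=${TMPDIR:-/tmp}/sample_asa.log

cat > "$SAMPLE_LOG" <<'EOF'
<167>Mar 28 2013 08:22:48: %ASA-7-710005: UDP request discarded from 10.10.126.99/52470 to inside:255.255.255.255/69
<166>Mar 28 2013 08:22:48: %ASA-6-305011: Built dynamic UDP translation from inside:10.10.103.38/61128 to outside:192.168.124.149/61128
<167>Mar 28 2013 08:22:48: %ASA-7-609001: Built local-host outside:192.168.108.43
<166>Mar 28 2013 08:22:48: %ASA-6-302015: Built outbound UDP connection 57958 for outside:192.168.108.43/53 (172.18.108.43/53) to inside:10.10.103.38/61128 (172.18.124.149/61128)
<166>Mar 28 2013 08:22:50: %ASA-6-305011: Built dynamic TCP translation from inside:10.10.103.38/63894 to outside:192.168.124.149/63894
EOF

# Step 1: strip the junk before the timestamp. The page anchors on the
# literal "Mar 28", which only fits a single day's file; matching the
# "<nnn>" priority field instead works whatever the date is.
strip_prefix() {
    sed 's/^<[0-9]*>//' "$1"
}

# Steps 2 and 3: keep only the 305011 (dynamic translation) lines and print
# token 13, the global interface:ip/port. The priority field is glued to
# "Mar", so token numbering is the same with or without the prefix.
global_xlates() {
    grep '%ASA-6-305011' "$1" | cut -d ' ' -f 13
}

# Extra: count message IDs (token 5) so the noisiest ones stand out first.
msgid_histogram() {
    strip_prefix "$1" | cut -d ' ' -f 5 | sort | uniq -c | sort -rn
}

strip_prefix "$SAMPLE_LOG" | head -n 2
global_xlates "$SAMPLE_LOG"
msgid_histogram "$SAMPLE_LOG"
```

Run it with `sh` and the 305011 lines yield two global addresses, `outside:192.168.124.149/61128` and `outside:192.168.124.149/63894`; the histogram shows 305011 twice and the other IDs once each. On a real 2 GB file, drop the `head` and redirect the output of each function to its own file so you only read the big file once per question.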