Episode Name: Episode 32 - Investigating Syslogs: Tips and Tricks
Contributors: Magnus Mortensen, Jay Johnston, David White Jr.
Posting Date: March 28, 2013
Description: The panel discusses best practices for configuring devices to generate syslogs, and how the TAC investigates syslogs provided by customers. Tips and tricks for parsing through large syslog files, as well as techniques and tools for finding useful information are discussed.
For example, if someone provides you with 2 GB of syslogs, how do you parse through them to find the important information? If the text files are prepended with junk text from a syslog server, how do you remove it? How do you sort your syslog entries?
The test syslog file used in the examples below can be found here:
<166>Mar 28 2013 08:22:48: %ASA-6-302016: Teardown UDP connection 57958 for outside:192.168.108.43/53 to inside:10.10.103.38/61128 duration 0:00:00 bytes 563
<166>Mar 28 2013 08:22:49: %ASA-6-302016: Teardown UDP connection 57959 for outside:192.168.108.43/53 to inside:10.10.103.38/55143 duration 0:00:00 bytes 264
<166>Mar 28 2013 08:22:49: %ASA-6-302016: Teardown UDP connection 57960 for outside:192.168.108.43/53 to inside:10.10.103.38/62819 duration 0:00:00 bytes 188
[10:56:19] [jay@jajohnst-pc /mnt/storage/logs]$
Remove junk text at the start of each syslog line
You'll notice that each log line has some junk at the front that should be removed:
[10:43:27] [jay@jajohnst-pc /mnt/storage/logs]$ head -n 4 ASAlogs-TACSecurityPodcast.txt
<167>Mar 28 2013 08:22:48: %ASA-7-710005: UDP request discarded from 10.10.126.99/52470 to inside:255.255.255.255/69
<166>Mar 28 2013 08:22:48: %ASA-6-305011: Built dynamic UDP translation from inside:10.10.103.38/61128 to outside:192.168.124.149/61128
<167>Mar 28 2013 08:22:48: %ASA-7-609001: Built local-host outside:192.168.108.43
<166>Mar 28 2013 08:22:48: %ASA-6-302015: Built outbound UDP connection 57958 for outside:192.168.108.43/53 (172.18.108.43/53) to inside:10.10.103.38/61128 (172.18.124.149/61128)
[10:46:15] [jay@jajohnst-pc /mnt/storage/logs]$
To remove all the characters on the line leading up to "Mar 28", use the sed program to find that text and replace it with "nothing":
[10:48:03] [jay@jajohnst-pc /mnt/storage/logs]$ cat ASAlogs-TACSecurityPodcast.txt | sed 's/^.*Mar 28/Mar 28/g' | head -n 4
Mar 28 2013 08:22:48: %ASA-7-710005: UDP request discarded from 10.10.126.99/52470 to inside:255.255.255.255/69
Mar 28 2013 08:22:48: %ASA-6-305011: Built dynamic UDP translation from inside:10.10.103.38/61128 to outside:192.168.124.149/61128
Mar 28 2013 08:22:48: %ASA-7-609001: Built local-host outside:192.168.108.43
Mar 28 2013 08:22:48: %ASA-6-302015: Built outbound UDP connection 57958 for outside:192.168.108.43/53 (172.18.108.43/53) to inside:10.10.103.38/61128 (172.18.124.149/61128)
[10:48:10] [jay@jajohnst-pc /mnt/storage/logs]$
Just display a particular portion of each line in the syslog file
Let's say you want to display just one particular item from each line, say, the global IP and port in a message like this:
<166>Mar 28 2013 08:22:50: %ASA-6-305011: Built dynamic TCP translation from inside:10.10.103.38/63894 to outside:192.168.124.149/63894
First, you would grep the file to output only the lines that contain that text, and next you could use the cut command to break each line into tokens and display just a particular token. In this example, the global interface, IP and port are token number 13, as delimited by the space character:
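The sed/grep/cut steps from this section, as an added shell example that is not from the podcast or its contributors: the helper names (strip_junk, extract_field, msgid_histogram, global_translations) are hypothetical, the sample lines are constructed from the page's format, and one extra line dated Apr 01 is included to show a prefix-stripping pattern that does not hard-code "Mar 28".

```bash
#!/bin/sh
# Added example (not from the podcast): the sed/grep/cut steps above,
# generalized so that prefix stripping does not depend on the date and the
# message ID and field number are parameters. Sample lines are constructed.
SAMPLE_LOGS='<167>Mar 28 2013 08:22:48: %ASA-7-710005: UDP request discarded from 10.10.126.99/52470 to inside:255.255.255.255/69
<166>Mar 28 2013 08:22:48: %ASA-6-305011: Built dynamic UDP translation from inside:10.10.103.38/61128 to outside:192.168.124.149/61128
<166>Mar 28 2013 08:22:50: %ASA-6-305011: Built dynamic TCP translation from inside:10.10.103.38/63894 to outside:192.168.124.149/63894
<166>Apr 01 2013 09:00:01: %ASA-6-305011: Built dynamic TCP translation from inside:10.10.103.40/1025 to outside:192.168.124.150/1025'

# Drop everything before the ASA timestamp ("Mon DD YYYY HH:MM:SS: %ASA-"),
# whatever the syslog server prepended and whatever the date is.
strip_junk() {
    sed 's/^.*\([A-Z][a-z]\{2\} [0-9 ][0-9] [0-9]\{4\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}: %ASA-\)/\1/'
}

# Print field N (space-delimited, counted on the raw line exactly as on the
# page, so the <PRI> prefix is still attached to "Mar") of every line that
# carries ASA message ID $1, e.g. 305011. Strip the prefix first and the
# field numbers shift down by one.
extract_field() {
    grep "%ASA-[0-7]-$1:" | cut -d ' ' -f "$2"
}

# Count lines per message ID (raw field 5), most frequent first: a quick way
# to see what dominates a large file before grepping for anything specific.
msgid_histogram() {
    cut -d ' ' -f 5 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Global interface, IP and port of every dynamic translation in the sample
# (field 13 on the raw line, as in the page's example).
global_translations() {
    printf '%s\n' "$SAMPLE_LOGS" | extract_field 305011 13
}

# Stand-alone run: show all three helpers on the sample.
printf '%s\n' "$SAMPLE_LOGS" | strip_junk
global_translations
printf '%s\n' "$SAMPLE_LOGS" | msgid_histogram
```

To use it on the real file, replace the printf of SAMPLE_LOGS with cat of the log file; the helpers read standard input.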