Re: Cisco ASA logging



On Mar 29, 1:46 pm, Vincent C Jones <v.jo...@xxxxxxxxxxxxxxxxxxxxxxx>
wrote:
KDawg44 wrote:
On Mar 27, 12:00 pm, rober...@xxxxxxxxxxxx (Walter Roberson) wrote:
In article <1175011651.804430.20...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,

KDawg44 <KDaw...@xxxxxxxxx> wrote:
I have my cisco ASA logging to a syslog server. Is there a way for
the ASA to find resolve the websites that the users are visiting
(instead of IPs, actual DNS names)?

A particularly bad website might have the same IP address as
an excellent website. You can't count on IP address to tell you
about websites.

I don't directly answer "No" because I'm not familiar enough
with the ASA and what kinds of things you might be able to get
out of its inspection engine.

Also, is there a way for it to
track the user who is accessing it instead of the workstation and IP?

If the user has to authenticate to the firewall before being permitted
through, then the username will be placed in the relevant log entries.
(Or at least that's how it was documented in PIX 6) But if you are not
using authentication of internal users, it wouldn't know the name to log.

I do not want to use a proxy if the ASA can do this, and I do not want
to use ISA. I might try Squid on a Linux box if the ASA cannot.

Squid can be pretty useful.

For instance, a syslog message from my ASA:

asa.domain.com notice 2007-03-29 13:41:44 Mar 29 2007 13:15:47
ASAName : %ASA-5-304001: IP_OF_HOST_PC Accessed URL 69.147.114.210:/

What I would like is to have it say for IP_OF_HOST_PC state the
actual PC name in our DNS records (actually I would love the active
directory user name but that would probably be a stretch) and instead
of 69.147.114.210 I would like to see yahoo.com.

Is there a way to do this?

Thanks.

Converting IP to domain name in syslog entries is typically a function of the
syslog server, not the device generating the entries. It is also typically
turned off to avoid the performance hit and extra traffic generation doing
the reverse DNS lookups.

Have fun!
--
Vincent C Jones, Consultant Expert advice and a helping hand
Networking Unlimited, Inc. for those who want to manage and
Tenafly, NJ Phone: 201 568-7810 control their networking destiny
http://www.networkingunlimited.com


Thanks for the reply. Makes sense. I think I will see if I can turn
it on, then see how big of a hit I take. If it's too much, then I'll
just have to turn it off.

Thanks.
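Added example, not written by any poster in this thread: a collector-side enrichment step for the %ASA-5-304001 line format quoted above, with a cache so each address costs at most one reverse lookup (the performance concern raised in the reply). The names `make_enricher`, `resolve` and `label` are hypothetical, and the addresses and host names in the demo are constructed from documentation ranges.

```python
import ipaddress
import re
import socket
from functools import lru_cache

# Message layout taken from the %ASA-5-304001 sample quoted in the thread.
URL_LOG = re.compile(
    r"%ASA-5-304001: (?P<client>\S+) Accessed URL (?P<server>[^:\s]+):(?P<path>\S*)")


def make_enricher(resolve=None, cache_size=4096):
    """Build enrich(line); resolve(ip) returns a name or raises OSError."""
    if resolve is None:
        def resolve(ip):
            return socket.gethostbyaddr(ip)[0]  # PTR lookup via system resolver

    @lru_cache(maxsize=cache_size)
    def ptr(ip):
        # One lookup per distinct address; failures are cached as None too,
        # so a busy log does not become a flood of repeated DNS queries.
        try:
            return resolve(ip)
        except OSError:
            return None

    def label(field):
        try:
            ipaddress.ip_address(field)
        except ValueError:
            return field  # not an address, e.g. a redacted placeholder
        name = ptr(field)
        # Keep the IP: a PTR name is a hint only, shared hosts serve many sites.
        return f"{field} ({name})" if name else field

    def enrich(line):
        m = URL_LOG.search(line)
        if not m:
            return line  # other message IDs pass through unchanged
        tail = f"{label(m['client'])} Accessed URL {label(m['server'])}:{m['path']}"
        return line[:m.start("client")] + tail + line[m.end():]

    return enrich


if __name__ == "__main__":
    # Constructed PTR table standing in for DNS so the demo runs offline.
    fake_ptr = {"192.0.2.10": "pc17.corp.example", "198.51.100.7": "web.example.net"}
    enrich = make_enricher(resolve=lambda ip: fake_ptr.get(ip) or socket.gethostbyaddr(""))
    print(enrich("ASAName : %ASA-5-304001: 192.0.2.10 Accessed URL 198.51.100.7:/"))
```

The original address stays in the line next to the resolved name because, as noted earlier in the thread, one IP can front many unrelated sites and the PTR record need not match the site the user asked for.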
