Re: Cisco ASA Syslog Messages



On Tue, 25 Sep 2007 02:14:50 -0700, Merv <merv.hrabi@xxxxxxxxxx>
wrote:

On Sep 24, 9:50 pm, phir0...@xxxxxxxxxxx wrote:
We recently purchased a piece of software that is going to inspect our
syslog log files and alert us based on specific queries. The software
however was not written to read Cisco syslog specifically so we have
to define pretty tightly what we want to alert on. I have been
reviewing the documentation regarding the ASA/PIX syslog format and it
seems helpful except there are so many damn messages and message
types.

Does anyone have any suggestions regarding what things to specifically
look for in the logs? I know this is a very vague question and I know
a lot of it is based on the position and functionality of our ASAs,
but what I am really more looking for perhaps are some guidelines or
perhaps a sample of what others are doing. Perhaps there is some
documentation other than the massive list of all messages that might
lend some guidance?

The problem in theory of course is that I can look through our current
logs and identify items to be alerted against, but how does one
anticipate what is going to be in the logs when an actual security
attack/emergency occurs?

Any help is greatly appreciated.


Take a look at some of the PIX syslog tools at

http://www.loganalysis.org/sections/parsing/application-specific/index.html


Thanks for the link, although some of those tools appear to be
helpful, I have been tasked with making the software we already have
work, which is why I am soliciting examples for configuration or
perhaps sample policies.

Thanks again though.
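One way to give a generic log tool a tight rule for ASA/PIX syslog, as an added example that is not from this thread: parse the %ASA-<severity>-<msgid>: header every ASA/PIX message carries and decide per line whether it meets a small alert policy (a severity threshold plus a watchlist of message IDs). The sample lines are constructed, the message numbers are real ASA message IDs, and the policy itself is only an assumption to show the shape of one.

```python
import re

# Cisco ASA/PIX/FWSM syslog header: %<platform>-<severity>-<message id>: <text>
# Severity uses syslog numbering: 0 emergencies ... 7 debugging.
ASA_HEADER = re.compile(
    r"%(?P<platform>ASA|PIX|FWSM)-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)"
)

# Hypothetical alert policy: anything at severity 3 (errors) or worse always
# alerts, plus a watchlist of lower-severity IDs that are still worth seeing.
MAX_QUIET_SEVERITY = 3
WATCHLIST = {
    "106023": "connection denied by access list",
    "113015": "AAA user authentication rejected",
    "605004": "management login denied",
}

# Constructed sample lines with a typical "timestamp host" prefix in front.
SAMPLE_LOG = [
    "Sep 24 21:50:01 fw01 %ASA-6-302013: Built outbound TCP connection 1001 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51234 (192.0.2.10/51234)",
    "Sep 24 21:50:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 "
    "dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    "Sep 24 21:50:03 fw01 %ASA-6-113015: AAA user authentication Rejected : "
    "reason = Invalid password : local database : user = admin",
    "Sep 24 21:50:04 fw01 %ASA-3-201008: Disallowing new connections.",
    "Sep 24 21:50:05 fw01 sshd[123]: not an ASA message at all",
]

def parse_asa_line(line):
    """Return (platform, severity, msgid, text), or None for non-ASA lines."""
    m = ASA_HEADER.search(line)  # search, not match: tolerate the syslog prefix
    if not m:
        return None
    return m["platform"], int(m["sev"]), m["msgid"], m["text"]

def classify(line):
    """Return the reason a line should alert, or None if it is routine."""
    parsed = parse_asa_line(line)
    if parsed is None:
        return None
    _platform, sev, msgid, _text = parsed
    if sev <= MAX_QUIET_SEVERITY:
        return f"severity {sev} message {msgid}"
    return WATCHLIST.get(msgid)

def scan(lines):
    """Return [(line, reason)] for every line that meets the alert policy."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((line, reason))
    return hits

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(f"ALERT [{reason}]: {line}")
```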