I am trying to log everything from my Cisco ASA (firewall) to my new syslog server.
I have fiddled a bit, and I am getting messages into various files in /var/log…so far so good.
What I really want is for all the CiscoASA messages to go into one file under /var/log/ciscoasa and then have logrotate zip the files every week and then rotate this every 3 months. I assume that the usual server logging will continue as normal.
As usual, any suggestions, comments etc will be appreciated.
Regards
John
Can you post a sample of your cisco-sourced events? Filtering is pretty
neat in syslog-ng. Another customer tried to do some filtering before,
and this may at least get you started:
Below are some samples of the log files in /var/log/localmessages and /var/log/messages coming from the Cisco ASA 10.1.2.1 to my syslog server 10.1.3.42
I am not too concerned about splitting the data into separate logfiles just so long as “logrotate” will zip the file(s) on a weekly basis and store them for 3 to 6 months.
*** localmessages ***
Nov 11 08:10:46 10.1.2.1 %ASA-7-713906: IKE Receiver: Packet received on 10.5.1.2:4500 from 41.13.146.205:46452
Nov 11 08:10:46 10.1.2.1 %ASA-7-713236: IP = 41.13.146.205, IKE_DECODE RECEIVED Message (msgid=d2b4a40a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Nov 11 08:10:46 10.1.2.1 %ASA-7-715047: Group = cor-ballito-tg, Username = cor_ballito_3G, IP = 41.13.146.205, processing hash payload
Nov 11 08:10:46 10.1.2.1 %ASA-7-715047: Group = cor-ballito-tg, Username = cor_ballito_3G, IP = 41.13.146.205, processing notify payload
Nov 11 08:10:46 10.1.2.1 %ASA-7-715075: Group = cor-ballito-tg, Username = cor_ballito_3G, IP = 41.13.146.205, Received keep-alive of type DPD R-U-THERE (seq number 0x1c8d7e5d)
Nov 11 08:10:46 10.1.2.1 %ASA-7-715036: Group = cor-ballito-tg, Username = cor_ballito_3G, IP = 41.13.146.205, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x1c8d7e5d)
Nov 11 08:10:46 10.1.2.1 %ASA-7-715046: Group = cor-ballito-tg, Username = cor_ballito_3G, IP = 41.13.146.205, constructing blank hash payload
Nov 11 08:10:46 10.1.2.1 %ASA-7-715046: Group = cor-ballito-tg, Username = cor_ballito_3G, IP = 41.13.146.205, constructing qm hash payload
Nov 11 08:10:46 10.1.2.1 %ASA-7-713236: IP = 41.13.146.205, IKE_DECODE SENDING Message (msgid=8f359a6f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Nov 11 08:10:47 10.1.2.1 %ASA-5-304001: 10.6.5.23 Accessed URL 10.1.3.54:http://jde2.corobrik.co.za/jde/css/JSGrid.css
Nov 11 08:10:47 10.1.2.1 %ASA-5-304001: 10.6.5.23 Accessed URL 10.1.3.54:http://jde2.corobrik.co.za/jde/css/RI.css
Nov 11 08:10:47 10.1.2.1 %ASA-7-710007: NAT-T keepalive received from 197.87.79.42/4500 to outside:10.5.1.2/4500
Nov 11 08:10:47 10.1.2.1 %ASA-7-710007: NAT-T keepalive received from 41.13.76.85/54060 to outside:10.5.1.2/4500
Nov 11 08:10:47 10.1.2.1 %ASA-5-304001: 10.1.3.15 Accessed URL ZScaler: http://osce11-ilspn30-p.activeupdate.trendmicro.com:80/activeupdate/pattern/itbldiff_1463000200_1463000300.zip
This then is covered in logrotate’s configuration.
See /etc/logrotate.d/syslog for a sample - if you manage to put these messages in a separate log file (see i.e. ab’s reply), then create a new file in /etc/logrotate.d, where you will set up the rotation similar to the entries in /etc/logrotate.d/syslog.
If you want weekly rotation, use “weekly” instead of maxage:
[QUOTE]weekly: Log files are rotated if the current weekday is less than the weekday of the last rotation or if more than a week has passed since the last rotation. This is normally the same as rotating logs on the first day of the week, but it works better if logrotate is not run every night.[/QUOTE]
If you want to keep the files for half a year, set “rotate” to 26: Keeping 26 weekly files covers about 6 months.
Compression is controlled via “compress” and “compresscmd”. And keep the “postrotate” block, so that syslogd gets restarted. For everything else, see “man logrotate”
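Putting the pieces of that reply together, here is a complete /etc/logrotate.d/ciscoasa as an added example (not a file from the thread or from any distribution). It assumes syslog-ng writes the ASA messages to /var/log/ciscoasa/ciscoasa.log and that syslog-ng's pidfile is /var/run/syslog-ng.pid; adjust both to your system. The postrotate block only sends a HUP, and delaycompress leaves the most recent rotated file uncompressed until the next run, so nothing is gzipped while syslog-ng may still be writing to it:

```conf
# /etc/logrotate.d/ciscoasa  -- added example, assumed paths
/var/log/ciscoasa/ciscoasa.log {
    weekly              # rotate once a week (see the "weekly" quote above)
    rotate 26           # keep 26 weekly archives, i.e. about six months
    compress            # gzip rotated files
    delaycompress       # but not the one syslog-ng may still hold open
    missingok           # don't error if the ASA has been quiet and the file is absent
    notifempty          # skip rotation of an empty file
    # Firewall logs carry internal addresses, VPN usernames and visited URLs
    # (see the samples above), so keep them readable by root/adm only.
    create 0640 root adm
    sharedscripts
    postrotate
        # assumed pidfile location; on a systemd host "systemctl reload syslog-ng" does the same
        /bin/kill -HUP `cat /var/run/syslog-ng.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
```

Check it before the first weekly run with `logrotate -d /etc/logrotate.d/ciscoasa` (dry run, prints what would happen) or force a rotation with `logrotate -f /etc/logrotate.d/ciscoasa` and confirm that ciscoasa.log is recreated with the 0640 permissions and that new ASA lines keep arriving in it.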
Another option would be to filter on the message source:
filter f_ciscoasa { host("10.1.2.1"); };
One thing to look out for is if the IP suddenly resolves to a name - then the filter would have to be adjusted (add another condition “… or host( “somenameforASAbox”)…” ).
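The filter above, carried through into a complete syslog-ng fragment, as an added example that is not part of either reply. It assumes syslog-ng 3.x syntax, that the ASA sends to UDP 514, and the file path /var/log/ciscoasa/ciscoasa.log; the source and filter names are made up for the example. Two details matter for the points raised in the thread: use_dns(no) on the source keeps the HOST field as the IP so the host() match does not silently break if the ASA's address becomes resolvable (netmask() matches on the sender address and is another way to avoid that), and flags(final) on the log statement stops the message from also being written by the catch-all log statements that feed /var/log/messages and /var/log/localmessages, provided this log statement appears before them in the configuration, since syslog-ng evaluates log statements in order:

```conf
# /etc/syslog-ng/conf.d/ciscoasa.conf  -- added example, assumed names and paths
source s_asa_net {
    # use_dns(no): HOST stays "10.1.2.1" even if reverse DNS for the ASA is added later
    udp(ip(0.0.0.0) port(514) use_dns(no));
};

filter f_ciscoasa {
    # match either the HOST field or the actual sender address; both cover 10.1.2.1
    host("10.1.2.1") or netmask("10.1.2.1/32");
};

destination d_ciscoasa {
    # one file for all ASA messages; restrictive perms because the content includes
    # VPN usernames, internal addresses and browsed URLs (see the samples above)
    file("/var/log/ciscoasa/ciscoasa.log"
         create_dirs(yes) dir_perm(0750) perm(0640) owner("root") group("adm"));
};

# flags(final): once an ASA message has been written here it is not passed on to
# the later log statements for /var/log/messages and /var/log/localmessages.
log { source(s_asa_net); filter(f_ciscoasa); destination(d_ciscoasa); flags(final); };
```

Run `syslog-ng -s` (syntax-only check) after editing, reload syslog-ng, then watch ciscoasa.log and /var/log/messages side by side; a %ASA- line appearing in both means the log statement is ordered after the catch-all one or the catch-all uses a different source that the filter was not applied to.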
Thanks for the information, it has been a great help.
I fiddled a bit more and now I am capturing the logs from the Cisco firewall. I will have to see if the logrotate is working.
The only issue is that the files /var/log/messages and localmessages are also getting the log entries.
Can this be turned off so that the Cisco firewall logs only go to the ciscoasa.log file? Otherwise the data is duplicated/triplicated.