Syslog collecting and analyzing

Unanswered Question
Jun 3rd, 2009


What suggestions are there for syslog collecting and analyzing for an ASA 5510? I mean --

(1) syslog server software suggestions (on Windows platform)? and

(2) software for analyzing?

Any experiences? Good ones, I hope! =)

More thanks, Alar.

Leo Laohoo Wed, 06/03/2009 - 14:33

If you can find it, 3Com's 3CDaemon is also another alternative, and it's free.

scottmac Thu, 06/04/2009 - 04:33

3CDaemon is great as a utility (TFTP, FTP, and syslog), but it has some massive security issues, and should not be used as a standing application (unless you are in a very secure environment).

Kiwi is pretty hard to beat on Windows. For *nix, I've had great luck with Rsyslog (and it's free).

Depending on the type of analysis you're looking to do, the "pay for" version of Kiwi may be more desirable. For example, if you intend to report on what you know will be an extremely large volume of data, the purchased version of Kiwi will let you put your collected syslog info directly into an SQL database ... much easier (and much FASTER, as a rule) than trying to manipulate flat files. Kiwi provides the table structure and scripts to set up the database for most of the popular DBs.

hobbe Thu, 06/04/2009 - 06:32

For Windows: Kiwi Syslog, you just can't beat it.

Start out with the free version, and then when you get the hang of it you can get the full version.

I use grep to get information into manageable chunks, then I view it with Notepad.

But there is several different software; Kiwi has some that might help you.

PS: SolarWinds has bought Kiwi.

Alar Pandis Fri, 06/05/2009 - 01:05

Hi and thanks to All!

Kiwi it is, probably. MARS ... I have no doubt it is excellent, but I suppose the prices are also ... And, well, we don't have a complex enough network here! We just need to keep records on activity and need to have some insight (alerts etc.) into what is going on.

More thanks, Alar.

Alar Pandis Sun, 06/07/2009 - 06:18

Hi again! I set up Kiwi.

I've added timestamps to the syslog messages. I thought that when Kiwi is down the ASA keeps the log in a queue buffer, and when Kiwi (well, any syslog server) is up again it sends the info to the syslog server from where it was broken, but ... I stopped Kiwi for a minute, generated some activity on the ASA side and then started Kiwi again, but ... no missed log appeared in Kiwi. Did I miss something in the ASA conf? I have set the max buffer size and also an unlimited queue size for when the syslog server is busy. I need to keep those missed messages, because sometimes the syslog server may be ... down for a ... while.

Any ideas,


scottmac Sun, 06/07/2009 - 11:45

By default, syslog uses UDP (no session, connectionless, send & forget).

When you tell a device to use syslog, there is no verification (other than possibly a ping to verify reachability).

You can set up the ASA to buffer and send syslog, but the buffer is circular ... meaning that once the buffer is used up, it goes back to the beginning of the buffer and starts overwriting the old information.

Alar Pandis Sun, 06/07/2009 - 23:48

Hi and thanks!

(1) Does setting up a TCP connection for syslog make any difference?

(2) So then (when I use Kiwi) there is no point in setting the ASA to send timestamps? Is that correct?

(3) I have enough memory for the buffer, but probably this does not make any difference either? I mean, when the syslog server is unreachable for a few moments, those rows are lost? Is that correct?

Well, then it is probably better to have several syslog servers up and running!?

More thanks, Alar.

hobbe Tue, 06/09/2009 - 03:19

Syslog works like this.

It uses UDP and basically it is fire and forget. There is no status delivered back to the message sender on whether or not the message has been received by the recipient(s).

However, there are instances that call for more security and more strict logging.

That is possible via syslog over TCP.

There is (or at least was) an option where you could set that a log had to be written to let the packet traverse the firewall.

However, this is a good feature, but I think that it is way too dangerous in case there is a network or server problem.

Think of it this way: every time you reload the syslog server, your internet traffic stops until the syslog server is up and running again.

What you can do, for example, is to send it to two different hosts.

If they are both down in different timeframes, then you could merge the files. To merge them you only have to check the timestamps for when it went down and when it came back up and add them to a merged file.

Or if you want to do sneaky stuff, you can sniff the syslog traffic, or send it to a broadcast address.

good luck
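The merge hobbe describes above, as an added example that is not part of this thread or of any Kiwi/Cisco tooling: two collectors each miss a window, and the script orders the union by timestamp, drops exact duplicates, and reports the window in which each collector was down. It assumes the ASA is sending with `logging timestamp` enabled, so each line starts with a `Mon DD YYYY HH:MM:SS:` prefix; the sample lines and the collector outages are constructed.

```python
"""Merge two syslog captures into one ordered, de-duplicated stream and
report the gaps in each source. Added example; sample data is constructed."""
import re
from datetime import datetime, timedelta

# Prefix the ASA emits with 'logging timestamp' enabled, e.g.
# "Jun 09 2009 03:19:40: %ASA-6-302013: ...". The optional <PRI> is what a
# raw UDP capture carries. Assumption: this covers the sample format only.
LINE_RE = re.compile(
    r"^(?:<\d+>)?(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): (%ASA-\d-\d+: .*)$"
)


def parse_line(line):
    """Return (timestamp, message) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    return ts, m.group(2)


def merge_logs(*sources):
    """Union of all parsed lines, ordered by timestamp, with exact
    duplicates (same timestamp and same text) removed."""
    seen = set()
    merged = []
    for src in sources:
        for line in src:
            rec = parse_line(line)
            if rec is None or rec in seen:
                continue
            seen.add(rec)
            merged.append(rec)
    merged.sort(key=lambda rec: rec[0])
    return merged


def find_gaps(source, max_gap=timedelta(seconds=45)):
    """(start, end) pairs where consecutive records in one collector's file
    are further apart than max_gap: the windows that collector missed."""
    times = sorted(rec[0] for rec in map(parse_line, source) if rec)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


# Constructed events, 30 s apart. Collector A missed E3; collector B missed E5.
E1 = "Jun 09 2009 03:19:40: %ASA-6-302013: Built outbound TCP connection 1001"
E2 = "Jun 09 2009 03:20:10: %ASA-6-302014: Teardown TCP connection 1001"
E3 = "Jun 09 2009 03:20:40: %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444"
E4 = "Jun 09 2009 03:21:10: %ASA-6-302013: Built outbound TCP connection 1002"
E5 = "Jun 09 2009 03:21:40: %ASA-6-302014: Teardown TCP connection 1002"
E6 = "Jun 09 2009 03:22:10: %ASA-5-111008: User 'admin' executed the 'write memory' command"

COLLECTOR_A = [E1, E2, E4, E5, E6]
COLLECTOR_B = ["<166>" + E1, E2, E3, E4, E6, "garbage line that must be skipped"]


def demo():
    """Merge the two constructed captures and return the result with gaps."""
    merged = merge_logs(COLLECTOR_A, COLLECTOR_B)
    return merged, find_gaps(COLLECTOR_A), find_gaps(COLLECTOR_B)


if __name__ == "__main__":
    merged, gaps_a, gaps_b = demo()
    for ts, msg in merged:
        print(ts.strftime("%b %d %Y %H:%M:%S"), msg)
    print("collector A was down between:", gaps_a)
    print("collector B was down between:", gaps_b)
```

The gap threshold should be tuned to the device's real message rate; on a busy ASA a 45 s silence is suspicious, on a quiet one it is normal. Duplicates are only dropped when timestamp and text match exactly, which is why the timestamp option Alar enabled matters for this: without it, two collectors' copies of the same event cannot be told apart from two separate events.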

Alar Pandis Tue, 06/09/2009 - 05:09

Hi and thanks!

Well, then it is better indeed just to have several (two would be enough, I think) syslog servers ready and ... Our (EDU) "business" is not so mysterious! =)

More thanks, Alar.

nagel Wed, 06/24/2009 - 05:15

One additional thought... ManageEngine makes a pretty slick Firewall Analyzer. I believe it is free to try. I use many of their products and have been fairly satisfied with all of them.
