988 Views, 0 Helpful, 14 Replies

Syslog collecting and analyzing

Alar Pandis
Level 1

Hi!

What suggestions are there for syslog collecting and analyzing for an ASA 5510? I mean --

(1) syslog server software suggestions (on Windows platform)? and

(2) software for analyzing?

Any experiences? Good ones, I hope! =)

More thanks, Alar.

14 Replies

Alar Pandis
Level 1

Hi again!

Kiwi Syslog Server?

Must it run on a dedicated system?

Alar.

In another environment, I ran it on my workstation PC. You just need enough storage for the syslog files.

Hi and thanks!

You mean Kiwi? Well, that's an idea! Is it CPU-intensive?

Alar.

Leo Laohoo
Hall of Fame

If you can find it, 3Com's 3CDaemon is also another alternative, and it's free.

3CDaemon is great as a utility (TFTP, FTP, and syslog), but it has some massive security issues, and should not be used as a standing application (unless you are in a very secure environment).

Kiwi is pretty hard to beat on Windows. For *nix, I've had great luck with Rsyslog (and it's free).

Depending on the type of analysis you're looking to do, the "pay for" version of Kiwi may be more desirable. For example, if you intend to report on what you know will be an extremely large volume of data, the purchased version of Kiwi will let you put your collected syslog info directly into an SQL database ... much easier (and much FASTER, as a rule) than trying to manipulate flat files. Kiwi provides the table structure and scripts to set up the database for most of the popular DBs.

hobbe
Level 7

For Windows: Kiwi Syslog, you just can't beat it.

Start out with the free version, and then when you get the hang of it you can get the full version.

I use grep to get the information into manageable chunks, then I view it with Notepad.

But there is several different software; Kiwi has some that might help you.

PS: SolarWinds has bought Kiwi.

pompeychimes
Level 4

Free - Kiwi

Pay - MARS

Hi and thanks to All!

Kiwi it is, probably. MARS ... I have no doubt it is excellent, but I suppose the price is also ... And, well, we don't have a complex enough network here! We just need to keep records of activity and need to have some insight (alerts etc.) into what is going on.

More thanks, Alar.

Alar Pandis
Level 1

Hi again! Set up Kiwi.

I added a timestamp to the syslog messages. I thought that when Kiwi is down the ASA keeps the log in a queue buffer, and when Kiwi (well, any syslog server) is up again it sends the info to syslog from where it was broken, but ... I stopped Kiwi for a minute, generated some activity from the ASA side and then started Kiwi again, but ... no missed log appeared in Kiwi. Did I miss something in the ASA conf? I have set the max buffer size and also an unlimited queue size for when the syslog server is busy. I need to keep those missed messages, because sometimes the syslog server may be ... down for a ... while.

Any ideas,

Alar.

By default, syslog uses UDP (no session, connectionless, send & forget).

When you tell a device to use syslog, there is no verification, other than possibly a ping to verify reachability.

You can set up the ASA to buffer and send syslog, but the buffer is circular ... meaning that once the buffer is used up, it goes back to the beginning of the buffer and starts overwriting the old information.

Hi and thanks!

(1) Does setting up a TCP connection for syslog make any difference?

(2) So, then (when I use Kiwi) there is no point in setting the ASA to send a timestamp? Is that correct?

(3) I have enough memory for the buffer, but probably this does not make any difference either? I mean, when the syslog server is unreachable for a few moments, those rows are lost? Is that correct?

Well, then it is probably better to have several syslog servers up and running!?

More thanks, Alar.

Syslog works like this.

It uses UDP and basically it is fire and forget. There is no status delivered back to the message sender on whether or not the message has been received by the recipient(s).

However, there are instances that call for more security and more strict logging.

That is possible via syslog over TCP.

There is (or at least was) an option where you could set that a log had to be written to let the packet traverse the firewall.

However, this is a good feature, but I think that it is way too dangerous in case there is a network or server problem.

Think of it this way: every time you reload the syslog server, your internet traffic stops until the syslog server is up and running again.

What you can do, e.g., is to send it to two different hosts.

If they are both down in different timeframes, then you could merge the files. To merge them you only have to check the timestamps for when it went down and when it came back up and add them to a merged file.

Or if you want to do sneaky stuff, you can sniff the syslog traffic, or send it to a broadcast address.

good luck
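The two posts above describe the failure mode (UDP syslog is fire and forget, and the ASA's own buffer is circular, so messages sent while the collector is down are lost) and the workaround (log to two hosts and merge the files by timestamp afterwards). The script below is an added example of that merge, not code from the thread or from Kiwi. It assumes each collector wrote one message per line prefixed with the device-side timestamp the ASA adds when `logging timestamp` is enabled (e.g. `Jan 05 2010 12:00:01: %ASA-6-302013: ...`); the log lines and the 12:00-12:10 outage in collector A are constructed for the example. It deduplicates messages both collectors saw, sorts the rest into one timeline, and reports the gaps in each collector's file, which is exactly the "when it went down and when it came back up" check the post describes.

```python
"""Merge syslog files from two collectors into one timeline and locate outages.

Added example (not from the thread). Assumed line format: the ASA's own
timestamp from `logging timestamp`, followed by the message.
"""
import re
from datetime import datetime

# Device-side timestamp as the ASA emits it, e.g. "Jan 05 2010 12:00:01: %ASA-6-302013: ..."
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): (?P<msg>.*)$")
TS_FMT = "%b %d %Y %H:%M:%S"

# Constructed sample files. Collector A was restarted between 12:00:05 and 12:10:07,
# so it is missing the 12:03:30 deny message that collector B still has.
COLLECTOR_A = [
    "Jan 05 2010 12:00:01: %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/80 to inside:192.0.2.20/51000",
    "Jan 05 2010 12:00:05: %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:192.0.2.20/51000 duration 0:00:04",
    "Jan 05 2010 12:10:07: %ASA-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.10/443 to inside:192.0.2.20/51002",
]
COLLECTOR_B = [
    "Jan 05 2010 12:00:01: %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/80 to inside:192.0.2.20/51000",
    "Jan 05 2010 12:03:30: %ASA-4-106023: Deny tcp src outside:198.51.100.5/4444 dst inside:192.0.2.20/22 by access-group outside_in",
    "Jan 05 2010 12:10:07: %ASA-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.10/443 to inside:192.0.2.20/51002",
    "Kiwi Syslog Server started",  # collector's own housekeeping line, no device timestamp
]


def parse_line(line):
    """Return (datetime, message) for a timestamped line, or None for anything else."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("msg")


def merge_logs(*sources):
    """Merge several collectors' lines into one list ordered by device timestamp.

    A message with the same timestamp and text in more than one file is kept once,
    so overlapping periods do not produce duplicates.
    """
    seen = set()
    merged = []
    for lines in sources:
        for line in lines:
            parsed = parse_line(line)
            if parsed is None or parsed in seen:
                continue
            seen.add(parsed)
            merged.append(parsed)
    merged.sort(key=lambda entry: entry[0])
    return [f"{ts.strftime(TS_FMT)}: {msg}" for ts, msg in merged]


def find_gaps(lines, max_gap_seconds):
    """Return (last_seen, next_seen) pairs where one collector was silent longer than the threshold.

    Silence longer than the device's normal message interval is the usual sign that
    this collector was down, since UDP syslog gives the sender no way to retry.
    """
    stamps = sorted(p[0] for p in map(parse_line, lines) if p is not None)
    return [
        (earlier, later)
        for earlier, later in zip(stamps, stamps[1:])
        if (later - earlier).total_seconds() > max_gap_seconds
    ]


if __name__ == "__main__":
    for entry in merge_logs(COLLECTOR_A, COLLECTOR_B):
        print(entry)
    for name, lines in (("A", COLLECTOR_A), ("B", COLLECTOR_B)):
        for start, end in find_gaps(lines, 300):
            print(f"collector {name} silent from {start:%H:%M:%S} to {end:%H:%M:%S}")
```

The gap threshold depends on how chatty the firewall is; on a busy ASA a few seconds of silence is already suspicious, while a quiet lab box may legitimately go minutes without a message.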

Hi and thanks!

Well, then it is better indeed to just have several (two would be enough, I think) syslog servers ready and ... Our (EDU) "business" is not so mysterious! =)

More thanks, Alar.

nagel
Level 1

One additional thought... ManageEngine makes a pretty slick Firewall Analyzer. I believe it is free to try. I use many of their products and have been fairly satisfied with all of them.
