Solved

Perl Script Cisco ASA Logs

Posted on 2011-02-22
30
1,650 Views
Last Modified: 2012-05-11
Hi there,

I am currently looking for a Perl script which could be run from a Linux machine, that connects to a Cisco ASA 5520 and saves the security logs into a Windows share, and finally that runs twice a day using the crontab feature.

I am planning to run the script from a Debian Lenny server.
Question by:Islandr

30 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34954509
Isn't it easier to run a syslog server and let the ASA send the logs to that server (where they can be saved)?
0
 
LVL 77

Expert Comment

by:arnold
ID: 34954652
Agree with erniebeek.
Another option might be to use SNMP to poll the ASA.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

If your Linux system has iptables running, you need to allow UDP port 514 in.

0
 
LVL 77

Expert Comment

by:arnold
ID: 34954682
Oh, if you insist on using Perl, there is a Net::Telnet::Cisco module which might provide the interface functions, or you can use socket to establish the connection and then exchange commands.
0
 

Author Comment

by:Islandr
ID: 34955454
Arnold,

I know that part, and I would like to use Perl for this. I would like to know if there is a script for this, or any other Linux-based script in any other language, if it is not possible using Perl.
0
 
LVL 77

Expert Comment

by:arnold
ID: 34956472
Which part in Perl are you looking for?
Are you looking for parsing the syslog or the file to which the syslog process writes the data reported by the ASA, or are you looking for a Perl script that will connect to the ASA, execute commands to show log entries, and then perform the tasks you want?
You could also configure the ASA to generate SNMP traps for events of interest to you, where you would not need to crunch the log to determine if a particular event occurred, given that the SNMP trap, when sent, means that the event has occurred.
0
 

Author Comment

by:Islandr
ID: 34957261
Arnold,

I am looking for a script which connects to the ASA, executes the commands (security logs) and dumps the security logs into a share. The script should be scheduled to run twice a day (and this is because of company policy); I can accomplish this by using crontab in Linux.
0
 
LVL 77

Expert Comment

by:arnold
ID: 34960989
http://nettelnetcisco.sourceforge.net/docs.html
http://search.cpan.org/~joshua/Net-Telnet-Cisco-1.10/Cisco.pm

perl -MCPAN -e 'install Net::Telnet::Cisco'

There are examples for show version; in your case you will run the 'security logs' command and then process the response line by line.
0
 

Author Comment

by:Islandr
ID: 34975053
Folks,

After testing and configuring my Linux server I followed your directions, and this is what I came up with as a test:

#!/usr/bin/perl
use strict;
use warnings;

use Net::SSH::Perl;

my $host          = "xxx.xxx.xxx.xxx";   # ASA management address
my $username      = "admin";
my $login_passwd  = "password";
my $enable_passwd = "pass";

# Open the SSH session and log in with the user password.
my $session = Net::SSH::Perl->new($host);
$session->login($username, $login_passwd);

# Enable mode is not needed for "show version"; left commented out.
# $session->cmd("enable $enable_passwd");

# Run a simple test command and capture its output (stdout, stderr, exit status).
my @output = $session->cmd("show version");

# Placeholder for the real command to run later.
# @output = $session->cmd($show);

$session->close;
print @output;

After running the script, I got the error message below. Remember, I am at least trying to connect and run a simple command to see if it works, and then run the Cisco commands that I would really like to run.

Please let me know what I am doing wrong.


Selected cipher type  not supported by server. at ./script.pl line 14

0
 

Author Comment

by:Islandr
ID: 35008954
Thanks,
0
 
LVL 57

Expert Comment

by:giltjr
ID: 35009012
Well, that might be company policy, but you should think about it.

What if your ASA's log only holds an hour's worth of data?

What if your ASA's log holds 3 days' worth of data?

You may want to think about what the intent of the policy is, not exactly what it states.

I am sure the intent is to keep a copy of the log. In which case, set up a syslog server and have the ASA send everything to it.

You can get Kiwi for free from SolarWinds.
0
 
LVL 2

Expert Comment

by:mwblsz
ID: 35009019
Well, a Perl script is used to poll some status info from the ASA using SNMP, like interface speed, bandwidth use, ARP table and so on. If you want to collect the log, all you have to do is set up a logging server. Almost all popular logging server software supports Cisco stuff, so you just need to configure the logging server accordingly and enable logging on the ASA (something like logging server x.x.x.x), and you are all set; it is that simple.

Sincerely
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 35009597
I wonder if you're actually logged into the device properly. "Selected cipher type not supported" sounds like your SSH session has not initiated properly.

I once worked out how to print the output of each line of $session so that I could see what was happening but I can't remember how. It might be something like
print ($session -> login($username, $login_passwd));
print (@output = $session->cmd("show version"));

but it might not...
0
 

Accepted Solution

by:
Islandr earned 0 total points
ID: 35147772
0
 
LVL 57

Expert Comment

by:giltjr
ID: 35147911
If that is what you want to do, fine, but it seems a bit unusual to me to spend over a week creating a script to do something that:

You could have spent 30 minutes doing with one configuration option, a couple of ACLs on the ASA box, and using a Linux box as a syslog server.

Does NOT guarantee that you will actually save off all syslog messages, since you have stated that they are getting full.

I would suggest that you really go back and look at using syslog.
0

Author Comment

by:Islandr
ID: 35149943
giltjr,

Could you assist me with this? Besides the script, my company wants a syslog server. I have a Debian server for this; what would be the right path for me to configure a syslog server on Debian, and how do I configure the ASA for a syslog server?

Thanks,
0
 
LVL 57

Expert Comment

by:giltjr
ID: 35150196
Here is a doc on how to get PIX/ASA V7.x to do syslog:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

If you are running V8, let me know and I will look

You can easily configure the ASA to use a syslog server; you can issue the commands:

logging "interface" host 10.10.10.10
logging trap "severity_level"
logging facility "number"

"interface" is the name of the interface that this traffic needs to flow over. Normally this would be "inside", but you could have named your "inside" interface something else.

The "severity_level" and "number" define what level of messages you want to log. The list of valid levels and numbers is:

0 = emergencies
1 = alerts
2 = critical
3 = error
4 = warning
5 = notification
6 = informational
7 = debugging


You also need an ACL in your access list that looks something like:

access-list 101 permit udp host 10.10.10.100 host 10.10.10.10 eq 514

Where 10.10.10.100 is your ASA's IP address and 10.10.10.10 is the IP address of your syslog server.

Debian should already have a syslog server running, but you may want your ASA stuff to go to a different log. You can add:

local4.*                        /var/log/pix.log

to your syslogd.conf file and this should do it. You can review most of this stuff at:

http://wiki.linuxservertech.com/index.php/PIX_501_Logging_to_Syslog_Server

Although it says PIX 501, it's the same basic stuff for ASA.

You can also read up at:

http://www.sans.org/reading_room/whitepapers/logging/cisco-pix-log-analysis-university-setting_32849

0
 

Author Comment

by:Islandr
ID: 35150291
Alright, I am going to test this; I will keep you posted.

Thanks,
0
 

Author Comment

by:Islandr
ID: 35160966
giltjr,

I followed your instructions above and combined them with the one below. The reason is that I need a UI to see the logs and the activity, and Splunk has a free feature that will allow me to do that.

http://www.syslog.org/wiki/uploads/Syslog-ng/syslogng-and-splunk.pdf

But I am getting an error on the line below:

local4.*                        /var/log/pix.log

I am already using Syslog-NG, not syslogd, so could you lead me from here please?

Thanks,
0
 
LVL 77

Expert Comment

by:arnold
ID: 35161242
The white space between local4.* and /var/log/pix.log should be tabs and not spaces.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 35161657
Well, you can use any utility (vi) to see the logs.

Now, Splunk does offer indexing. The free version will index up to 500MB of log data a day; if you have more than that you need to get a license.

I have not used Syslog-NG, but after a quick search it seems to use different configuration options, so you don't use:

local4.*                        /var/log/pix.log

You need to use what the link you followed shows you.
0
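For the syslog-ng case discussed above, here is an added example of the syslog-ng equivalent of the `local4.* /var/log/pix.log` line (it is not from the thread or the linked PDF). It assumes the ASA is left at its default syslog facility 20, which maps to local4, that the ASA's address is the 10.10.10.100 used earlier in the thread, and that syslog-ng 3.x syntax is in use.

```conf
# Listen for the ASA on UDP 514, the port the ACL on the ASA permits.
source s_asa {
    udp(ip(0.0.0.0) port(514));
};

# Keep only messages that really come from the ASA (assumed address 10.10.10.100)
# and that use its default facility 20 = local4.
filter f_asa {
    netmask("10.10.10.100/32") and facility(local4);
};

# Same destination file giltjr used for syslogd.
destination d_asa {
    file("/var/log/pix.log");
};

log {
    source(s_asa);
    filter(f_asa);
    destination(d_asa);
};
```

Drop the filter into /etc/syslog-ng/syslog-ng.conf (or a file under conf.d if the Debian package includes it), then restart syslog-ng and watch /var/log/pix.log rather than /var/log/syslog.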
 

Author Comment

by:Islandr
ID: 35162288
giltjr,

Alright, my next question is how to add the logs that I am capturing from the ASA device to my syslog-ng (which I think is being captured) and how to add them to Splunk.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 35165537
Well, you have 3 options:

1) Have the ASA send to syslog-ng only and have syslog-ng forward to Splunk.
2) Have the ASA send to Splunk only.
3) Have the ASA send to both syslog-ng and Splunk.

Unless there is a reason to send to syslog-ng, I would just forward to Splunk. I have not set up Splunk; we have it, but I am just an "end-user". All I did on the networking devices was forward to the server that Splunk is running on, and it is running as the syslog server on that box.

0
 

Author Comment

by:Islandr
ID: 35166069
The reason is that they do not want to spend the money on Splunk, but it has a free feature with which you can see the logs. I just followed the steps in the document and it worked at some point; however, I am able to add the FIFO and files, but I cannot see anything yet.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 35166882
Like I said, for up to 500 MB a day it's free.

In fact, it will collect as much log data as you can send it in the free version. What it will stop doing after 500MB is the indexing.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 35167020
I would say that if you were offloading the ASA log only twice a day, then either you have a LOT less than 500MB of information a day or you were missing a lot of information. I don't think that the buffer on the ASA box can hold that much data.
0
 

Author Comment

by:Islandr
ID: 35167256
giltjr,

I completed the commands stated above on the ASA:

logging host inside xxx.xxx.xxx.xxx
logging trap informational
logging facility

and then I created the access list, which is:

access-list inside-out permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 514

My next question is: should I create a logging trap for every "severity_level"?
For example, I already have informational; should I just do

logging trap critical

without typing the

logging host inside xxx.xxx.xxx.xxx
logging facility

Right now I am getting the logs from the ASA. The problem with Splunk was that I created some directories and told Splunk to look in there, but then I went to /var/log/syslog and that's where everything went.

But now I am just seeing logs from this morning, not in real time.

Any thoughts?


0
 
LVL 57

Expert Comment

by:giltjr
ID: 35167425
No, don't create a logging trap for every level. The logging level includes everything "below" it, where 0 is the lowest and 7 is the highest.

So if you include:

     logging trap critical

You get critical, alerts, and emergency.  If you do:

     logging trap informational

You get emergencies, alerts, critical, error, warning, notification, and informational.  It could be close to real time.  There may be some delay, but not a lot.
0
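To make the severity rule above concrete, here is an added Perl example (not from the thread) that parses the %ASA-<severity>-<message id> tag that a syslog server writes for each ASA message and emulates "logging trap <level>": a message is kept when its severity number is at or below the trap level. The log lines are constructed samples, and the message ids and addresses in them are illustrative only.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# ASA severity names in numeric order: 0 = emergencies ... 7 = debugging.
my @LEVELS   = qw(emergencies alerts critical errors warnings notifications informational debugging);
my %LEVEL_OF = map { $LEVELS[$_] => $_ } 0 .. $#LEVELS;

# Constructed sample lines in the shape a syslog server writes ASA messages.
my @sample = (
    'Mar 30 08:01:12 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/443 to inside:192.0.2.10/51234',
    'Mar 30 08:01:13 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.77/4444 dst inside:192.0.2.10/22 by access-group "outside_in"',
    'Mar 30 08:01:20 fw01 %ASA-2-106001: Inbound TCP connection denied from 203.0.113.77/5555 to 192.0.2.10/445 flags SYN on interface outside',
    'Mar 30 08:01:25 fw01 %ASA-7-609001: Built local-host inside:192.0.2.10',
    'Mar 30 08:01:30 fw01 not an ASA message at all',
);

# Parse one line: returns (severity, message id, text), or an empty list if it is not an ASA message.
sub parse_asa {
    my ($line) = @_;
    return unless $line =~ /%ASA-(\d)-(\d{6}):\s*(.*)$/;
    return ($1, $2, $3);
}

# Emulate "logging trap <level>": keep messages whose severity number is <= the trap level.
sub at_or_below {
    my ($trap_name, @lines) = @_;
    my $max = $LEVEL_OF{$trap_name};
    die "unknown severity level '$trap_name'\n" unless defined $max;
    my @kept;
    for my $line (@lines) {
        my ($sev, $id, $text) = parse_asa($line) or next;   # skip non-ASA lines
        push @kept, { sev => $sev, id => $id, text => $text } if $sev <= $max;
    }
    return @kept;
}

# "logging trap critical" keeps levels 0-2; "logging trap informational" keeps 0-6 (debugging is dropped).
for my $trap (qw(critical informational)) {
    my @kept = at_or_below($trap, @sample);
    printf "logging trap %-13s -> %d of %d sample lines kept\n", $trap, scalar @kept, scalar @sample;
    printf "  %s-%s (%s) %s\n", $_->{sev}, $_->{id}, $LEVELS[ $_->{sev} ], $_->{text} for @kept;
}
```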
 

Author Closing Comment

by:Islandr
ID: 35178759
Question answered in the link posted.
0
