Solved

Perl Script Cisco ASA Logs

Posted on 2011-02-22
1,639 Views
Last Modified: 2012-05-11
Hi there,

I am currently looking for a perl script which could be run from a Linux machine, that connects to a Cisco ASA 5520 and saves the security logs into a Windows share, and finally that runs twice a day using the crontab feature.

I am planning to run the script from a Debian Lenny server.
Question by:Islandr
30 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
Isn't it easier to run a syslog server and let the ASA send the logs to that server (where they can be saved)?
 
LVL 76

Expert Comment

by:arnold
Agree with erniebeek.
Another option might be to use SNMP to poll the ASA.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

If your Linux system has iptables running, you need to allow UDP port 514 in.

 
LVL 76

Expert Comment

by:arnold
Oh, if you insist on using perl, there is a Net::Telnet::Cisco module which might provide the interface functions, or you can use a socket to establish the connection and then exchange commands.
 

Author Comment

by:Islandr
Arnold,

I know that part, and I would like to use perl for this. I would like to know if there is a script for this, or any other Linux-based script in another language if it is not possible using perl.
 
LVL 76

Expert Comment

by:arnold
Which part in perl are you looking for?
Are you looking for parsing the syslog, or the file to which the syslog process writes the data reported by the ASA, or are you looking for a perl script that will connect to the ASA, execute commands to show log entries, and then perform the tasks you want?
You could also configure the ASA to generate SNMP traps for events of interest to you, where you would not need to crunch the log to determine if a particular event occurred, given that the SNMP trap, when sent, means that the event has occurred.
 

Author Comment

by:Islandr
Arnold,

I am looking for a script which connects to the ASA, executes the commands (security logs) and dumps the security logs into a share. The script should be scheduled to run twice a day (this is because of company policy); I can accomplish that by using crontab in Linux.
 
LVL 76

Expert Comment

by:arnold
http://nettelnetcisco.sourceforge.net/docs.html
http://search.cpan.org/~joshua/Net-Telnet-Cisco-1.10/Cisco.pm

perl -MCPAN -e 'install Net::Telnet::Cisco'

There are examples for show version; in your case you will run the 'security logs' command and then process the response line by line.
 

Author Comment

by:Islandr
Folks,

After testing and configuring my Linux server, I followed your directions and this is what I came up with as a test:

#!/usr/bin/perl
use strict;
use warnings;
use Net::SSH::Perl;

my $host          = "xxx.xxx.xxx.xxx";
my $username      = "admin";
my $login_passwd  = "password";
my $enable_passwd = "pass";

# protocol => 2 forces SSH-2; Net::SSH::Perl tries SSH-1 first by default, and that
# negotiation path is where "Selected cipher type not supported by server" comes from
my $session = Net::SSH::Perl->new($host, protocol => 2);
$session->login($username, $login_passwd);
# $session->cmd("enable $enable_passwd");   # enable prompts interactively, so cmd() alone will not do it

# in list context cmd() returns the command's stdout, stderr and exit status
my ($stdout, $stderr, $exit) = $session->cmd("show version");
# a top-level "return @output" is an error outside a subroutine, so print the result instead;
# the SSH connection is closed when $session goes out of scope
print $stdout;

After running the script, I got the error message below. Remember, I am at least trying to connect and run a simple command to see if it works, and then run the Cisco commands that I would really like to run.

Please let me know what I am doing wrong.


Selected cipher type  not supported by server. at ./script.pl line 14

 

Author Comment

by:Islandr
Thanks,
 
LVL 57

Expert Comment

by:giltjr
Well, that might be company policy, but you should think about it.

What if your ASA's log only holds an hour's worth of data?

What if your ASA's log holds 3 days' worth of data?

You may want to think about what the intent of the policy is, not exactly what it states.

I am sure the intent is to keep a copy of the log, in which case set up a syslog server and have the ASA send everything to it.

You can get Kiwi for free from Solarwinds.
 
LVL 2

Expert Comment

by:mwblsz
Well, a perl script is used to poll some status info from the ASA using SNMP, like interface speed, bandwidth use, ARP table and so on. If you want to collect the log, all you have to do is set up a logging server; almost all popular logging server software supports Cisco stuff, so you just need to configure the logging server accordingly and enable logging on the ASA (something like logging server x.x.x.x), and you are all set. It is that simple.

sincerely
 
LVL 28

Expert Comment

by:mikebernhardt
I wonder if you're actually logged into the device properly. "Selected cipher type not supported" sounds like your SSH session has not initiated properly.

I once worked out how to print the output of each line of $session so that I could see what was happening, but I can't remember how. It might be something like
print ($session -> login($username, $login_passwd));
print (@output = $session->cmd("show version"));

but it might not...
 

Accepted Solution

by:
Islandr earned 0 total points
 
LVL 57

Expert Comment

by:giltjr
If that is what you want to do, fine, but it seems a bit unusual to me to spend over a week creating a script to do something that:

You could have spent 30 minutes doing with one configuration option and a couple of ACLs on the ASA box, using a Linux box as a syslog server.

Does NOT guarantee that you will actually save off all syslog messages, since you have stated that they are getting full.

I would suggest that you really go back and look at using syslog.
 

Author Comment

by:Islandr
giltjr,

Could you assist me with this? Besides the script, my company wants a syslog server. I have a Debian server for this; what would be the right path for me to configure a syslog server on Debian, and how do I configure the ASA for a syslog server?

Thanks,
 
LVL 57

Expert Comment

by:giltjr
Here is doc on how to get PIX/ASA V7.x to do syslog:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

If you are running V8, let me know and I will look

You can easily configure the ASA to use a syslog server; you can issue the commands:

logging host "interface" 10.10.10.10
logging trap "severity_level"
logging facility "number"

"interface" is the name of the interface that this traffic needs to flow over.  Normally this would be "inside", but you could have named your "inside" interface something else.

The "severity_level" and "number" define what level of messages you want to log.  The list of valid levels and numbers is:

0 = emergencies
1 = alerts
2 = critical
3 = error
4 = warning
5 = notification
6 = informational
7 = debugging


You also need an ACL in your access list that looks something like:

access-list 101 permit udp host 10.10.10.100 host 10.10.10.10 eq 514

Where 10.10.10.100 is your ASA's IP address and 10.10.10.10 is the IP address of your syslog server.

Debian should already have a syslog server running, but you may want your ASA stuff to go to a different log.  You can add:

local4.*	/var/log/pix.log

to your syslogd.conf file and this should do it.  You can review most of this stuff at:

http://wiki.linuxservertech.com/index.php/PIX_501_Logging_to_Syslog_Server

Although it says PIX 501, it's the same basic stuff for ASA.

You can also read up at:

http://www.sans.org/reading_room/whitepapers/logging/cisco-pix-log-analysis-university-setting_32849

 

Author Comment

by:Islandr
Alright, I am going to test this; I will keep you posted.

thanks,
 

Author Comment

by:Islandr
giltjr,

I followed your instructions above and combined them with the one below; the reason is that I need a UI to see the logs and the activity, and Splunk has a free feature that will allow me to do that.

http://www.syslog.org/wiki/uploads/Syslog-ng/syslogng-and-splunk.pdf

But I am getting an error on the line below:

local4.*                        /var/log/pix.log

I am using syslog-ng already, not syslogd, so could you lead me from here please?

Thanks,
 
LVL 76

Expert Comment

by:arnold
The white space between local4.* and /var/log/pix.log should be tabs and not spaces.
 
LVL 57

Expert Comment

by:giltjr
Well, you can use any utility (vi) to see the logs.

Now, Splunk does offer indexing.  The free version will index up to 500MB of log data a day; if you have more than that you need to get a license.

I have not used syslog-ng, but after a quick search it seems to use different configuration options, so you don't use:

     local4.*                        /var/log/pix.log

You need to use what the link you followed shows you.
 

Author Comment

by:Islandr
giltjr,

Alright, my next question is how to add the logs that I am capturing from the ASA device to my syslog-ng, which I think is capturing them, and how to add them to Splunk.
 
LVL 57

Expert Comment

by:giltjr
Well, you have 3 options:

1) Have the ASA send to syslog-ng only and have syslog-ng forward to Splunk.
2) Have the ASA send to Splunk only.
3) Have the ASA send to syslog-ng and Splunk.

Unless there is a reason to send to syslog-ng, I would just forward to Splunk.  I have not set up Splunk; we have it, but I am just an "end-user".  All I did on the networking devices is forward to the server that Splunk is running on, and it is running as the syslog server on that box.

0
 

Author Comment

by:Islandr
The reason is that they do not want to spend the money on Splunk, but it has a free feature, which is that you can see the logs. I just followed the steps in the document and it worked at some point; however, I am able to add the fifo and files, but I cannot see anything yet.
 
LVL 57

Expert Comment

by:giltjr
Like I said, for up to 500 MB a day it's free.

In fact it will collect as much log data as you can send it in the free version.  What it will stop doing after 500MB is the indexing.
 
LVL 57

Expert Comment

by:giltjr
I would say that if you were offloading the ASA log only twice a day, then either you have a LOT less than 500MB of information a day or you were missing a lot of information.  I don't think that the buffer on the ASA box can hold that much data.
 

Author Comment

by:Islandr
giltjr,

I completed the commands stated above on the ASA:

logging host inside xxx.xxx.xxx.xxx
logging trap informational
logging facility

and then I created the access list, which is:
access-list inside-out permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 514

My next question is: should I create a logging trap for every "severity_level"? For example, I already have informational; should I do just
logging trap critical
without typing the
logging host inside xxx.xxx.xxx.xxx
logging facility

Right now I am getting the logs from the ASA. The problem with Splunk was that I created some directories and told Splunk to look in there, but then I went to /var/log/syslog and that's where everything went.

But now I am just seeing logs from this morning, not in real time.

Any thoughts?


 
LVL 57

Expert Comment

by:giltjr
No, don't create a logging trap for every level.  The logging level includes everything "below" it, where 0 is the lowest and 7 is the highest.

So if you include:

     logging trap critical

You get critical, alerts, and emergency.  If you do:

     logging trap informational

You get emergencies, alerts, critical, error, warning, notification, and informational.  It could be close to real time.  There may be some delay, but not a lot.
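As an added example (not code from this thread or from Cisco), here is a small Python parser for the ASA syslog lines that giltjr's configuration above produces, covering both the facility/severity setup and the trap-level explanation: it decodes the RFC 3164 PRI into facility and severity (local4 is facility 20, matching the syslogd.conf line), checks the %ASA-<severity>-<message id> header, and filters the way "logging trap <level>" does, so you can see which messages a given trap level would forward. The sample lines are constructed, not captured from a real device.

```python
import re

# ASA severity levels as listed in the thread (0 = most severe, 7 = least)
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}
LOCAL4 = 20  # syslog facility number for local4 (local0 is 16), the facility used in the thread

# RFC 3164 "<PRI>" prefix, optional ASA timestamp, then the ASA header "%ASA-<severity>-<message id>:"
ASA_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[^%]*)%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")

def parse_asa_line(line):
    """Parse one ASA syslog payload; return None for lines that are not ASA messages."""
    m = ASA_LINE.match(line)
    if m is None:
        return None
    facility, pri_sev = divmod(int(m.group("pri")), 8)  # PRI = facility * 8 + severity
    sev = int(m.group("sev"))
    return {"facility": facility, "severity": sev, "severity_name": SEVERITY_NAMES[sev],
            "pri_matches_header": pri_sev == sev,   # sanity check: PRI and %ASA-n agree
            "msgid": m.group("msgid"), "text": m.group("text")}

def would_be_sent(severity, trap_level):
    """'logging trap <level>' forwards every message whose severity number is <= level."""
    return severity <= trap_level

def filter_asa(lines, trap_level, facility=LOCAL4):
    """Keep the ASA messages a given 'logging trap' level and 'logging facility' would forward."""
    kept = []
    for line in lines:
        rec = parse_asa_line(line)
        if rec and rec["facility"] == facility and would_be_sent(rec["severity"], trap_level):
            kept.append(rec)
    return kept

# Constructed sample payloads (not captured from a real device; addresses are documentation ranges)
SAMPLE_LINES = [
    "<162>%ASA-2-106001: Inbound TCP connection denied from 192.0.2.10/4444 to 198.51.100.5/23 flags SYN on interface outside",
    "<166>Feb 22 2011 10:00:00: %ASA-6-302013: Built inbound TCP connection 1234 for outside:192.0.2.10/51000 (192.0.2.10/51000) to inside:10.10.10.50/22 (198.51.100.5/22)",
    "<165>%ASA-5-111008: User 'admin' executed the 'logging trap informational' command.",
    "<167>%ASA-7-609001: Built local-host inside:10.10.10.50",
    "<13>Feb 22 10:00:00 debian cron[1234]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for rec in filter_asa(SAMPLE_LINES, trap_level=6):
        print(rec["severity_name"], rec["msgid"], rec["text"][:40])
```

With trap_level=6 the debugging-level 609001 line and the non-ASA cron line are dropped; with trap_level=2 only the critical 106001 denial remains.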
 

Author Closing Comment

by:Islandr
Question answered in the link posted.