nanog mailing list archives

Re: ASA log viewer


From: Duane Toler <detoler () gmail com>
Date: Sat, 19 Nov 2011 21:20:12 -0500

On Nov 19, 2011, at 9:05 PM, Jonathan Lassoff <jof () thejof com> wrote:

> Ah, this totally makes sense now. I can see why you'd want to use features
> that are already on your ASAs. Sounds like a bug to me, though.
> I wonder what Cisco calls syslog-tls though. Syslog-like packet bodies,
> over a TLS-wrapped TCP socket?
>
> Sorry to hear it's been so unreliable -- I guess that's why I'm biased
> towards just running generic PCs and open source software for this kind of
> stuff; when bugs happen, you're actually empowered to debug and fix
> problems.


Yep, all of our other gear is Linux for that reason (plus Mac OS on the
desktop so things "just work").

Cisco called the syslog-TLS stuff just "syslog" plus a "secure" parameter,
and port 1470 by default. ASDM had a fairly helpful interface to get it
configured.  I think it requires the K9 image or whatever it's called to
get the option.


> This does indeed sound like a good application for splunk. They have ways
> of defining custom logging formats that will parse out simple column and
> message types so that you can construct queries based on that information.
>
> There's some more information here in Splunk's docs on custom field
> extraction:
> http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions
>
> Cheers,
> jof


Sounds promising!  Thanks again!

Sent from my iPad
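The field extraction Jonathan points at is, at bottom, a set of regular expressions applied to each ASA syslog line: one for the common envelope (PRI, timestamp, hostname, `%ASA-<severity>-<message-id>:`) and one per message ID for the interesting fields. The following is an added example, not code from either poster nor from Cisco or Splunk, showing that approach in plain Python so a minimal "ASA log viewer" can be built and checked offline. The sample log lines are constructed for the example, the message-ID-specific patterns only cover 302013 (connection built) and 106023 (ACL deny), and `fw01` and the addresses are made-up values.

```python
import re
from collections import Counter
from typing import Optional

# Envelope shared by every ASA syslog line: optional <PRI>, optional timestamp
# and hostname, then %ASA-<sev>-<msgid>: <free text>.
ENVELOPE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<host>[\w.-]+) : )?"
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# 302013: "Built {inbound|outbound} TCP connection N for IF:IP/PORT (MAPPED)
# to IF:IP/PORT (MAPPED)". The two endpoints are named a_* and b_* because
# which one is the initiator depends on the direction.
CONN_RE = re.compile(
    r"^Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection "
    r"(?P<conn_id>\d+) for (?P<a_if>[\w-]+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) "
    r"\([\d.]+/\d+\) to (?P<b_if>[\w-]+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"\([\d.]+/\d+\)"
)

# 106023: "Deny PROTO src IF:IP/PORT dst IF:IP/PORT by access-group "NAME" ..."
DENY_RE = re.compile(
    r"^Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"by access-group \"(?P<acl>[^\"]+)\""
)

# Per-message-ID detail extractors; IDs without an entry keep only the envelope.
DETAIL_RE = {"302013": CONN_RE, "106023": DENY_RE}

# Constructed sample input (hostname and addresses are made up; the last line
# is deliberately not an ASA message to exercise the reject path).
SAMPLE_LOGS = """\
<166>Nov 19 2011 21:20:12 fw01 : %ASA-6-302013: Built outbound TCP connection 1441 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.10/51234 (198.51.100.2/51234)
<164>Nov 19 2011 21:20:13 fw01 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/44321 dst inside:192.168.1.20/22 by access-group "outside_in" [0x0, 0x0]
<164>Nov 19 2011 21:20:14 fw01 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/44322 dst inside:192.168.1.20/3389 by access-group "outside_in" [0x0, 0x0]
<166>Nov 19 2011 21:20:15 fw01 : %ASA-6-302014: Teardown TCP connection 1441 for outside:203.0.113.5/443 to inside:192.168.1.10/51234 duration 0:00:03 bytes 5120 TCP FINs
this line is not an ASA message
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a record for one ASA syslog line, or None if it is not one."""
    m = ENVELOPE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "severity": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "text": m.group("text"),
        "facility": None,
        "detail": None,
    }
    if m.group("pri") is not None:
        # RFC 3164 PRI = facility * 8 + severity; the severity inside %ASA-x
        # is normally the same value, so this is a cheap consistency check.
        rec["facility"] = int(m.group("pri")) // 8
    detail_re = DETAIL_RE.get(rec["msgid"])
    if detail_re:
        d = detail_re.match(rec["text"])
        rec["detail"] = d.groupdict() if d else None
    return rec


def parse_log(text: str) -> list:
    """Parse every line, silently dropping anything that is not an ASA message."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def deny_counts(records: list) -> dict:
    """Count ACL denies (106023) per source IP, a typical first 'viewer' query."""
    c = Counter(r["detail"]["src_ip"] for r in records
                if r["msgid"] == "106023" and r["detail"])
    return dict(c)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOGS)
    for r in recs:
        print(r["timestamp"], r["msgid"], "sev", r["severity"], r["detail"] or r["text"])
    print("denies per source:", deny_counts(recs))
```

Each message ID gets its own pattern, exactly as a Splunk field extraction would be scoped to a sourcetype and message ID; unknown IDs still yield the envelope fields so nothing is lost, and a line that does not fit the envelope is rejected rather than half-parsed.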
