nanog mailing list archives

RE: ASA log viewer

From: Joe Happe <Joe.Happe () archlearning com>
Date: Sun, 20 Nov 2011 12:42:42 +0000

Completely agree with splunk for log searching / analysis, even has some ASA/PIX modules.  Please note, unless 
something has changed that I completely missed, an ASA/PIX will stop forwarding user traffic if it is configured for 
tcp syslogs and the connection breaks.  (no more disk, network issue, etc) This is based on the premise that a system 
cannot be considered secure if the audit trail is unavailable, and tcp syslogging(vs udp) is usually used to make sure 
you don't miss an entry due to a dropped packet.  Something that dates back to the old C2 security standard??(not sure 
of the current version).   Typically this requires admin intervention (by design) to clear the condition.   If you use 
udp for syslog the ASA won't be in this mode, and you won't block traffic if syslog fails.  With that said, there may 
be a command I'm unaware of that allows a tcp syslog to fail and not block traffic.  

~jdh

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder () Opus1 COM] 
Sent: Sunday, November 20, 2011 12:11 AM
To: nanog () nanog org
Subject: Re: ASA log viewer

I'd like to fully search on an 'column', a la 'ladder logic' style.,  >as well as have the data presented in an 
orderly well-defined fashion.


Yes, Splunk.

See:
http://www.networkworld.com/reviews/2011/092611-splunk-test-250836.html

for a recent Network World test of Splunk which may help.

jms


--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms () Opus1 COM                http://www.opus1.com/jms

______________________________________________________________________________________________________

The information contained in this electronic message and any attachments is confidential, 
is for the sole use of the intended recipient(s) and may contain privileged information. 
Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the 
intended recipient, you must not read, use or disseminate the information, and should immediately 
contact the sender by reply email and destroy all copies of the original message.

Current thread:

Re: ASA log viewer, (continued)
- Re: ASA log viewer Jay Ashworth (Nov 19)
  - Re: ASA log viewer Duane Toler (Nov 19)
    - Re: ASA log viewer Jonathan Lassoff (Nov 19)
- Re: ASA log viewer Mike Lyon (Nov 19)
  - Re: ASA log viewer Beavis (Nov 19)
- Re: ASA log viewer Jonathan Lassoff (Nov 19)
  - Re: ASA log viewer Duane Toler (Nov 19)
    - Re: ASA log viewer Jonathan Lassoff (Nov 19)
    - Re: ASA log viewer Duane Toler (Nov 19)
- Re: ASA log viewer Joel M Snyder (Nov 19)
  - RE: ASA log viewer Joe Happe (Nov 20)
    - RE: ASA log viewer jjanusze () wd-tek com (Nov 20)
    - Re: ASA log viewer Duane Toler (Nov 20)
    - Message not available
    - Re: ASA log viewer Duane Toler (Nov 20)
    - Re: ASA log viewer Jimmy Hess (Nov 20)
    - Re: ASA log viewer PC (Nov 20)
    - Re: ASA log viewer Duane Toler (Nov 21)