Archive for September, 2010

17 September, 2010

Altering [Custom] Syslogs on a Cisco ASA 5550

by gorthx

Since last time, I’ve made a couple of additions to my event list, and my custom logging filter now looks like this:

vpn# sh run | include logg
logging enable
logging timestamp
logging list gabs_test level notifications
logging list gabs_test message 713228
logging list gabs_test message 113006
logging list gabs_test message 302010
logging list gabs_test message 113005
logging trap gabs_test
logging asdm informational
logging facility 22
logging host internal [ip]

I’d also like to capture the user’s client, which is specified in this message:
%ASA-6-713184: Group = [group], Username = [user], IP = [internal_ip], Client Type: Linux Client Application Version: whatever

The ASA won’t let me edit an event list while a destination is using it, so I have to detach the filter anyway while I add the new message; I’ll just re-write the event list with the messages in numerical order.* I’m also going to do this from the command line, because it is so much faster than going through the ASDM GUI:
vpn# config t
vpn(config)# ! the ASA won't let us edit a list that is in use, so point the
vpn(config)# ! trap destination back at plain 'notifications' while we work
vpn(config)# ! (the extra message IDs are not logged until the list is re-applied)
vpn(config)# logging trap notifications
vpn(config)# ! remove the logging filter entirely
vpn(config)# no logging list gabs_test
vpn(config)# ! re-create filter with additional messages
vpn(config)# logging list gabs_test level notifications
vpn(config)# logging list gabs_test message 113005
vpn(config)# logging list gabs_test message 113006
vpn(config)# logging list gabs_test message 302010
vpn(config)# logging list gabs_test message 713184
vpn(config)# logging list gabs_test message 713228
vpn(config)# ! re-enable the filter
vpn(config)# logging trap gabs_test
vpn(config)# exit

Check that it looks right with ‘sh run | include logg’, then save it with ‘write memory’ (or ‘copy run start’).


*Neatness counts, people!

3 September, 2010

Configuring [Custom] Syslogs on a Cisco ASA 5550

by gorthx

Configuring logging on a Cisco ASA 5550 isn’t too tricky, but I found the docs lacking in examples, so figured I’d post mine.

Using the Cisco ASDM, the parameters you need to modify are in the Configuration -> Device Management -> Logging hierarchy. (I’m sorry there aren’t any pictures to go with this; hopefully you can follow along via the breadcrumbs in the ASDM.)

1. First, enable logging:
Configuration -> Device Management -> Logging -> Logging Setup
Make sure the “Enable Logging” box is checked.

2. Specify parameters for the destination server:
Configuration -> Device Management -> Logging -> Syslog Servers
Click “Add”.
Select the source interface (probably “internal”).
Enter the IP address of the server.
Select an appropriate protocol & port (UDP and 514 are the defaults). One caveat if you pick TCP: by default the ASA stops admitting new connections through the box when it cannot reach a TCP syslog server, unless you also turn on “Allow user traffic to pass when TCP syslog server is down” (logging permit-hostdown on the CLI).

3. Configure your logging facility:
Configuration -> Device Management -> Logging -> Syslog Setup
Choose your facility (LOCAL0 through LOCAL7; the CLI numbers these 16 through 23, so LOCAL6 is facility 22). Because I have one central server that handles all my logging, I usually set this to something special to allow me to split out the messages into different log files. (This is a configuration parameter in /etc/syslog.conf and is covered in another post.)

4. Configure the severity level you want to log:
Configuration -> Device Management -> Logging -> Logging Filters
Select “Syslog Servers” and click “Edit”.
Filter on Server -> Notifications (logging level 5; you’ll get every message from Emergency (0) through Notification (5), inclusive.)

Verify that you are receiving messages on the syslog server. You can stop here if this is all you want.

We, however, decided that we wanted to include this message:
%ASA-6-713228: Group = [group], Username = [user], IP = [external_ip], Assigned private IP address [internal_ip] to remote user
…but it is an “informational” message (note the “6” in the second field of %ASA-6-713228). So we tried raising our logging level to Informational, and were promptly overwhelmed with a lot of other stuff we didn’t want to read. (Informational level is chatty.) What we really want is to log at the Notification level, but also include messages with ID 713228.

Tip: don’t rely on the syslog message reference (or on this post, for that matter) to tell you which messages you might want to log – look at your own logs. The message texts in the logs won’t necessarily match those in the docs.

There are a couple of ways to configure custom logging of this type:

1. Simplest:
Configuration -> Device Management -> Logging -> Syslog Setup
Find the message ID (713228 in our case) in the “Syslog ID Setup” window.
Select the message ID, click “Edit” and change the level to “Notifications”.
Click “OK” to finish.

Apply and save your changes.

Here’s what Option #1 looks like from the cli:
vpn# sh run | include logging
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging facility 22
logging host internal [ip]
logging message 713228 level notifications

(Logging facility 22 corresponds to local6: the ASA numbers local0 through local7 as 16 through 23. See http://en.wikipedia.org/wiki/Syslog)

OR

2. More complex:
Configuration -> Device Management -> Logging -> Event Lists
Click “Add”.
Give it a name (no spaces), e.g. gabs_test.

Configure the base event class and/or severity:
Under “Event Class/Severity Filters”, click “Add”.
Leave “Event Class” set to “All”*; select “Notifications” under “Severity”; click “OK”.

*The first three digits of the message ID identify the message class (the logging chapter of the ASA configuration guide has a table mapping classes to ID prefixes), but I was unable to find it when I wrote this. That doesn’t matter here because we want all Notifications, regardless of event class.

Then add the additional specific message ID we’re interested in:
Under “Message ID Filters”, click “Add”, then enter the message ID (again, 713228); click “OK”.

Click “OK” one more time to save your new Event List.

Now apply the Event List you just created to the appropriate destination (syslogs, in our case):
Configuration -> Device Management -> Logging -> Logging Filters
Select “Syslog Servers” and click “Edit”.
Check the “Use Event List” button, select your list, and click “OK”. Notice that the event list now appears in the “All Event Classes” field.

Apply and save your changes.

Here’s what Option #2 looks like from the cli:
vpn# sh run | include logging
logging enable
logging timestamp
logging list gabs_test level notifications
logging list gabs_test message 713228
logging trap gabs_test
logging asdm informational
logging facility 22
logging host internal [ip]

Why would you select one method over the other? Method #1 is certainly easier, but it does require you to remember that you’ve altered the default behavior: the only trace of it is a single “logging message 713228 level notifications” line in the config. Method #2 is a bit more complicated to set up, but it’s more obvious that you’re doing something special because the “Event list” keyword shows up in the Logging Filters page, so that’s the method I ultimately chose.
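To make the two options concrete, here is an added example that is not code from the original post: a small Python parser that reads ASA syslog datagrams as they arrive on the collector, decodes the PRI header into facility and severity (so facility 22 shows up as local6, matching the note above), pulls the Group/Username/IP fields plus the assigned address out of 713228 and the client type out of 713184 (the message the 17 September post above adds to the list), and reproduces both filtering options: the event list (Method #2, severity filter OR explicit IDs) and the re-levelled message (Method #1). The sample lines are constructed to match the message formats quoted on the page and are not real captures; the extra message IDs 111008 and 302013 and their severities are from my own reading of the ASA message reference rather than from this page, so check them against your own logs, as the tip above says.

```python
"""Parse Cisco ASA syslog lines and reproduce the page's two filtering options.

Added example, not code from the original post. SAMPLE_LINES are constructed
to match the message formats quoted on the page; they are not real captures.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NOTIFICATIONS = 5   # ASA severities: 0 emergencies ... 5 notifications, 6 informational, 7 debugging

# Optional "<PRI>" header, then whatever timestamp/hostname prefix the box adds,
# then "%ASA-<sev>-<id>: body".  Lines copied from 'show logging' have no PRI.
_ASA_RE = re.compile(r"^(?:<(?P<pri>\d{1,3})>)?.*?%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# "Key = value" pairs separated by commas, as in the 713228 / 713184 bodies.
_KV_RE = re.compile(r"(?P<key>[A-Za-z_ ]+?)\s*=\s*(?P<val>[^,]+)")
_ASSIGNED_RE = re.compile(r"Assigned private IP address (\S+) to remote user")
_CLIENT_RE = re.compile(r"Client Type:\s*(.+?)\s+Client Application Version:\s*(.+)$")


@dataclass
class AsaMessage:
    facility: Optional[int]     # decoded from PRI; the ASA numbers local0..local7 as 16..23
    severity: int               # from PRI when present, cross-checked against the %ASA-<sev> field
    msgid: int
    body: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def facility_name(self) -> str:
        """facility 22 -> 'local6', which is what a syslog.conf selector matches on."""
        if self.facility is None:
            return "unknown"
        if 16 <= self.facility <= 23:
            return f"local{self.facility - 16}"
        return f"facility{self.facility}"


def parse_asa_line(line: str) -> AsaMessage:
    m = _ASA_RE.match(line)
    if m is None:
        raise ValueError(f"not an ASA syslog line: {line!r}")
    if m["pri"] is None:
        facility, severity = None, int(m["sev"])
    else:
        pri = int(m["pri"])
        facility, severity = pri >> 3, pri & 7          # PRI = facility * 8 + severity
        if severity != int(m["sev"]):
            raise ValueError(f"PRI severity {severity} disagrees with %ASA-{m['sev']}")
    body = m["body"]
    fields = {k.strip(): v.strip() for k, v in _KV_RE.findall(body)}
    assigned = _ASSIGNED_RE.search(body)
    if assigned:
        fields["Assigned IP"] = assigned.group(1)
    client = _CLIENT_RE.search(body)
    if client:
        fields["Client Type"], fields["Client Version"] = client.group(1), client.group(2)
    return AsaMessage(facility, severity, int(m["msgid"]), body, fields)


def event_list_filter(msg: AsaMessage, level: int = NOTIFICATIONS, extra_ids=frozenset()) -> bool:
    """Method #2: 'logging list X level notifications' plus one 'logging list X message <id>' per ID."""
    return msg.severity <= level or msg.msgid in extra_ids


def relevel_filter(msg: AsaMessage, level: int = NOTIFICATIONS, relevel: Optional[Dict[int, int]] = None) -> bool:
    """Method #1: 'logging message <id> level notifications' rewrites that message's own severity,
    and 'logging trap notifications' then filters on the rewritten value."""
    effective = (relevel or {}).get(msg.msgid, msg.severity)
    return effective <= level


def kept_ids(lines, keep) -> List[int]:
    """Message IDs that survive the given filter, in input order."""
    return [m.msgid for m in map(parse_asa_line, lines) if keep(m)]


# Constructed sample datagrams: facility local6 = 22, so PRI is 22*8 + severity.
SAMPLE_LINES = [
    "<181>Sep 17 2010 10:11:05: %ASA-5-111008: User 'enable_15' executed the 'logging trap gabs_test' command.",
    "<182>Sep 17 2010 10:11:12: %ASA-6-713228: Group = remote, Username = alice, IP = 203.0.113.7, "
    "Assigned private IP address 10.8.0.5 to remote user",
    "<182>Sep 17 2010 10:11:13: %ASA-6-713184: Group = remote, Username = alice, IP = 10.8.0.5, "
    "Client Type: Linux Client Application Version: 4.8.02030",
    "<182>Sep 17 2010 10:11:20: %ASA-6-302013: Built outbound TCP connection 4711 for "
    "outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.8.0.5/50123 (203.0.113.1/50123)",
]

if __name__ == "__main__":
    both = {713228, 713184}
    print("event list:", kept_ids(SAMPLE_LINES, lambda m: event_list_filter(m, extra_ids=both)))
    print("relevel   :", kept_ids(SAMPLE_LINES, lambda m: relevel_filter(m, relevel={713228: NOTIFICATIONS})))
    for line in SAMPLE_LINES[1:3]:
        msg = parse_asa_line(line)
        print(msg.msgid, msg.facility_name, msg.fields)
```

With only 713228 in play the two filters keep exactly the same lines; the event-list version keeps 713184 as well once that ID is added, while the re-level version would need a second “logging message 713184 level notifications” line, which is the “remember you altered the default” cost described above. The facility decode is the piece the collector side cares about: a syslog.conf selector such as local6.* is what sends these messages to their own file.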

Tip: You can’t rename or copy a filter (boo!) so choose your name carefully.

Tip: You also can’t edit a filter while it’s in use – you need to remove it from the destination under “Logging Filters”, apply/save, edit the filter, apply/save, re-enable it for the destination, and apply/save.

Obviously, there is a lot more you could do with this, by creating different custom filters and then applying them to different email destinations. I’ll save that for the next rainy weekend.

Reference: http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/monitor_syslog.html

2 September, 2010

HP 2510p laptop, 2 year review.

by gorthx

I can’t believe I’ve had this laptop for two years & haven’t had to replace the keyboard yet :knock wood: despite my attempts to feed it some wine one evening.

I’ve dropped it once, from about 2 feet, onto pavement. The hinge cracked, but it still works.

The buttons on the touchpad are losing their oomph.

The fan is pretty noisy, and that has started to get to me over time.

Other than that, it’s still going strong.
