Monthly Archives: March 2012

Grepping ASA syslogs, Part 2

Following up on (what is now) Part 1 of this subject….

So the request about finding out when so-and-so had logged on to the VPN came in again. This time I needed to go back two weeks. No problem. On our syslog server, it’s only 19.1 Gb of files. One command, ten minutes, right?

Sure, if you’re good with grep and regular expressions, which I am not. Eventually it did only take one command. But it took me about two hours and learning a little regex. Here is the full command, along with a breakdown.

And yes, this is for me too, when I get asked to do this next month after I’ve forgotten how to do it (again).

grep -E "71600[1-2]: Group <Employees> User <cgates>" -d recurse c:/syslog

To begin, I used grep for Windows on our syslog server (see Part 1).

Next comes the ‘-E’ switch for extended regular expressions.

After that is the regular expression itself. The event number 716001 is for ASA logon events, and 716002 is for logoff events. By using the range [1-2], we catch both events where the tunnel group = Employees and the user = cgates. The whole expression, minus the bracketed range, is a string snippet pulled from the actual syslog entries (below).

2012-03-09 14:21:57 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716001:
Group <Employees> User <cgates> IP <2.2.2.2> WebVPN session started.
2012-03-10 01:22:11 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716002:
Group <Employees> User <cgates> IP <2.2.2.2> WebVPN session terminated.

This string is common to both types of events, so we can catch them both with one command.

Next comes the ‘-d’ switch telling grep to treat a directory as the input file, followed by the action ‘recurse’, so it will work its way through all 19 GB of files found there. And finally comes the syslog directory itself, ‘c:/syslog’.
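If you need more than the raw lines, say how long each session lasted, the same 71600[12] idea carries over to a small script. This is an added example, not from the original post; the log lines are constructed to match the layout shown above, and the group/user/IP fields are pulled out with named capture groups so a logon can be paired with its logoff.

```python
import re
from datetime import datetime

# Constructed sample lines in the same layout as the ASA WebVPN entries above
# (not copied from a real syslog server).
SAMPLE_LOG = """\
2012-03-09 14:21:57 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716001: Group <Employees> User <cgates> IP <2.2.2.2> WebVPN session started.
2012-03-09 15:02:13 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716001: Group <Contractors> User <jdoe> IP <3.3.3.3> WebVPN session started.
2012-03-09 16:40:00 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716002: Group <Contractors> User <jdoe> IP <3.3.3.3> WebVPN session terminated.
2012-03-10 01:22:11 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716002: Group <Employees> User <cgates> IP <2.2.2.2> WebVPN session terminated.
2012-03-10 09:00:00 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716001: Group <Employees> User <cgates> IP <4.4.4.4> WebVPN session started.
"""

# Same trick as the grep expression: 71600[12] matches both the logon (716001)
# and logoff (716002) message IDs; the named groups capture the fields we need.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?%ASA-webvpn-6-71600(?P<kind>[12]): "
    r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>"
)

def vpn_events(text, group, user):
    """Yield (timestamp, 'start' | 'stop', client_ip) for one user in one tunnel group."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["group"] != group or m["user"] != user:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, ("start" if m["kind"] == "1" else "stop"), m["ip"]

def vpn_sessions(text, group, user):
    """Pair each session start with the termination from the same client IP.
    Returns a list of (start, stop, ip); stop is None when the session was
    still open at the end of the log window."""
    open_by_ip, sessions = {}, []
    for ts, kind, ip in vpn_events(text, group, user):
        if kind == "start":
            open_by_ip[ip] = ts
        elif ip in open_by_ip:
            sessions.append((open_by_ip.pop(ip), ts, ip))
    sessions.extend((start, None, ip) for ip, start in open_by_ip.items())
    return sessions

if __name__ == "__main__":
    for start, stop, ip in vpn_sessions(SAMPLE_LOG, "Employees", "cgates"):
        length = (stop - start) if stop else "still open"
        print(f"{ip}: {start} -> {stop} ({length})")
```

To cover a whole syslog tree, read each file under the directory and pass its contents to vpn_sessions in date order, just as grep's ‘-d recurse’ walks the same files.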

This worked magic for me. May it work magic for you too.


CareerWise: How to approach IT

How DO you approach IT? You approach it by knowing it’s an endless learning cycle. And the sooner and more consistently you commit to this, the more successful you’ll be.

Without getting too far afield philosophically, the same natural laws that affect Life affect IT.

“We cannot become what we need by remaining what we are.”  – John C. Maxwell

“Change is inevitable. Growth is optional.”  – John C. Maxwell

Bigger and bigger challenges are bound to come, and the work you do now will prepare you to embrace more complex challenges in the future. In your 20s, you can probably conceive of projects that would take four or six years to finish (think Bachelor’s or Master’s degrees). This helps condition you for later in life, when you may undertake projects that require 20+ years to complete (think raising kids).

IT, like Life, changes at a phenomenal pace. And you need to keep up, not only with your technical skills, but with those oh-so-important soft skills as well. How do you adjust your communication depending on who you’re talking to? How well can you persist when trying to solve the seemingly Unsolvable Problem? Do you think calmly, and contribute effective, problem-solving action during a severe IT crisis? How well can you manage multiple, complex tasks all with different deadlines and priorities?

All of these contribute just as much to your professional success as your technical knowledge.

  • Communication. This is crucial. After all, what do networks enable? Communications. All sorts of communications: written, audio, video. If communications are that important, shouldn’t you be good at it too? Of course. You are going to talk (email/text/IM/twitter/blog) to a wide variety of people, all of whom have different levels of technical understanding, come from different disciplines, are different ages and have different backgrounds. You can’t explain something the same way to everyone: Annalisa from Accounting will NOT comprehend how an MTU mismatch is affecting SQL Report Viewer’s behavior over the VPN to the branch office. So learn the differences in your audience, and communicate to them in terms they best understand.
  • Persistence. After the flash of inspiration, persistence is the other 99% of Genius. And it will carry the day. One of the most common traits I’ve found in very good IT folks is that they don’t give up when faced with difficult problems. They may get frustrated, but they don’t stop. Resources abound to help you. When syslogs and debugs and Wireshark fail, Google is a great place to turn. Senior techs will appreciate you a lot (trust me) when you come to them with a problem AND the solutions you’ve tried so far. They’ll be much more inclined to help you knowing you’re a self-starter who tries to solve problems on your own. Persistence isn’t something you learn through books; it’s a habit you develop by practice.
  • Thinking. This is the Big Kahuna. It’s vital, especially in emergencies. In the day-to-day office mode, your critical thinking skills are important, and you use them all day long: root cause analysis, cause and effect, process sequencing, scientific reasoning. Heavy stuff, but in an everyday environment, you can take as much time as you need. In an emergency, however, everything is compressed and accelerated. How well you can weed out the extraneous (like your boss who’s freaking out), identify the essential problem and laser-focus on its solution separates you from the competition. And it makes for great stories when prospective employers ask you “Tell me about a time when…”.
  • Task Management. In an ideal world, you’d only get one project or trouble ticket at a time, they’d never overlap, and you’d have more than enough time to do what’s needed. Of course, that never happens. Ever. More likely you’ll have multiple projects at once, in addition to super-complex trouble tickets piling up and all due at the same time. You will NEED a personal task management system (a personal knowledge base would be a great idea too). There is just too much information to remember. It really is that simple. Everyone develops their own personal system; over time you’ll find what works best for you. For me, Outlook Tasks work well. You can make them as complex as necessary, include Due Dates, customize Reminders, and most important, everything is archived and searchable, for the future, when you won’t be able to remember the details…

This list is of course not complete. Each of these items could become a post by itself. Like any profession, success in IT requires a host of skills, both professional and personal, these included. But, like any athlete, musician or artist, the longer you work at it, the better you’ll become. Daily reading and study will pay dividends you can’t anticipate. Each day builds on the other, and over time, you’re better than you’d expect.

TACACS+, Part 3: Network device config

In this final post about TACACS+, I’ll go into detail about the router/switch configuration, including an ASA and Dell PowerConnect switches. In case you missed the previous two posts, you can find them here:

TACACS+ Part 1 – Choosing the Version

TACACS+ Part 2 – tac_plus install and config

For routers and switches, there are three important config components: aaa new-model, tacacs-server and line configuration. The config snippet below configures all three, and also sets up TACACS+ for use on the console port as well. In the ‘aaa authentication’ section, the router is set to call the TACACS+ server first, and if no valid usernames are found, check local usernames.

I did discover some interesting behavior, though: the router will always attempt to contact the TACACS+ server, even if it’s unreachable. And the only time the local usernames will work is when the TACACS+ server can’t be reached.

So far, this snippet has worked on IOS 12.2, 12.4 and 15.0.

aaa new-model
!
aaa authentication login tac_plus1 group tacacs+ local
aaa authorization console
aaa authorization exec tac_plus2 group tacacs+ local
!
tacacs-server host 192.168.1.1
tacacs-server host 192.168.1.2
tacacs-server key **password_goes_here**
!
line con 0
 authorization exec tac_plus2
 login authentication tac_plus1
line vty 0 4
 authorization exec tac_plus2
 login authentication tac_plus1
 transport input telnet ssh

On Dell PowerConnect switches, the configuration is a little easier, save for specifying the TACACS+ port number, and including a source address for the traffic.

conf
!
aaa authentication login tac_plus1 tacacs local
tacacs host 192.168.1.1 port-number 49 priority 10
tacacs host 192.168.1.2 port-number 49 priority 20
tacacs key **password_goes_here**
!
tacacs source **mgmt_ip_address**
!
line telnet
login authen tac_plus1
line ssh
login authen tac_plus1
line con
login authen tac_plus1

And finally, directions for the ASA. No doubt security blue bloods will decry me for using the ASDM (“Real pros use the CLI…”), but I find it easier to visualize the rule sets in ASDM versus the CLI. These directions won’t elevate your login permission to level 15 though, so you’ll still have to enter the enable secret on the CLI. If you figure out how to elevate the login permission, let me know!

1. Create an AAA_Server Group for the tac_plus servers
2. Go to AAA_Access and set the Server Group for
   ASDM, https and serial access under the Authentication tab.