Grepping ASA syslogs, Part 2

Following up on (what is now) Part 1 of this subject…

So the request about finding out when so-and-so had logged on to the VPN came in again. This time I needed to go back two weeks. No problem. On our syslog server, it’s only 19.1 GB of files. One command, ten minutes, right?

Sure, if you’re good with grep and regular expressions, which I am not. In the end it did take only one command, but getting there took me about two hours and a little regex. Here is the full command, along with a breakdown.

And yes, this is for me too, when I get asked to do this next month after I’ve forgotten how to do it (again).

grep -E "71600[1-2]: Group <Employees> User <cgates>" -d recurse c:/syslog

To begin, I used grep for Windows on our syslog server (see Part 1).

Next comes the ‘-E’ switch for extended regular expressions.

After that comes the regular expression itself. Message ID 716001 is the ASA’s “WebVPN session started” event (the logon), and 716002 is “WebVPN session terminated” (the logoff). The bracket expression [1-2] matches either final digit, so one pattern catches both events where the tunnel group is Employees and the user is cgates. Everything else in the expression is a literal snippet pulled from the actual syslog entries (below). Note that the angle brackets are literal characters in the log, so <cgates> matches only that exact username and not, say, cgates2.

2012-03-09 14:21:57 Local4.Info :%ASA-webvpn-6-716001: Group <Employees> User <cgates> IP <> WebVPN session started.
2012-03-10 01:22:11 Local4.Info :%ASA-webvpn-6-716002: Group <Employees> User <cgates> IP <> WebVPN session terminated.

This string is common to both types of events, so we can catch them both with one command.

Next comes the ‘-d’ switch, which tells grep what to do when an input file is a directory, followed by the action ‘recurse’, so it will work its way through all 19 GB of files found there (in GNU grep, ‘-r’ is shorthand for the same thing). And finally comes the syslog directory itself, ‘c:/syslog’.
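To make the breakdown above something you can try without a 19 GB syslog tree, here is an added example (mine, not part of the original post) that builds a small constructed log directory and runs the same kind of grep against it. The log directory, the file names, the second user ‘cgates2’ and the unrelated 722051 line are all made up for the demo; ‘-r’ stands in for ‘-d recurse’ and ‘-h’ drops the file-name prefix so the output can be sorted by timestamp.

```shell
#!/bin/sh
# Added example: recreate the post's grep against a tiny constructed syslog tree.
set -eu

# Hypothetical log directory standing in for c:/syslog in the post.
LOGDIR="${TMPDIR:-/tmp}/asa-syslog-demo.$$"
mkdir -p "$LOGDIR/2012-03"
trap 'rm -rf "$LOGDIR"' EXIT

# Constructed sample entries (not real data): two users with one session each,
# plus an unrelated 722051 line to show the pattern does not over-match.
cat > "$LOGDIR/2012-03/syslog-2012-03-09.log" <<'EOF'
2012-03-09 14:21:57 Local4.Info :%ASA-webvpn-6-716001: Group <Employees> User <cgates> IP <> WebVPN session started.
2012-03-09 15:02:13 Local4.Info :%ASA-webvpn-6-716001: Group <Employees> User <cgates2> IP <> WebVPN session started.
2012-03-09 15:05:40 Local4.Info :%ASA-vpn-6-722051: Group <Employees> User <cgates> IP <> Address <> assigned to session
EOF
cat > "$LOGDIR/2012-03/syslog-2012-03-10.log" <<'EOF'
2012-03-10 01:22:11 Local4.Info :%ASA-webvpn-6-716002: Group <Employees> User <cgates> IP <> WebVPN session terminated.
2012-03-10 02:00:00 Local4.Info :%ASA-webvpn-6-716002: Group <Employees> User <cgates2> IP <> WebVPN session terminated.
EOF

# vpn_sessions USER [GROUP]: print every 716001/716002 line for USER in GROUP
# (default Employees), searching the whole tree recursively (-r == -d recurse).
# The literal <...> delimiters keep <cgates> from matching <cgates2>.
vpn_sessions() {
    user="$1"
    group="${2:-Employees}"
    grep -rhE "71600[12]: Group <$group> User <$user>" "$LOGDIR" | sort
}

# vpn_session_count USER: number of matching lines, handy as a sanity check.
vpn_session_count() {
    vpn_sessions "$1" | wc -l | tr -d ' '
}

vpn_sessions cgates
```

Run as-is and it prints the two cgates lines (logon, then logoff) and nothing for cgates2 or the 722051 entry; change the argument to ‘cgates2’ to see the other user’s session.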

This worked magic for me. May it work magic for you too.

