Category Archives: ASA

Grepping ASA syslogs, Part 2

Following up on (what is now) Part 1 of this subject….

So the request about finding out when so-and-so had logged on to the VPN came in again. This time I needed to go back two weeks. No problem. On our syslog server, it’s only 19.1 Gb of files. One command, ten minutes, right?

Sure, if you’re good with grep and regular expressions, which I am not. Eventually it did only take one command. But it took me about two hours and learning a little regex. Here is the full command, along with a breakdown.

And yes, this is for me too, when I get asked to do this next month after I’ve forgotten how to do it (again).

grep -E "71600[1-2]: Group <Employees> User <cgates>" -d recurse c:/syslog

To begin, I used grep for Windows on our syslog server (see Part 1).

Next comes the ‘-E’ switch for extended regular expressions.

After that is the regular expression itself. The event number 716001 is for ASA logon events, and 716002 is for logoff events. By using the range [1-2], we catch both events where the tunnel group = Employees and the user = cgates. The whole expression, minus the bracketed range, is a string snippet pulled from the actual syslog entries (below).

2012-03-09 14:21:57 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716001:
Group <Employees> User <cgates> IP <2.2.2.2> WebVPN session started.
2012-03-10 01:22:11 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716002:
Group <Employees> User <cgates> IP <2.2.2.2> WebVPN session terminated.

This string is common to both types of events, so we can catch them both with one command.

Next comes the ‘-d’ switch telling grep to look in a directory as the input file, followed by the action ‘recurse’, so it will work its way through all 19 GBs of files found there. And finally comes the syslog directory itself ‘c:/syslog’.

This worked magic for me. May it work magic for you too.


Cisco ASA OS real-time logging bug – FIXED

For a few months now, my ASA’s ASDM real-time log debugger has been giving fits. More specifically, it’s been displaying exactly NOTHING. Look at the ASDM real-time log viewer, and … nada. It was running OS version 8.2.1 with ASDM 6.2.3. This combo was not the default – I upgraded them from OS 7.x and ASDM 5.x.

A few intensive Google searches pointed to an 8.2.x OS bug. Not much to be done about it, except maybe open a TAC case and hope for the best. Oh yeah, you could always open the ASDM log-buffer viewer and hit F5 a lot.

Well, we ended up ordering a new ASA 5510, and it came from Cisco with OS 8.2.3 and ASDM 6.2.1. Guess what? ASDM real-time log viewer works with this combo! Looks like it was an ASDM issue rather than an OS issue.

FIX: Changed ASDM on old ASA to 6.2.1. Whew. A LOT easier than upgrading the OS.

Grepping ASA syslogs for AnyConnect client logon/logoff activity

Ran across a Quick Question the other day: “Hey, can you quick tell me when so-and-so has been on the vpn in the last week?” Everybody knows a quick question is anything but. This was no exception.

The quick answer is “Sure, just let me look in the syslogs. Hang on.” To my genuine surprise, the syslogs were very large. 2+ Gbs for each day – way too large just to search in Notepad++ (Notepad and Wordpad actually refused to open the file). So, I quickly learned to use GNU32 Grep for Windows.

Once I figured that out, the next trick was to figure out what to grep for. Of course, if you’re syslogging the right classes, this helps tremendously (wink wink). In addition to the default syslog classes, I had added the following:

logging class auth trap informational
logging class vpdn trap informational
logging class vpn trap informational
logging class vpnc trap informational
logging class webvpn trap informational

Turns out that class vpnc (VPNCLIENT) is not what you think. I was thinking this is for the remote access client activity, like AnyConnect activity. Wrong. It’s mostly for EZVPN setups. For remote access activity, class webvpn is what you want. Specifically, message 716001 is for logon events, and 716002 is for logoff events.

We’re using ASA software version 8.2.1, and Cisco syslog message documentation explains these messages like this:

716001
Error Message %ASA-6-716001: Group group User user IP ip WebVPN session started.
Explanation: The WebVPN session has started for the user in this group at the specified IP address. When the user logs in via the WebVPN login page, the WebVPN session starts.

716002
Error Message %ASA-6-716002: Group GroupPolicy User username IP ip WebVPN session
terminated: User requested.
Explanation: The WebVPN session has been terminated by a user request.
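The grep command from Part 2 above only lists the matching lines; to answer the actual question (“when was so-and-so on the VPN?”) you still have to pair each 716001 with its 716002 by hand. The following is an added Python example, not from the original posts, that applies the same 716001/716002 pattern to a constructed sample log and pairs logon/logoff events per user and IP, including the edge cases where a session is still open or the log window started mid-session. The sample lines and user names are made up for the demonstration.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from a real ASA), laid out like the
# entries quoted on this page: one event per line, timestamp first.
SAMPLE_LOG = """\
2012-03-09 14:21:57 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716001: Group <Employees> User <cgates> IP <2.2.2.2> WebVPN session started.
2012-03-09 15:02:10 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716001: Group <Contractors> User <cgates> IP <5.5.5.5> WebVPN session started.
2012-03-09 16:00:00 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716001: Group <Employees> User <jdoe> IP <3.3.3.3> WebVPN session started.
2012-03-10 01:22:11 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716002: Group <Employees> User <cgates> IP <2.2.2.2> WebVPN session terminated: User requested.
2012-03-10 08:15:00 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716001: Group <Employees> User <cgates> IP <2.2.2.2> WebVPN session started.
"""

# Same idea as the page's grep pattern (71600[1-2] plus Group/User), but with
# capture groups so the two event types can be paired afterwards.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?%ASA-webvpn-6-71600(?P<code>[12]): "
    r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>"
)

def vpn_sessions(lines, user, group="Employees"):
    """Pair 716001 (logon) with the next 716002 (logoff) for one user/group.

    Returns (start, end, ip) tuples in log order. A session still open at the
    end of the log has end=None; a 716002 with no earlier 716001 (the log
    window began mid-session) has start=None.
    """
    open_by_ip = {}   # ip -> start timestamp of a session not yet terminated
    sessions = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m["user"] != user or m["group"] != group:
            continue   # the lines grep would have dropped as well
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["code"] == "1":
            open_by_ip[m["ip"]] = ts
        else:
            sessions.append((open_by_ip.pop(m["ip"], None), ts, m["ip"]))
    sessions.extend((start, None, ip) for ip, start in open_by_ip.items())
    return sessions

def session_report(log_text, user, group="Employees"):
    """One human-readable line per session, with duration where both ends are known."""
    out = []
    for start, end, ip in vpn_sessions(log_text.splitlines(), user, group):
        if start and end:
            out.append(f"{user} {ip} {start} -> {end} ({end - start})")
        else:
            out.append(f"{user} {ip} {start or '?'} -> {end or 'still connected'}")
    return out

if __name__ == "__main__":
    print("\n".join(session_report(SAMPLE_LOG, "cgates")))
```

Feed it the real files with `open(path).readlines()` in place of the sample; with recursive grep already narrowed to a user, the same pairing shows session durations and any logon that never got a logoff.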

In Part 2, I’ll go into detail on how to search multiple syslogs files for these events with one command.

How to Configure Cisco ASA for Websense

Had to put this together this morning. Actually it’s quite simple – you too can do it in 5 minutes.

Here is Websense’s official support on the issue: Configure PIX/ASA firewall for Websense integration

I primarily use the ASDM to configure our ASA, since the configuration, with all its access rules, NATs and network/service objects, gets a little cumbersome to scroll through on the command line. This ASA uses Software Version 8.2(1) with ASDM Version 6.2(3). To configure it via the ASDM, do the following:

  1. Configuration – Firewall – URL Filtering Servers – set up the host that Websense is running on. Ours is a VM, and we used the protocol UDP 4.
  2. Configuration – Firewall – Filter Rules – set up what you want to filter. We just used http and https, nothing fancy.

This will give you the basic configuration. If you need more details, or are doing cool stuff like filtering custom ports, the Websense doc should point you in the right direction.