In a basic environment with a Cisco ASA firewall I am logging everything to a syslog-ng server. As there aren’t any reporting tools installed, I am using grep to filter the huge number of syslog messages down to the information I actually want to know. In this blog post I list a few greps for getting the interesting data.
On my syslog server, every firewall logs into its own folder, which is subdivided into folders for every year and month. Inside this month folder, a new file is created for every day. That is, when parsing through all days of a month, the “cat” command looks like cat 2013/01/*, while it looks like cat 2012/*/* when parsing through the whole year.
Besides “grep” for selecting the lines of interest, I also use “grep -v” to exclude certain lines.
IPsec VPNs (RA and S2S)
The basic syslog message for VPNs is “713120: IKE Phase 2 has completed successfully.” That is, a list of all VPN client users that were logged in at a certain time is produced by the following grep. It also includes the names of the VPN groups:
cat 2013/*/* | grep ASA-5-713120 | grep Username
Similarly, a specific username can be requested:
cat 2013/*/* | grep ASA-5-713120 | grep "Username = JoWeber"
Example output:
Nov 5 08:17:27 10.10.1.1 %ASA-5-713120: Group = Travel-TSC-VPN, Username = SaWeber, IP = 88.123.138.9, PHASE 2 COMPLETED (msgid=40f3af0e)
Nov 5 08:23:26 10.10.1.1 %ASA-5-713120: Group = Travel-TSC-VPN, Username = MaSimpson, IP = 84.173.7.186, PHASE 2 COMPLETED (msgid=f42c0d8d)
Nov 5 08:51:20 10.10.1.1 %ASA-5-713120: Group = BYOD-VPN, Username = TiBom, IP = 95.155.95.109, PHASE 2 COMPLETED (msgid=1ff86427)
Nov 5 08:54:30 10.10.1.1 %ASA-5-713120: Group = Travel-TSC-VPN, Username = JoWeber, IP = 80.169.108.226, PHASE 2 COMPLETED (msgid=f9162b18)
Nov 5 09:08:45 10.10.1.1 %ASA-5-713120: Group = Travel-TSC-VPN, Username = SiLucky, IP = 8.199.5.111, PHASE 2 COMPLETED (msgid=9f164f31)
Nov 5 09:08:52 10.10.1.1 %ASA-5-713120: Group = Remote-TSC-VPN, Username = SoHome, IP = 177.139.3.15, PHASE 2 COMPLETED (msgid=a6d1a0c0)
Or, users filtered by VPN group (connection profile), with one line for every login:
cat 2013/*/* | grep ASA-5-713120 | grep "Group = ConfiguredGroupName"
Or, a list of all users of that group that were logged in, but only the distinct VPN users (without each login time). This is done via “sort at the position of the name” and then “uniq entries for the position of the name”: uniq -f 10 skips the first ten whitespace-separated fields (everything up to and including “Username =”) and -w 6 compares only the following six characters, so usernames that share their first six characters collapse into one entry:
cat 2013/*/* | grep ASA-5-713120 | grep "Group = ConfiguredGroupName" | sort -k 10 | uniq -f 10 -w 6
For site-to-site VPNs, all 713120 events without a “Username” are relevant (grep -v):
cat 2013/*/* | grep ASA-5-713120 | grep -v Username
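The two lists above (distinct remote-access users per group, and site-to-site peers) as an added example that is not part of the original post. It keys on the “Group = ” and “Username = ” labels instead of a fixed field offset, so the 6-character comparison of uniq -f 10 -w 6 cannot merge two different users; the sample input is constructed and the S2S peer 203.0.113.9 is made up.

```shell
#!/bin/sh
# Added example (not from the original post): distinct remote-access users per
# connection profile, and site-to-site peers, from ASA 713120 messages.
# Matching on the labels avoids the fixed field offset and the 6-character
# comparison (uniq -f 10 -w 6), which would merge e.g. SaWeber and SaWeberTest.

# Constructed sample input in the format shown in the post (203.0.113.9 is a made-up S2S peer).
SAMPLE_LOG='Nov 5 08:17:27 10.10.1.1 %ASA-5-713120: Group = Travel-TSC-VPN, Username = SaWeber, IP = 88.123.138.9, PHASE 2 COMPLETED (msgid=40f3af0e)
Nov 5 08:23:26 10.10.1.1 %ASA-5-713120: Group = Travel-TSC-VPN, Username = MaSimpson, IP = 84.173.7.186, PHASE 2 COMPLETED (msgid=f42c0d8d)
Nov 5 08:51:20 10.10.1.1 %ASA-5-713120: Group = BYOD-VPN, Username = TiBom, IP = 95.155.95.109, PHASE 2 COMPLETED (msgid=1ff86427)
Nov 15 08:54:30 10.10.1.1 %ASA-5-713120: Group = Travel-TSC-VPN, Username = SaWeber, IP = 80.169.108.226, PHASE 2 COMPLETED (msgid=f9162b18)
Nov 15 09:08:45 10.10.1.1 %ASA-5-713120: Group = Travel-TSC-VPN, Username = SaWeberTest, IP = 8.199.5.111, PHASE 2 COMPLETED (msgid=9f164f31)
Nov 15 09:10:00 10.10.1.1 %ASA-5-713120: Group = 203.0.113.9, IP = 203.0.113.9, PHASE 2 COMPLETED (msgid=a6d1a0c0)'

# Remote-access logins: print "group<TAB>username" once per distinct pair.
# Usage: cat 2013/*/* | vpn_ra_users
vpn_ra_users() {
    awk '/%ASA-5-713120:/ && /Username = / {
        match($0, /Group = [^,]*/);    g = substr($0, RSTART + 8,  RLENGTH - 8)
        match($0, /Username = [^,]*/); u = substr($0, RSTART + 11, RLENGTH - 11)
        print g "\t" u
    }' | sort -u
}

# Site-to-site tunnels: 713120 lines without a Username; "Group" then holds the peer.
vpn_s2s_peers() {
    awk '/%ASA-5-713120:/ && !/Username = / {
        match($0, /Group = [^,]*/); print substr($0, RSTART + 8, RLENGTH - 8)
    }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | vpn_ra_users    # 4 distinct group/user pairs
printf '%s\n' "$SAMPLE_LOG" | vpn_s2s_peers   # 203.0.113.9
```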
DHCPv4 Server IPv4 Address Granted
To show the MAC-to-IPv4 address bindings:
cat 2013/11/07 | grep ASA-6-604103
Sample output, which also shows the interface:
Nov 7 09:04:09 10.10.1.1 %ASA-6-604103: DHCP daemon interface BYOD: address granted 019c.04eb.1c2f.7a (10.12.92.234)
Nov 7 09:04:29 10.10.1.1 %ASA-6-604103: DHCP daemon interface BYOD: address granted 0150.ccf8.20ad.fb (10.12.92.231)
Nov 7 09:05:18 10.10.1.1 %ASA-6-604103: DHCP daemon interface BYOD: address granted 0114.5a05.dc9f.ab (10.12.92.230)
Nov 7 09:05:46 10.10.1.1 %ASA-6-604103: DHCP daemon interface Mobile: address granted 0160.21c0.1bb5.20 (10.12.90.238)
Nov 7 09:05:53 10.10.1.1 %ASA-6-604103: DHCP daemon interface BYOD: address granted 0194.350a.1966.90 (10.12.92.243)
Nov 7 09:06:17 10.10.1.1 %ASA-6-604103: DHCP daemon interface Mobile: address granted 0160.21c0.1bb5.20 (10.12.90.238)
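A binding table built from these 604103 lines, as an added example that is not part of the original post. It assumes the 14-hex-digit value in the log is the DHCP client identifier (hardware type 01 followed by the 6-byte MAC), which is how the sample output above reads; the input is constructed, with one address re-granted to a second client.

```shell
#!/bin/sh
# Added example (not from the original post): latest MAC-to-IPv4 binding per address
# from ASA 604103 messages. Assumption: the 14-hex-digit value is the DHCP client
# identifier, i.e. hardware type 01 followed by the MAC, as in the sample output.

# Constructed sample input (same format as the output shown in the post).
DHCP_LOG='Nov 7 09:04:09 10.10.1.1 %ASA-6-604103: DHCP daemon interface BYOD: address granted 019c.04eb.1c2f.7a (10.12.92.234)
Nov 7 09:04:29 10.10.1.1 %ASA-6-604103: DHCP daemon interface BYOD: address granted 0150.ccf8.20ad.fb (10.12.92.231)
Nov 7 09:05:46 10.10.1.1 %ASA-6-604103: DHCP daemon interface Mobile: address granted 0160.21c0.1bb5.20 (10.12.90.238)
Nov 7 09:06:17 10.10.1.1 %ASA-6-604103: DHCP daemon interface Mobile: address granted 0160.21c0.1bb5.20 (10.12.90.238)
Nov 7 11:30:02 10.10.1.1 %ASA-6-604103: DHCP daemon interface BYOD: address granted 0114.5a05.dc9f.ab (10.12.92.234)'

# Print "ip<TAB>mac<TAB>interface", keeping only the most recent grant for each IP.
# Usage: cat 2013/11/07 | dhcp_bindings
dhcp_bindings() {
    awk '/%ASA-6-604103:/ {
        # locate the fields by keyword so the width of the syslog timestamp does not matter
        for (i = 1; i <= NF; i++) {
            if ($i == "interface") { ifc = $(i + 1); sub(/:$/, "", ifc) }
            if ($i == "granted")   { id = $(i + 1); ip = $(i + 2) }
        }
        gsub(/\./, "", id); gsub(/[()]/, "", ip)
        mac = id
        if (length(id) == 14 && substr(id, 1, 2) == "01") {   # 01 = Ethernet, then the MAC
            mac = ""
            for (i = 3; i <= 13; i += 2) mac = mac (i > 3 ? ":" : "") substr(id, i, 2)
        }
        last[ip] = mac "\t" ifc    # a later grant for the same IP overwrites the earlier one
    }
    END { for (ip in last) print ip "\t" last[ip] }' | sort
}

printf '%s\n' "$DHCP_LOG" | dhcp_bindings   # 3 addresses; 10.12.92.234 -> 14:5a:05:dc:9f:ab
```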
Sessions initiated from an IP Address
The relevant ASA events are 302013 “Built {inbound|outbound} TCP connection”, 302015 “Built {inbound|outbound} UDP connection” and 302020 “Built {inbound|outbound} ICMP connection”. “grep -E” is used for an extended regular expression that matches any of the three:
cat 2013/11/* | grep -E "ASA-6-302013|ASA-6-302015|ASA-6-302020" | grep 10.49.32.75
Of course, this works similarly for IPv6 addresses:
cat 2013/11/* | grep -E "ASA-6-302013|ASA-6-302015|ASA-6-302020" | grep 2001:db8::232:1879:3c18:afa2:82cd
Configuration Commands
All configuration commands share at least the keyword “executed”:
cat 2013/11/* | grep executed
Sample output:
Nov 5 09:54:31 10.10.1.1 %ASA-5-111008: User 'Admin-JoWeber' executed the 'enable' command.
Nov 5 09:54:47 10.10.1.1 %ASA-7-111009: User 'Admin-JoWeber' executed cmd: show ipv6 traffic
Nov 5 10:03:29 10.10.1.1 %ASA-7-111009: User 'Admin-JoWeber' executed cmd: show vpn-sessiondb summary
Nov 5 10:03:29 10.10.1.1 %ASA-7-111009: User 'Admin-JoWeber' executed cmd: show vpn-sessiondb detail full anyconnect
Nov 5 10:03:29 10.10.1.1 %ASA-7-111009: User 'Admin-JoWeber' executed cmd: show vpn-sessiondb detail full webvpn
Nov 5 10:03:29 10.10.1.1 %ASA-7-111009: User 'Admin-JoWeber' executed cmd: show vpn-sessiondb detail full ra-ikev1-ipsec
Do you have any idea if I want to use grep for source IP and destination IP / destination port?
Yes, you can simply use “grep” a few times. The destination IP and port are noted with a slash: IP/port, e.g.:
192.168.1.110/80
That is, if you want to search for sessions from source IP 10.49.16.78 and destination IP 134.170.71.87 and destination port 443, the command would look like this:
cat *.log | grep -E "ASA-6-302013|ASA-6-302015|ASA-6-302020" | grep 10.49.16.78 | grep 134.170.71.87/443
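The session grep chain from the post and from this reply, as an added example that is not part of the original, with the addresses matched as whole tokens: a bare grep 10.49.16.78 also hits 110.49.16.78 and 10.49.16.780 (and its dots match any character), so the dots are escaped and the address must be preceded by a non-address character and followed by “/port”. The sample lines are constructed in the 302013/302015 format; which side of a “Built ... connection” line is source or destination is not interpreted here.

```shell
#!/bin/sh
# Added example (not from the original post): exact-address version of the
# "Built ... connection" grep chain. Plain "grep 10.49.16.78" also matches
# 110.49.16.78 and 10.49.16.780; here the address must stand as a whole token.

# Constructed sample lines in the 302013/302015 "Built ... connection" format.
SESSION_LOG='Nov 5 10:01:02 10.10.1.1 %ASA-6-302013: Built outbound TCP connection 4711 for outside:134.170.71.87/443 (134.170.71.87/443) to inside:10.49.16.78/52113 (203.0.113.2/52113)
Nov 5 10:01:05 10.10.1.1 %ASA-6-302013: Built outbound TCP connection 4712 for outside:134.170.71.87/80 (134.170.71.87/80) to inside:10.49.16.78/52114 (203.0.113.2/52114)
Nov 5 10:01:07 10.10.1.1 %ASA-6-302013: Built outbound TCP connection 4713 for outside:134.170.71.87/443 (134.170.71.87/443) to inside:10.49.16.7/52115 (203.0.113.2/52115)
Nov 5 10:01:09 10.10.1.1 %ASA-6-302015: Built outbound UDP connection 4714 for outside:134.170.71.87/443 (134.170.71.87/443) to inside:110.49.16.78/5000 (203.0.113.2/5000)
Nov 5 10:01:11 10.10.1.1 %ASA-6-302014: Teardown TCP connection 4711 for outside:134.170.71.87/443 to inside:10.49.16.78/52113 duration 0:00:09 bytes 1234 TCP FINs'

# Escape the dots of an IPv4 address (or "ip/port") for use in an extended regular expression.
re_addr() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Built-connection events in which $1 appears as a whole address; with a second
# argument "ip/port", only lines that also carry exactly that address/port pair.
# Usage: cat 2013/11/* | asa_sessions 10.49.16.78 [134.170.71.87/443]
asa_sessions() {
    host=$(re_addr "$1")
    grep -E 'ASA-6-30201[35]|ASA-6-302020' |
    grep -E "[^0-9.]${host}/[0-9]+" |
    if [ -n "$2" ]; then
        grep -E "[^0-9.]$(re_addr "$2")([^0-9]|\$)"
    else
        cat
    fi
}

printf '%s\n' "$SESSION_LOG" | asa_sessions 10.49.16.78                     # 2 lines (a plain grep gives 3)
printf '%s\n' "$SESSION_LOG" | asa_sessions 10.49.16.78 134.170.71.87/443   # 1 line
```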