Cisco ASA logging

Hi,

I have my Cisco ASA logging to a syslog server. Is there a way for the ASA to resolve the websites that the users are visiting (instead of IPs, actual DNS names)? Also, is there a way for it to track the user who is accessing it instead of the workstation and IP? I do not want to use a proxy if the ASA can do this, and I do not want to use ISA. I might try Squid on a Linux box if the ASA cannot.

Thanks so much for any advice.

Reply to
KDawg44

A particularly bad website might have the same IP address as an excellent website. You can't count on IP address to tell you about websites.

I don't directly answer "No" because I'm not familiar enough with the ASA and what kinds of things you might be able to get out of its inspection engine.

If the user has to authenticate to the firewall before being permitted through, then the username will be placed in the relevant log entries. (Or at least that's how it was documented in PIX 6) But if you are not using authentication of internal users, it wouldn't know the name to log.

Squid can be pretty useful.

Reply to
Walter Roberson

For instance, a syslog message from my ASA:

asa.domain.com notice 2007-03-29 13:41:44 Mar 29 2007 13:15:47 ASAName : %ASA-5-304001: IP_OF_HOST_PC Accessed URL 69.147.114.210:/

What I would like is for IP_OF_HOST_PC to state the actual PC name in our DNS records (actually I would love the Active Directory user name, but that would probably be a stretch), and instead of 69.147.114.210 I would like to see yahoo.com.

Is there a way to do this?

Thanks.

Reply to
KDawg44

Converting IP to domain name in syslog entries is typically a function of the syslog server, not the device generating the entries. It is also typically turned off to avoid the performance hit and extra traffic generated by doing the reverse DNS lookups.

Have fun!

Reply to
Vincent C Jones


Thanks for the reply. Makes sense. I think I will see if I can turn it on, then see how big of a hit I take. If it's too much, then I'll just have to turn it off.

Thanks.

Reply to
KDawg44

Do you know how to do that in syslog-ng? I have

dns_cache(yes); use_fqdn(yes); keep_hostname(yes); long_hostnames(on); use_dns(yes);

in the config and this looks up DNS for the host sending the message, but doesn't do it within the syslog message itself.

Reply to
KDawg44

There is no way to get the PIX to reverse DNS the IP_OF_HOST_PC or

69.147.114.210 in that syslog message. Your syslog server is also not going to reverse DNS them, because it is going to treat the entire part from "Mar" onward as pure text that it should log literally.

I do not recall now whether IP_OF_HOST_PC is one of the fields that the PIX would automatically pull back through 'name' translation. You could give it a try. But I'm relatively sure that it won't put the URL IP back through 'name' translation.

You could configure any Unix syslog server (and probably syslog-ng) to pass the messages with that priority and that facility through a filter, such as a little shell script or perl program that read through the message text, found everything that looked like a dotted quad, and ran a reverse DNS on it. Or you could just write a little program that was able to read through the log file in the original format and do that kind of reverse DNS.

*Any* post-processing at the syslog server (from the instant of receiving the message onward) is not going to be able to *reliably* turn the URL hostname into the domain name that the user asked for. When I used to do this kind of work, I stumbled upon a stats page one day that analyzed number of websites per IP; there were some places with single IP addresses with over thirteen *thousand* different hostnames associated.

When I used to do log security analysis, I did indeed find people going out to IPs that housed both p*rn and scientific instrument sales sites (i.e., perfectly clean material needed for our work) on exactly the same IP.

That's why I say you can't do it in PIX 6.

In PIX 7, you might be able to provoke the PIX to spit out an entirely different message for an entirely different reason that happened to have the URL hostnames you were looking for. Root around for something akin to "debug inspect http"; I don't promise you'll find anything, but that's where I would start looking.

Reply to
Walter Roberson
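The post-processing filter described above, written out as an added example (this is not code from the thread or from Cisco, and the sample log lines, host addresses and PTR answers are constructed). It parses the %ASA-5-304001 "Accessed URL" message, reverse-resolves both dotted quads through a cache so each address costs one lookup per run (the performance concern raised earlier), caches negative answers, and leaves every other message untouched. The stub resolver returns a made-up PTR for the shared web address on purpose: a PTR gives you whatever name the address owner published, not the hostname the user typed.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Message ID 304001 ("Accessed URL") as the ASA writes it:
#   %ASA-5-304001: <src-ip> Accessed URL <dst-ip>:<path>
DOTTED_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
ASA_304001 = re.compile(
    rf"%ASA-5-304001:\s+(?P<src>{DOTTED_QUAD})\s+Accessed URL\s+(?P<dst>{DOTTED_QUAD}):"
)

Resolver = Callable[[str], Optional[str]]


def ptr_lookup(ip: str) -> Optional[str]:
    """Reverse DNS through the system resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


class CachingResolver:
    """Wrap a resolver so each address costs one lookup per run.

    Negative answers are cached too, so an unreachable PTR zone cannot
    stall every line that mentions the same address.
    """

    def __init__(self, resolve: Resolver = ptr_lookup) -> None:
        self._resolve = resolve
        self._cache: Dict[str, Optional[str]] = {}
        self.lookups = 0

    def __call__(self, ip: str) -> Optional[str]:
        if ip not in self._cache:
            self.lookups += 1
            self._cache[ip] = self._resolve(ip)
        return self._cache[ip]


def annotate(line: str, resolve: Resolver) -> str:
    """Rewrite a 304001 line as 'ip (ptr-name)' for both addresses; pass other lines through."""
    m = ASA_304001.search(line)
    if not m:
        return line

    def tag(ip: str) -> str:
        return f"{ip} ({resolve(ip) or 'no-ptr'})"

    # Replace the later (dst) span first so the earlier (src) offsets stay valid.
    out = line[: m.start("dst")] + tag(m.group("dst")) + line[m.end("dst"):]
    out = out[: m.start("src")] + tag(m.group("src")) + out[m.end("src"):]
    return out


def process(lines: List[str], resolve: Resolver) -> List[str]:
    return [annotate(line, resolve) for line in lines]


# --- Constructed sample data (not captured from a real ASA) -----------------
# The source host is an RFC 1918 address; the URL IP is the one quoted in the thread.
SAMPLE_LINES = [
    "Mar 29 2007 13:15:47 ASAName : %ASA-5-304001: 10.1.2.3 Accessed URL 69.147.114.210:/",
    "Mar 29 2007 13:15:49 ASAName : %ASA-5-304001: 10.1.2.3 Accessed URL 203.0.113.7:/index.html",
    "Mar 29 2007 13:15:50 ASAName : %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:69.147.114.210/80 (69.147.114.210/80) to inside:10.1.2.3/50012 (10.1.2.3/50012)",
]

# Constructed PTR answers standing in for DNS; 203.0.113.7 deliberately has none.
CONSTRUCTED_PTR = {
    "10.1.2.3": "ws-kdawg.domain.com",
    "69.147.114.210": "web-vip.example.net",  # a shared VIP's PTR, not "yahoo.com"
}


def stub_resolve(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def run_demo() -> Tuple[List[str], int]:
    """Annotate the samples offline; returns the rewritten lines and the lookup count."""
    resolver = CachingResolver(stub_resolve)
    return process(SAMPLE_LINES, resolver), resolver.lookups


if __name__ == "__main__":
    # For live use, CachingResolver() with no argument performs real PTR queries;
    # feed the script from a syslog-ng program() destination or run it over a log file.
    for out in run_demo()[0]:
        print(out)
```

The second sample line shows the failure mode the resolver cache has to tolerate: an address with no PTR comes back as "no-ptr" and is not queried again. Nothing here recovers the hostname from the user's request; for that the ASA would have to log the HTTP Host header itself, which the "Accessed URL" message does not carry.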


Thanks so much for the advice. I appreciate it greatly.

Reply to
KDawg44

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.