I have my Cisco ASA logging to a syslog server. Is there a way for the ASA to resolve the websites that the users are visiting (instead of IPs, actual DNS names)? Also, is there a way for it to track the user who is accessing it instead of the workstation and IP? I do not want to use a proxy if the ASA can do this, and I do not want to use ISA. I might try Squid on a Linux box if the ASA cannot.
A particularly bad website might have the same IP address as an excellent website. You can't count on IP address to tell you about websites.
I don't directly answer "No" because I'm not familiar enough with the ASA and what kinds of things you might be able to get out of its inspection engine.
If the user has to authenticate to the firewall before being permitted through, then the username will be placed in the relevant log entries. (Or at least that's how it was documented in PIX 6) But if you are not using authentication of internal users, it wouldn't know the name to log.
What I would like is to have it say for IP_OF_HOST_PC state the actual PC name in our DNS records (actually I would love the Active Directory user name but that would probably be a stretch) and instead of 188.8.131.52 I would like to see yahoo.com.
Converting IP to domain name in syslog entries is typically a function of the syslog server, not the device generating the entries. It is also typically turned off to avoid the performance hit and extra traffic generation doing the reverse DNS lookups.
There is no way to get the PIX to reverse DNS the IP_OF_HOST_PC or 184.108.40.206 in that syslog message. Your syslog server is also not going to reverse DNS them because it is going to treat the entire part from "Mar" onward as pure text that it should log literally.
I do not recall now whether IP_OF_HOST_PC is one of the fields that the PIX would automatically pull back through 'name' translation. You could give it a try. But I'm relatively sure that it won't put the URL IP back through 'name' translation.
You could configure any Unix syslog server (and probably syslog-ng) to pass the messages with that priority and that facility through a filter, such as a little shell script or perl program that read through the message text, found everything that looked like a dotted quad, and ran a reverse DNS on it. Or you could just write a little program that was able to read through the log file in the original format and do that kind of reverse DNS.
*Any* post-processing at the syslog server (from the instant of receiving the message onward) is not going to be able to *reliably* turn the URL hostname into the domain name that the user asked for. When I used to do this kind of work, I stumbled upon a stats page one day that analyzed number of websites per IP; there were some places with single IP addresses with over thirteen *thousand* different hostnames associated.
When I used to do log security analysis, I did indeed find people going out to IPs that housed both p*rn and scientific instrument sales sites (i.e., perfectly clean material needed for our work) on exactly the same IP.
That's why I say you can't do it in PIX 6.
In PIX 7, you might be able to provoke the PIX to spit out an entirely different message for an entirely different reason that happened to have the URL hostnames you were looking for. Root around for something akin to "debug inspect http"; I don't promise you'll find anything, but that's where I would start looking.
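The post-processing filter the reply sketches (a small program that reads the syslog text, finds every dotted quad and runs a reverse lookup on it) looks like the following. This is an added example, not code from the thread or from Cisco: the ASA message lines are constructed in the documentation address ranges, `FAKE_PTR` is a made-up stand-in for a PTR zone so the script runs offline, and the hostnames it returns are assumptions. It illustrates the caveat above as well: a reverse lookup yields the PTR name registered for the address, which for a shared web host is not the site name the user asked for, so the output is an annotation added beside the original line rather than a replacement for it.

```python
#!/usr/bin/env python3
"""Annotate IPv4 addresses in syslog lines with their PTR (reverse DNS) names.

Added example, not code from the original thread. It implements the
post-processing filter described in the reply: read syslog text, find every
dotted quad, run a reverse lookup, and append the result. It only adds the
PTR name; it cannot recover the hostname a user actually typed, because many
hostnames can share one address.
"""
import ipaddress
import re
import socket
import sys
from functools import lru_cache
from typing import Callable, List, Optional

# Matches candidate dotted quads; the octet range is validated separately.
DOTTED_QUAD = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


@lru_cache(maxsize=4096)
def cached_ptr_lookup(ip: str) -> Optional[str]:
    """Reverse-resolve one address, cached so a repeated IP costs one query."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None  # no PTR record, or the resolver is unreachable


def find_ipv4(text: str) -> List[str]:
    """Return the valid IPv4 addresses in text, in order, without duplicates."""
    seen: List[str] = []
    for match in DOTTED_QUAD.findall(text):
        try:
            ipaddress.IPv4Address(match)
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like a quad but is not an address
        if match not in seen:
            seen.append(match)
    return seen


def enrich_line(line: str,
                lookup: Callable[[str], Optional[str]] = cached_ptr_lookup) -> str:
    """Append 'ip=name' pairs for every address that has a PTR record.

    The original text is left intact so the line still matches the ASA's
    documented message format for any other tooling that parses it.
    """
    names = []
    for ip in find_ipv4(line):
        name = lookup(ip)
        if name:
            names.append(f"{ip}={name}")
    if not names:
        return line
    return f"{line.rstrip()}  # ptr: {' '.join(names)}"


# Constructed sample ASA-style lines (the 302013 "Built ... TCP connection"
# message shape); the addresses are documentation ranges, not real hosts.
SAMPLE_LINES = [
    "Mar  3 10:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 4711 "
    "for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.0.2.25/51234 (198.51.100.1/51234)",
    "Mar  3 10:15:02 fw01 %ASA-6-302013: Built outbound TCP connection 4712 "
    "for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.26/51235 (198.51.100.1/51235)",
]

# Constructed stand-in for the PTR zone so the example runs offline;
# use cached_ptr_lookup instead to query real DNS.
FAKE_PTR = {
    "203.0.113.10": "shared-host.example.net",  # assumed name of a shared web host
    "192.0.2.25": "pc25.corp.example",          # assumed internal PC name
}


def main() -> None:
    # Filter mode: read syslog text on stdin (for instance from a syslog-ng
    # program() destination) and write the annotated lines to stdout.
    # With no piped input, run over the constructed samples instead.
    piped = not sys.stdin.isatty()
    source = sys.stdin if piped else SAMPLE_LINES
    lookup = cached_ptr_lookup if piped else FAKE_PTR.get
    for line in source:
        print(enrich_line(line.rstrip("\n"), lookup))


if __name__ == "__main__":
    main()
```

Run it with `./script.py < /var/log/asa.log` to annotate a saved log, or hang it off the syslog daemon as a program destination for the ASA's facility and priority. The cache is what keeps the extra DNS traffic the reply warns about to one query per distinct address, and the PTR names are appended rather than substituted so that the raw address is still there when the name is misleading.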