Cisco ASA logging

Hi,

I have my Cisco ASA logging to a syslog server.  Is there a way for
the ASA to resolve the websites that the users are visiting
(actual DNS names instead of IPs)?  Also, is there a way for it to
track the user who is accessing it instead of the workstation and IP?
I do not want to use a proxy if the ASA can do this, and I do not want
to use ISA.  I might try Squid on a Linux box if the ASA cannot.

Thanks so much for any advice.

KDawg44 (132)
3/27/2007 4:07:31 PM
comp.dcom.sys.cisco

8 Replies
729 Views


In article <1175011651.804430.20990@y66g2000hsf.googlegroups.com>,
KDawg44 <KDawg44@gmail.com> wrote:
>I have my Cisco ASA logging to a syslog server.  Is there a way for
>the ASA to resolve the websites that the users are visiting
>(actual DNS names instead of IPs)?

A particularly bad website might have the same IP address as
an excellent website. You can't count on IP address to tell you
about websites.

I don't directly answer "No" because I'm not familiar enough
with the ASA and what kinds of things you might be able to get
out of its inspection engine.


>Also, is there a way for it to
>track the user who is accessing it instead of the workstation and IP?

If the user has to authenticate to the firewall before being permitted
through, then the username will be placed in the relevant log entries.
(Or at least that's how it was documented in PIX 6) But if you are not
using authentication of internal users, it wouldn't know the name to log.

>I do not want to use a proxy if the ASA can do this, and I do not want
>to use ISA.  I might try Squid on a Linux box if the ASA cannot.

Squid can be pretty useful.
roberson
3/27/2007 5:00:47 PM
On Mar 27, 12:00 pm, rober...@hushmail.com (Walter Roberson) wrote:
> In article <1175011651.804430.20...@y66g2000hsf.googlegroups.com>,
>
> KDawg44 <KDaw...@gmail.com> wrote:
> >I have my Cisco ASA logging to a syslog server.  Is there a way for
> >the ASA to resolve the websites that the users are visiting
> >(actual DNS names instead of IPs)?
>
> A particularly bad website might have the same IP address as
> an excellent website. You can't count on IP address to tell you
> about websites.
>
> I don't directly answer "No" because I'm not familiar enough
> with the ASA and what kinds of things you might be able to get
> out of its inspection engine.
>
> >Also, is there a way for it to
> >track the user who is accessing it instead of the workstation and IP?
>
> If the user has to authenticate to the firewall before being permitted
> through, then the username will be placed in the relevant log entries.
> (Or at least that's how it was documented in PIX 6) But if you are not
> using authentication of internal users, it wouldn't know the name to log.
>
> >I do not want to use a proxy if the ASA can do this, and I do not want
> >to use ISA.  I might try Squid on a Linux box if the ASA cannot.
>
> Squid can be pretty useful.

For instance, a syslog message from my ASA:

asa.domain.com	 notice  2007-03-29	13:41:44	Mar 29 2007 13:15:47
ASAName : %ASA-5-304001: IP_OF_HOST_PC  Accessed URL 69.147.114.210:/

What I would like is for it to state, instead of IP_OF_HOST_PC, the
actual PC name from our DNS records (actually I would love the Active
Directory user name, but that would probably be a stretch), and instead
of 69.147.114.210 I would like to see yahoo.com.

Is there a way to do this?

Thanks.

KDawg44
3/29/2007 5:46:11 PM
KDawg44 wrote:

> On Mar 27, 12:00 pm, rober...@hushmail.com (Walter Roberson) wrote:
>> In article <1175011651.804430.20...@y66g2000hsf.googlegroups.com>,
>>
>> KDawg44 <KDaw...@gmail.com> wrote:
>> >I have my Cisco ASA logging to a syslog server.  Is there a way for
>> >the ASA to resolve the websites that the users are visiting
>> >(actual DNS names instead of IPs)?
>>
>> A particularly bad website might have the same IP address as
>> an excellent website. You can't count on IP address to tell you
>> about websites.
>>
>> I don't directly answer "No" because I'm not familiar enough
>> with the ASA and what kinds of things you might be able to get
>> out of its inspection engine.
>>
>> >Also, is there a way for it to
>> >track the user who is accessing it instead of the workstation and IP?
>>
>> If the user has to authenticate to the firewall before being permitted
>> through, then the username will be placed in the relevant log entries.
>> (Or at least that's how it was documented in PIX 6) But if you are not
>> using authentication of internal users, it wouldn't know the name to log.
>>
>> >I do not want to use a proxy if the ASA can do this, and I do not want
>> >to use ISA.  I might try Squid on a Linux box if the ASA cannot.
>>
>> Squid can be pretty useful.
> 
> For instance, a syslog message from my ASA:
> 
> asa.domain.com         notice  2007-03-29     13:41:44        Mar 29 2007 13:15:47
> ASAName : %ASA-5-304001: IP_OF_HOST_PC  Accessed URL 69.147.114.210:/
> 
> What I would like is for it to state, instead of IP_OF_HOST_PC, the
> actual PC name from our DNS records (actually I would love the Active
> Directory user name, but that would probably be a stretch), and instead
> of 69.147.114.210 I would like to see yahoo.com.
> 
> Is there a way to do this?
> 
> Thanks.

Converting IP to domain name in syslog entries is typically a function of the
syslog server, not the device generating the entries. It is also typically
turned off to avoid the performance hit and the extra traffic generated by
the reverse DNS lookups.

Have fun!
-- 
Vincent C Jones, Consultant           Expert advice and a helping hand
Networking Unlimited, Inc.            for those who want to manage and
Tenafly, NJ  Phone: 201 568-7810      control their networking destiny
http://www.networkingunlimited.com
Vincent
3/29/2007 6:46:44 PM
On Mar 29, 1:46 pm, Vincent C Jones <v.jo...@networkingunlimited.com>
wrote:
> KDawg44 wrote:
> > On Mar 27, 12:00 pm, rober...@hushmail.com (Walter Roberson) wrote:
> >> In article <1175011651.804430.20...@y66g2000hsf.googlegroups.com>,
>
> >> KDawg44 <KDaw...@gmail.com> wrote:
> >> >I have my Cisco ASA logging to a syslog server.  Is there a way for
> >> >the ASA to resolve the websites that the users are visiting
> >> >(actual DNS names instead of IPs)?
>
> >> A particularly bad website might have the same IP address as
> >> an excellent website. You can't count on IP address to tell you
> >> about websites.
>
> >> I don't directly answer "No" because I'm not familiar enough
> >> with the ASA and what kinds of things you might be able to get
> >> out of its inspection engine.
>
> >> >Also, is there a way for it to
> >> >track the user who is accessing it instead of the workstation and IP?
>
> >> If the user has to authenticate to the firewall before being permitted
> >> through, then the username will be placed in the relevant log entries.
> >> (Or at least that's how it was documented in PIX 6) But if you are not
> >> using authentication of internal users, it wouldn't know the name to log.
>
> >> >I do not want to use a proxy if the ASA can do this, and I do not want
> >> >to use ISA.  I might try Squid on a Linux box if the ASA cannot.
>
> >> Squid can be pretty useful.
>
> > For instance, a syslog message from my ASA:
>
> > asa.domain.com         notice  2007-03-29     13:41:44        Mar 29 2007 13:15:47
> > ASAName : %ASA-5-304001: IP_OF_HOST_PC  Accessed URL 69.147.114.210:/
>
> > What I would like is for it to state, instead of IP_OF_HOST_PC, the
> > actual PC name from our DNS records (actually I would love the Active
> > Directory user name, but that would probably be a stretch), and instead
> > of 69.147.114.210 I would like to see yahoo.com.
>
> > Is there a way to do this?
>
> > Thanks.
>
> Converting IP to domain name in syslog entries is typically a function of the
> syslog server, not the device generating the entries. It is also typically
> turned off to avoid the performance hit and the extra traffic generated by
> the reverse DNS lookups.
>
> Have fun!
> --
> Vincent C Jones, Consultant           Expert advice and a helping hand
> Networking Unlimited, Inc.            for those who want to manage and
> Tenafly, NJ  Phone: 201 568-7810      control their networking destiny
> http://www.networkingunlimited.com


Thanks for the reply.  Makes sense.  I think I will see if I can turn
it on, then see how big of a hit I take.  If it's too much, then I'll
just have to turn it off.

Thanks.

KDawg44
3/29/2007 6:52:02 PM
On Mar 29, 1:46 pm, Vincent C Jones <v.jo...@networkingunlimited.com>
wrote:
> KDawg44 wrote:
> > On Mar 27, 12:00 pm, rober...@hushmail.com (Walter Roberson) wrote:
> >> In article <1175011651.804430.20...@y66g2000hsf.googlegroups.com>,
>
> >> KDawg44 <KDaw...@gmail.com> wrote:
> >> >I have my Cisco ASA logging to a syslog server.  Is there a way for
> >> >the ASA to resolve the websites that the users are visiting
> >> >(actual DNS names instead of IPs)?
>
> >> A particularly bad website might have the same IP address as
> >> an excellent website. You can't count on IP address to tell you
> >> about websites.
>
> >> I don't directly answer "No" because I'm not familiar enough
> >> with the ASA and what kinds of things you might be able to get
> >> out of its inspection engine.
>
> >> >Also, is there a way for it to
> >> >track the user who is accessing it instead of the workstation and IP?
>
> >> If the user has to authenticate to the firewall before being permitted
> >> through, then the username will be placed in the relevant log entries.
> >> (Or at least that's how it was documented in PIX 6) But if you are not
> >> using authentication of internal users, it wouldn't know the name to log.
>
> >> >I do not want to use a proxy if the ASA can do this, and I do not want
> >> >to use ISA.  I might try Squid on a Linux box if the ASA cannot.
>
> >> Squid can be pretty useful.
>
> > For instance, a syslog message from my ASA:
>
> > asa.domain.com         notice  2007-03-29     13:41:44        Mar 29 2007 13:15:47
> > ASAName : %ASA-5-304001: IP_OF_HOST_PC  Accessed URL 69.147.114.210:/
>
> > What I would like is for it to state, instead of IP_OF_HOST_PC, the
> > actual PC name from our DNS records (actually I would love the Active
> > Directory user name, but that would probably be a stretch), and instead
> > of 69.147.114.210 I would like to see yahoo.com.
>
> > Is there a way to do this?
>
> > Thanks.
>
> Converting IP to domain name in syslog entries is typically a function of the
> syslog server, not the device generating the entries. It is also typically
> turned off to avoid the performance hit and the extra traffic generated by
> the reverse DNS lookups.
>
> Have fun!
> --
> Vincent C Jones, Consultant           Expert advice and a helping hand
> Networking Unlimited, Inc.            for those who want to manage and
> Tenafly, NJ  Phone: 201 568-7810      control their networking destiny
> http://www.networkingunlimited.com

Do you know how to do that in syslog-ng?  I have

        dns_cache(yes);
        use_fqdn(yes);
        keep_hostname(yes);
        long_hostnames(on);
        use_dns(yes);

in the config, and this looks up DNS for the host sending the message
but doesn't do it for the addresses within the syslog message itself.

KDawg44
3/29/2007 6:54:19 PM
In article <1175190371.239123.287640@o5g2000hsb.googlegroups.com>,
KDawg44 <KDawg44@gmail.com> wrote:

>For instance, a syslog message from my ASA:

>asa.domain.com	 notice  2007-03-29	13:41:44	Mar 29 2007 13:15:47
>ASAName : %ASA-5-304001: IP_OF_HOST_PC  Accessed URL 69.147.114.210:/

>What I would like is for it to state, instead of IP_OF_HOST_PC, the
>actual PC name from our DNS records (actually I would love the Active
>Directory user name, but that would probably be a stretch), and instead
>of 69.147.114.210 I would like to see yahoo.com.

>Is there a way to do this?

There is no way to get the PIX to reverse DNS the IP_OF_HOST_PC or
69.147.114.210 in that syslog message. Your syslog server is also not
going to reverse DNS them, because it is going to treat the entire
part from "Mar" onward as pure text that it should log literally.

I do not recall now whether IP_OF_HOST_PC is one of the fields that
the PIX would automatically pull back through 'name' translation.
You could give it a try. But I'm relatively sure that it won't
put the URL IP back through 'name' translation.

You could configure any Unix syslog server (and probably syslog-ng) to
pass the messages with that priority and that facility through a
filter, such as a little shell script or perl program that read through
the message text, found everything that looked like a dotted quad, and
ran a reverse DNS on it. Or you could just write a little program that
was able to read through the log file in the original format and do
that kind of reverse DNS.

*Any* post-processing at the syslog server (from the instant of
receiving the message onward) is not going to be able to *reliably*
turn the URL hostname into the domain name that the user asked for.
When I used to do this kind of work, I stumbled upon a stats page one
day that analyzed number of websites per IP; there were some places
with single IP addresses with over thirteen *thousand* different
hostnames associated.

When I used to do log security analysis, I did indeed find people going
out to IPs that housed both porn and scientific instrument sales sites
(i.e., perfectly clean material needed for our work) on exactly the
same IP.

That's why I say you can't do it in PIX 6.

In PIX 7, you might be able to provoke the PIX to spit out an
entirely different message for an entirely different reason that
happened to have the URL hostnames you were looking for. Root
around for something akin to "debug inspect http"; I don't promise
you'll find anything, but that's where I would start looking.
roberson
3/30/2007 5:19:45 AM
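One shape the syslog-server filter described above could take, as an added example that is not from the thread: a Python post-processor that finds the dotted quads in a %ASA-5-304001 line, tags each with its PTR name through a small cache (Vincent's performance concern), and keeps the original IP because, as noted above, the PTR names a server that may host thousands of sites, not the site the user asked for. The sample lines, the PTR table and all function names are constructed for the example; the real lookup is `socket.gethostbyaddr`.

```python
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Shape of the %ASA-5-304001 message quoted in the thread:
#   "... %ASA-5-304001: <src-host>  Accessed URL <dst-ip>:<path>"
ACCESSED_URL = re.compile(r"%ASA-5-304001: \S+\s+Accessed URL \S+:\S*")
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

Resolver = Callable[[str], Optional[str]]


def ptr_lookup(ip: str) -> Optional[str]:
    """Live reverse DNS through the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def cached(lookup: Resolver) -> Resolver:
    """Memoise PTR answers so each distinct IP costs one query per run."""
    cache: Dict[str, Optional[str]] = {}

    def resolve(ip: str) -> Optional[str]:
        if ip not in cache:
            cache[ip] = lookup(ip)
        return cache[ip]

    return resolve


def annotate(line: str, resolve: Resolver) -> str:
    """Tag each dotted quad inside a 304001 message with its PTR name, keeping the IP.

    Only the message body is touched: the syslog header and other message ids pass
    through unchanged. The IP stays because the PTR names the server, not the
    virtual host the user requested (the many-sites-per-IP caveat above)."""
    m = ACCESSED_URL.search(line)
    if not m:
        return line

    def tag(match):
        ip = match.group(0)
        return f"{ip}[{resolve(ip) or 'no-ptr'}]"

    return line[: m.start()] + DOTTED_QUAD.sub(tag, m.group(0)) + line[m.end():]


def annotate_all(lines: Iterable[str], lookup: Resolver = ptr_lookup) -> List[str]:
    """Run a whole log (or a syslog-ng program() pipe) through one shared cache."""
    resolve = cached(lookup)
    return [annotate(line, resolve) for line in lines]


# Constructed sample input in the thread's message format (RFC 5737 test addresses;
# the third line uses a made-up message id to show non-304001 lines are untouched).
SAMPLE_LINES = [
    "Mar 29 2007 13:15:47 ASAName : %ASA-5-304001: 192.0.2.10  Accessed URL 69.147.114.210:/",
    "Mar 29 2007 13:15:48 ASAName : %ASA-5-304001: 192.0.2.11  Accessed URL 69.147.114.210:/mail",
    "Mar 29 2007 13:15:49 ASAName : %ASA-6-999999: unrelated message mentioning 192.0.2.10",
]
# Constructed PTR table standing in for live DNS so the example runs offline.
FAKE_PTR = {"192.0.2.10": "pc-finance-07.corp.example", "69.147.114.210": "shared-vip.example.net"}

if __name__ == "__main__":
    for out in annotate_all(SAMPLE_LINES, FAKE_PTR.get):
        print(out)
```

Replace `FAKE_PTR.get` with the default `ptr_lookup` to use real reverse DNS; a PTR of `shared-vip.example.net` rather than `yahoo.com` is exactly the gap the thread warns about.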
If you need the users to be included in the logs rather than their IP
addresses, the only way could be to have outbound auth for HTTP
traffic so that the PIX/ASA captures the users who try to surf.

On Mar 30, 10:19 am, rober...@hushmail.com (Walter Roberson) wrote:
> In article <1175190371.239123.287...@o5g2000hsb.googlegroups.com>,
>
> KDawg44 <KDaw...@gmail.com> wrote:
> >For instance, a syslog message from my ASA:
> >asa.domain.com       notice  2007-03-29     13:41:44        Mar 29 2007 13:15:47
> >ASAName : %ASA-5-304001: IP_OF_HOST_PC  Accessed URL 69.147.114.210:/
> >What I would like is for it to state, instead of IP_OF_HOST_PC, the
> >actual PC name from our DNS records (actually I would love the Active
> >Directory user name, but that would probably be a stretch), and instead
> >of 69.147.114.210 I would like to see yahoo.com.
> >Is there a way to do this?
>
> There is no way to get the PIX to reverse DNS the IP_OF_HOST_PC or
> 69.147.114.210 in that syslog message. Your syslog server is also not
> going to reverse DNS them, because it is going to treat the entire
> part from "Mar" onward as pure text that it should log literally.
>
> I do not recall now whether IP_OF_HOST_PC is one of the fields that
> the PIX would automatically pull back through 'name' translation.
> You could give it a try. But I'm relatively sure that it won't
> put the URL IP back through 'name' translation.
>
> You could configure any Unix syslog server (and probably syslog-ng) to
> pass the messages with that priority and that facility through a
> filter, such as a little shell script or perl program that read through
> the message text, found everything that looked like a dotted quad, and
> ran a reverse DNS on it. Or you could just write a little program that
> was able to read through the log file in the original format and do
> that kind of reverse DNS.
>
> *Any* post-processing at the syslog server (from the instant of
> receiving the message onward) is not going to be able to *reliably*
> turn the URL hostname into the domain name that the user asked for.
> When I used to do this kind of work, I stumbled upon a stats page one
> day that analyzed number of websites per IP; there were some places
> with single IP addresses with over thirteen *thousand* different
> hostnames associated.
>
> When I used to do log security analysis, I did indeed find people going
> out to IPs that housed both porn and scientific instrument sales sites
> (i.e., perfectly clean material needed for our work) on exactly the
> same IP.
>
> That's why I say you can't do it in PIX 6.
>
> In PIX 7, you might be able to provoke the PIX to spit out an
> entirely different message for an entirely different reason that
> happened to have the URL hostnames you were looking for. Root
> around for something akin to "debug inspect http"; I don't promise
> you'll find anything, but that's where I would start looking.
ciscosec
3/30/2007 12:47:30 PM
On Mar 30, 7:47 am, "ciscosec" <reachke...@gmail.com> wrote:
> If you need the users to be included in the logs rather than their IP
> addresses, the only way could be to have outbound auth for HTTP
> traffic so that the PIX/ASA captures the users who try to surf.
>
> On Mar 30, 10:19 am, rober...@hushmail.com (Walter Roberson) wrote:
>
> > In article <1175190371.239123.287...@o5g2000hsb.googlegroups.com>,
>
> > KDawg44 <KDaw...@gmail.com> wrote:
> > >For instance, a syslog message from my ASA:
> > >asa.domain.com       notice  2007-03-29     13:41:44        Mar 29 2007 13:15:47
> > >ASAName : %ASA-5-304001: IP_OF_HOST_PC  Accessed URL 69.147.114.210:/
> > >What I would like is for it to state, instead of IP_OF_HOST_PC, the
> > >actual PC name from our DNS records (actually I would love the Active
> > >Directory user name, but that would probably be a stretch), and instead
> > >of 69.147.114.210 I would like to see yahoo.com.
> > >Is there a way to do this?
>
> > There is no way to get the PIX to reverse DNS the IP_OF_HOST_PC or
> > 69.147.114.210 in that syslog message. Your syslog server is also not
> > going to reverse DNS them, because it is going to treat the entire
> > part from "Mar" onward as pure text that it should log literally.
>
> > I do not recall now whether IP_OF_HOST_PC is one of the fields that
> > the PIX would automatically pull back through 'name' translation.
> > You could give it a try. But I'm relatively sure that it won't
> > put the URL IP back through 'name' translation.
>
> > You could configure any Unix syslog server (and probably syslog-ng) to
> > pass the messages with that priority and that facility through a
> > filter, such as a little shell script or perl program that read through
> > the message text, found everything that looked like a dotted quad, and
> > ran a reverse DNS on it. Or you could just write a little program that
> > was able to read through the log file in the original format and do
> > that kind of reverse DNS.
>
> > *Any* post-processing at the syslog server (from the instant of
> > receiving the message onward) is not going to be able to *reliably*
> > turn the URL hostname into the domain name that the user asked for.
> > When I used to do this kind of work, I stumbled upon a stats page one
> > day that analyzed number of websites per IP; there were some places
> > with single IP addresses with over thirteen *thousand* different
> > hostnames associated.
>
> > When I used to do log security analysis, I did indeed find people going
> > out to IPs that housed both porn and scientific instrument sales sites
> > (i.e., perfectly clean material needed for our work) on exactly the
> > same IP.
>
> > That's why I say you can't do it in PIX 6.
>
> > In PIX 7, you might be able to provoke the PIX to spit out an
> > entirely different message for an entirely different reason that
> > happened to have the URL hostnames you were looking for. Root
> > around for something akin to "debug inspect http"; I don't promise
> > you'll find anything, but that's where I would start looking.

Thanks so much for the advice.  I appreciate it greatly.

KDawg44
3/30/2007 2:04:13 PM