
Tuesday, 11 July 2023

Some syslog event IDs related to AnyConnect on cisco ASA

302013 - built inbound connection

302014 - teardown TCP connection


725012 - Device chooses cipher for the SSL session with peer interface

725008 - ssl client propose cipher

725007 - teardown new ssl connection / terminated


725001 - starting SSL handshake

725002 - SSL handshake completed

725003 - request to resume


113005 - AAA user authentication rejected

See:

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html


Also:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776913

716001 - anyconnect when user logs on
716002 - anyconnect when user logs off


Each connection that passes through the ASA generates about 9 syslog messages, so this will be a lot of logs.


Old TAC security podcast

https://community.cisco.com/t5/security-knowledge-base/tac-security-podcast-show-information-and-episode-listing/ta-p/3126414


General syslog tips

Text zips up well, so zip the logs before sending them.

Knowing the time frame of the issue helps, as does knowing any source / destination IPs involved.

Notepad++ / Sublime are good for working with big files.

For really big files you really want a Linux box.

Windows users can run a VM as well, or install Cygwin.

Use grep to look for sev 1 events:

grep "ASA-1-" ASASYSLOG.txt


Look for sev 6 events and pipe to head:

grep "ASA-6" ASAlogs.txt | head -n 3


-v can be used to remove items from the output:

grep "ASA-6" ASAlogs.txt | grep -v "ASA-6-302011" | grep -v "ASA-6-302015" | head -n 3


We can build up our command by adding more -v items:

grep "ASA-6" ASAlogs.txt | grep -v "ASA-6-302011" | grep -v "ASA-6-302015" | grep -v "ASA-6-305011" | head -n 3

Other Linux CLI tools that are very useful:

cut / sed / awk / uniq / sort / bc


To remove all the characters on the line leading up to "Mar 28", use sed to find that text and replace it with nothing:

cat ASAlogs.txt | sed 's/^.*Mar 28/Mar 28/g' | head -n 4


cut can be used to display something specific from each line:

grep "ASA-6-305011" ASAlogs.txt  | cut -f 13 -d ' '


<166>Mar 28 2013 08:22:50: %ASA-6-305011: Built dynamic TCP translation from inside:10.10.103.38/63894 to outside:192.168.124.149/63894

becomes

outside:192.168.124.149/61128



Now let's say you wanted to get rid of the 'outside:' text at the start of each line. Use sed to replace that text with nothing:

grep "ASA-6-305011" ASAlogs.txt  | cut -f 13 -d ' ' | sed 's/outside://g'



When a connection is torn down (teardown event) the message includes a byte count.

You could extract the initiator IP and the byte count from each teardown message (the IP and how many bytes were transferred), then sort on the byte count.

This would give you the top talkers per connection.

Sort by IP addresses:

Use bc to sum up the byte counts per IP, then sort on the totals to see which IP was the top talker overall.

You could also work on the top number of connections, or look for usernames instead of IPs, etc. A DDoS may make a lot of connections but transfer only a small amount of data.

You could also look at denied connections.
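As an added example (not from the original post), here is the top-talker calculation described above done in Python instead of cut/sort/bc: it keys on the 302014 teardown message, takes the first endpoint (the side that initiated the connection) and the byte count, and totals bytes and connection counts per IP. The log lines are constructed to the ASA message format; the addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample log in %ASA-6-302013/302014/305011 format (IPs made up).
SAMPLE_LOG = """\
<166>Mar 28 2013 08:22:50: %ASA-6-302013: Built inbound TCP connection 1001 for outside:192.168.124.149/61128 (192.168.124.149/61128) to inside:10.10.103.38/443 (10.10.103.38/443)
<166>Mar 28 2013 08:23:10: %ASA-6-302014: Teardown TCP connection 1001 for outside:192.168.124.149/61128 to inside:10.10.103.38/443 duration 0:00:20 bytes 5120 TCP FINs
<166>Mar 28 2013 08:23:11: %ASA-6-302014: Teardown TCP connection 1002 for outside:192.168.124.150/40001 to inside:10.10.103.38/443 duration 0:00:05 bytes 300 TCP FINs
<166>Mar 28 2013 08:23:12: %ASA-6-302014: Teardown TCP connection 1003 for outside:192.168.124.149/61129 to inside:10.10.103.40/22 duration 0:01:00 bytes 9000 TCP Reset-O
<166>Mar 28 2013 08:23:13: %ASA-6-305011: Built dynamic TCP translation from inside:10.10.103.38/63894 to outside:192.168.124.149/63894
"""

# "%ASA-<severity>-<message id>:" is the same on every ASA syslog line.
EVENT_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):")
# 302014: Teardown <proto> connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port> duration h:mm:ss bytes <n> [reason]
TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/\d+ to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/\d+ .*?bytes (?P<bytes>\d+)"
)

def event_id(line):
    """Return the six-digit ASA message id of a syslog line, or None."""
    m = EVENT_RE.search(line)
    return m.group("msgid") if m else None

def top_talkers(log_text):
    """Sum bytes and count connections per initiator IP over all teardown events.
    Returns two lists sorted descending: (ip, total_bytes) and (ip, connections)."""
    bytes_by_ip = defaultdict(int)
    conns_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        if event_id(line) != "302014":
            continue
        m = TEARDOWN_RE.search(line)
        if not m:
            continue  # teardown of an unexpected shape; skip rather than miscount
        ip = m.group("src_ip")
        bytes_by_ip[ip] += int(m.group("bytes"))
        conns_by_ip[ip] += 1
    by_bytes = sorted(bytes_by_ip.items(), key=lambda kv: kv[1], reverse=True)
    by_conns = sorted(conns_by_ip.items(), key=lambda kv: kv[1], reverse=True)
    return by_bytes, by_conns

if __name__ == "__main__":
    for ip, total in top_talkers(SAMPLE_LOG)[0]:
        print("%-18s %10d bytes" % (ip, total))
```

Comparing the two lists side by side is the DDoS signal from the notes: an IP near the top of the connection count but near the bottom of the byte count.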



Wednesday, 4 December 2019

setup netflow on cisco 9300 stack

Set up NetFlow

x.x.x.x = your NetFlow collector, e.g. SolarWinds etc.

flow exporter NETFLOW-EXP-TO-ORION
 destination x.x.x.x
 source vlan1
 transport udp 2055


Set up what you want to record

flow record NETFLOW-RECORD-IN
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect interface output
 collect counter bytes long
 collect counter packets long

flow record NETFLOW-RECORD-OUT
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface output
 match flow direction
 collect interface input
 collect counter bytes long
 collect counter packets long

Set up the monitors


flow monitor NETFLOW-MON-OUT
 exporter NETFLOW-EXP-TO-ORION
 cache timeout inactive 10
 cache timeout active 60
 record NETFLOW-RECORD-OUT

flow monitor NETFLOW-MON-IN
 exporter NETFLOW-EXP-TO-ORION
 cache timeout inactive 10
 cache timeout active 60
 record NETFLOW-RECORD-IN

Enable the monitors on the interfaces
Enable them under the interfaces you want to collect NetFlow data from; usually these will be uplinks, links to other sites, etc.

interface GigabitEthernet2/0/36
 ip flow monitor NETFLOW-MON-IN input
 ip flow monitor NETFLOW-MON-OUT output



Don't forget to write your config.
You might need to check firewall rules between the two hosts.
Allow a few minutes for the data to populate in the collector.

Wednesday, 17 February 2016

how to get email alerts from cisco ASA

logging enable
logging timestamp
logging standby
logging buffer-size 10000
logging buffered warnings
logging trap debugging
logging mail critical
logging from-address asa@domain.com
logging recipient-address email_address@domain.com level errors

logging facility 23
logging device-id hostname
logging host inside x.x.x.x

Yes, syslog message# 104001, 104002
There are a few more within the 104xxx range in regards to failover that you might be interested:
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4768649
Hope that helps.

722022 = Anyconnect connect
722023 = Anyconnect disconnect

Friday, 24 May 2013

creating a check for a device with SNMP and Nagios

I'm assuming your monitoring software is based on Nagios.

First stop is to check if a check already exists in the monitoring system.

If not, check http://exchange.nagios.org/. Download and read the script. Understand it and test it.

If you can't find one, you have two options: create one from scratch or use check_snmp.

To use check_snmp you need to know the correct OIDs. Contact the vendor of the device or check the documentation; sometimes they have all of this in one document. Otherwise use snmpwalk:
snmpwalk -v2c -c communityname 192.168.1.10
You'll have to go through all the OIDs and find the value you are interested in monitoring. You can then set up check_snmp with that OID.

 snmpwalk -v2c -c  communityname 192.168.1.10 1.3.6.1.4.1.20632.5.14
SNMPv2-SMI::enterprises.20632.5.14 = STRING: "42.0 degrees C"

That OID "1.3.6.1.4.1.20632.5.14" is for CPU temp.

Let's try it with check_snmp:
./check_snmp -H 10.7.11.219 -C cudaSNMP -o 1.3.6.1.4.1.20632.5.14
SNMP OK - "43.0 degrees C" |

So this check will return OK so long as the temp stays at 43. That's fine for static values, but for changing values it's no good. You can use the -r switch instead.

This means the check will be OK so long as it's under 49 degrees:
./check_snmp -H 10.7.11.219 -C cudaSNMP -o 1.3.6.1.4.1.20632.5.14 -r "4[0123456789]"
SNMP OK - "42.0 degrees C" |

If I changed it to 50 - 59, it would alert:
./check_snmp -H 10.7.11.219 -C cudaSNMP -o 1.3.6.1.4.1.20632.5.14 -r "5[0123456789]"
SNMP CRITICAL - *"42.0 degrees C"* |

If you want to write a check from scratch it's a good idea to look at some checks already on http://exchange.nagios.org/. You'll need to get all the OIDs you need. You'll also have to figure out what each value means. This can be a lot of work, forcing certain situations (unplugging cables etc.) and checking the values returned. This is why most people just use check_snmp with a simple OK / not OK check.
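As an added example, not code from this post or from the Nagios project, here is the "write a check from scratch" option for the CPU temperature OID above: a small Python plugin that parses the "42.0 degrees C" string numerically and compares it against warning/critical thresholds, returning the standard Nagios exit codes with perfdata. Comparing the number rather than regex-matching the string means a reading like 142.0 cannot pass as a 40-something. The snmpget call, the script name check_cpu_temp.py and the threshold values are assumptions.

```python
import re
import subprocess
import sys

# Standard Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Matches the number in strings such as "42.0 degrees C".
TEMP_RE = re.compile(r"(-?\d+(?:\.\d+)?)\s*degrees")

def parse_temperature(raw):
    """Return the numeric reading from the agent's string, or None if unexpected."""
    m = TEMP_RE.search(raw)
    return float(m.group(1)) if m else None

def evaluate(raw, warn, crit):
    """Return (exit_code, plugin_output) for one reading.
    The comparison is numeric, so '142.0 degrees C' is CRITICAL, not OK."""
    temp = parse_temperature(raw)
    if temp is None:
        return UNKNOWN, "TEMP UNKNOWN - unparseable value %r" % raw
    perfdata = "temp=%.1f;%s;%s" % (temp, warn, crit)  # label=value;warn;crit
    if temp >= crit:
        return CRITICAL, "TEMP CRITICAL - %.1f C | %s" % (temp, perfdata)
    if temp >= warn:
        return WARNING, "TEMP WARNING - %.1f C | %s" % (temp, perfdata)
    return OK, "TEMP OK - %.1f C | %s" % (temp, perfdata)

def snmp_get(host, community, oid):
    """Fetch one OID with net-snmp's snmpget; -Ovq prints only the bare value.
    Returns None on any SNMP error so the caller reports UNKNOWN, not OK."""
    try:
        out = subprocess.run(["snmpget", "-v2c", "-c", community, "-Ovq", host, oid],
                             capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip().strip('"') if out.returncode == 0 else None

if __name__ == "__main__":
    # usage: check_cpu_temp.py HOST COMMUNITY OID WARN CRIT  (assumed script name)
    if len(sys.argv) != 6:
        print("TEMP UNKNOWN - usage: HOST COMMUNITY OID WARN CRIT")
        sys.exit(UNKNOWN)
    host, community, oid, warn, crit = sys.argv[1:6]
    raw = snmp_get(host, community, oid)
    code, msg = evaluate(raw if raw is not None else "", float(warn), float(crit))
    print(msg)
    sys.exit(code)
```

In Opsview or Nagios the arguments would be "$HOSTADDRESS$ $SNMP_COMMUNITY$ 1.3.6.1.4.1.20632.5.14 45 50", and the perfdata after the pipe is what gets graphed.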


Wednesday, 15 May 2013

installing a new check into opsview

First check the opsview interface to see if the check is already installed.

If not, check http://exchange.nagios.org/ or do a Google search.

Find a script that looks like it does the job and has good ratings. Read the details and make sure there are no bugs affecting your software version / setup. If you can't find a script to do the job you will have to write one from scratch or use the default check_snmp script.

Open the script and get the OIDs that it uses. Manually check them with snmpwalk; let's say my OID is "1.3.6.1.4.1.9.9.500.1.2.1.1.6":

snmpwalk -c public -v2c 192.168.0.1 1.3.6.1.4.1.9.9.500.1.2.1.1.6

Read the script to see what the returned value means. If the script hasn't documented it, you may have to get the vendor's documentation or contact their support.

After testing with snmpwalk you can copy the script to the slave. You may have to "su - nagios", chown the script to nagios, chmod the script 755 and edit the #!/usr/bin/perl line at the top of the script to the relevant path on your system.

Test the script by running it manually:
./check_snmp_custom_check.pl -H 192.168.0.1 -C public

If you are happy with the results you need to import the script into the master.

Copy the script to /usr/local/nagios/libexec
su / chown / chmod / edit #!
Go into the opsview web interface
Configuration -> Service checks
Click the Actions button -> create new service check

Fill in
Name
Description
Service group
Check period 24x7
You should be able to select the plugin check_snmp_custom_check.pl (if it's not there, try a reload)
Fill in the arguments "-H $HOSTADDRESS$ -C $SNMP_COMMUNITY$" (view another check for help)

Once complete, reload Opsview. Now try to add the check to a host (you may need another reload for it to appear).

Now the check should exist to be assigned to other hosts in the future.



Monday, 21 May 2012

How to run a manual check from nagios slave

You may need to su to the nagios user to run some checks:
sudo su - nagios

/usr/local/nagios/libexec/check_http -H servername.domain.ie -S -w 5 -c 10
/usr/local/nagios/libexec/check_http -I 192.168.1.50 -S -w 5 -c 10
/usr/local/nagios/libexec/check_http -H 192.168.1.50 -S -w 5 -c 10

More info here: http://nagiosplugins.org/man/check_http