Hey NANOG!
My employer is deploying CIsco ASA firewalls to our clients
(specifically the 5505, 5510 for our smaller clients). We are having
problems finding a decent log viewer. Several products seem to mean
well, but they all fall short for various reasons. We primarily use
Check Point firewalls, and for those of you with that experience, you
know the SmartViewer Tracker is quite powerful. Is there anything
close to the flexibility and filtering capabilities of Check Point's
SmartView Tracker?
For now, I've been dumping the logs via syslog with TLS using
syslog-ng to our server, but that is mediocre at best with varying
degrees of reliability. The syslog-ng server then sends that to a
perl script to put that into a database. That allows us to run our
monthly reports, but that doesn't help us with live or historical log
parsing and filtering (see above, re: SmartView Tracker).
It sounds like you've already got a pretty good aggregation setup going,
here. I've had great luck with UDP Syslog from devices to a site-local log
aggregator that then ships off log streams to a central place over TCP (for
the WAN paths) and/or TLS/SSL.
It sounds like you may have something similar going here, though I'd be
curious to know where you've had this fall down reliability-wise.
We considered that, but didn't want to "burden" small customers with a
classic scenario of "ok well you have to have our other box in your
room" and have to deal with procurement, maintenance, upkeep,
monitoring, blah blah. Recent ASA code (8.3-ish, 8.4? i forget) had
syslog-tls built in and finally able to ship logs out across the
lowest security zone, which was quite a nice addition.
The break down is periodic log-reporting failures. After some
indeterminate time, the device seems to just "give up" and just not
send logs. Plus, it doesn't reconnect on a failure. I added a Nagios
check to monitor the state of things, so now I get notified in this
situation (or at least within a few minutes). When this does occur, I
ssh to the ASA and have to run the 'no logging enable' and then
'logging enable' to "jump start" it again. Sometime that's not even
enough and I have to remove the logging command for external syslog
and re-add it again.
It's very weird and quite spurious.
If a customer called to help us troubleshoot connection issues over
the past few days, there's no way to review the logs and figure out
what happened back then. Every CCIE we've talked to, and Cisco
themselves, seem to not care about firewall traffic logs or the
ability to parse and review them. We know about Cisco Security
Center, but that seems incapable of handling logs, etc. CS-MARS
would've been great, but that's overpriced and now discontinued
anyway. We'd hate to spend the time writing our own app if there's a
viable product already available (we're willing to pay a reasonable
price for one, too).
I don't know of any great commercial products, as I've only built homegrown
tools for various organizations. I'm curious though, what kinds of features
are you looking for? Searching log data? Alerting on events based on log
data?
Cheers,
jof
I'd like to fully search on an 'column', a la 'ladder logic' style.,
as well as have the data presented in an orderly well-defined fashion.
I know that sounded like the beginnings of "use XML!" but oh dear,
not XML, please. 
Poor syslog is just too flat and in a state of
general disarray. The bizarre arrangement of connection setup, NAT,
non-NAT, traffic destined to the device, originating from the device,
traffic routing across the to another zone, etc. ... it's very
nonsensical, verbose, and frankly maddening.
Best I can tell, the whole thing doesn't make any sense (and was a
bear to tease apart with regex).
I've gotten a few suggestions to check out Splunk, so I'll toss that
into the review pile and see how that works out. Thanks to the folks
who suggested that!