
I'm working on a project to parse various logs on a server into CSV. Does anyone have a good Perl script or gawk statement that can parse a standard PIX/ASA log into CSV?

Thanks.

deFonza
  • Post a sample PIX/ASA log, and somebody here may well write you the few lines of Perl it would take to convert it to CSV. – Narveson Dec 14 '10 at 21:34
  • %PIX-7-710001: TCP access requested from 192.168.2.10/19067 to outside:192.168.2.14/ssh
    %PIX-7-710005: UDP request discarded from 192.168.1.2/137 to inside:192.168.1.255/netbios-ns
    %PIX-6-315011: SSH session from 192.168.2.10 on interface outside for user "roo " disconnected by SSH server, reason: "TCP connection closed" (0x03)
    %PIX-6-604103: DHCP daemon interface inside: address granted 000c.29e4.ebc3 (12.168.1.3) – deFonza Dec 20 '10 at 15:54
  • %PIX-6-605004: Login denied from 192.168.2.10/13269 to outside:192.168.2.14/ssh for user "root"
    %PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.1.2/2893 dst outside:192.168.2.99/3128
    %PIX-3-201008: The PIX is disallowing new connections.
    %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.2.1/137 dst outside:192.168.2.14/137 – deFonza Dec 20 '10 at 15:56
  • What sort of detail do you want for the lines? You can parse the error code from the start of the string, then everything after it as a payload. Or, you can try to break the string down based on the error code type, which is not as easy because the string format varies depending on the error. – the Tin Man Jan 07 '11 at 21:34

1 Answer


I helped write an in-house parser for PIX/ASA logs which I can't share. We wanted to have source and destination information for all traffic-related messages, for instance. We ended up making a module that parsed each message code individually. Another hurdle is that some information, like protocol names and name declarations, shows up in the logs as an alias rather than as a number or IP. The CPAN module PIX::Walker can help resolve those issues.

If all you want is severity, code and message you can use:

#!/usr/bin/perl

use strict;
use warnings;

# Usage: asa2csv.pl logfile > out.csv
my $file = $ARGV[0] or die "Usage: $0 logfile\n";
open(my $in, '<', $file) or die "Cannot open logfile $file: $!\n";

print "product,severity,code,message\n";
while (my $line = <$in>) {
    chomp $line;
    # syslog normally puts a timestamp and host in front of %PIX/%ASA,
    # so the header is searched for rather than anchored at the start
    if ($line =~ /%(ASA|PIX)-(\d)-(\d{6}): (.*)/) {
        my ($product, $sev, $code, $msg) = ($1, $2, $3, $4);
        $msg =~ s/"/""/g;    # CSV-escape quotes embedded in the message (user "root", reason "...")
        print "\"$product\",\"$sev\",\"$code\",\"$msg\"\n";
    }
}
close($in);

But if that's all you want I'd recommend using syslog-ng and mysql with a config like:

options {
        long_hostnames(off);
        sync(100);
        stats(43200);
        use_fqdn(no);
        keep_hostname(yes);
        owner (nglog);
};

source udpsource { udp(ip(0.0.0.0) port(514));};

parser asa {
 # "${MSGHDR}${MSG}" gives the whole line even when syslog-ng has taken
 # "%PIX-6-605004" as the program name; "-:" splits off product, severity
 # and code, and greedy keeps the rest of the message in the last column.
 csv-parser(columns("ASA_PRODUCT", "ASA_SEV", "ASA_CODE", "ASA_TXT")
 flags(escape-none, greedy, strip-whitespace)
 delimiters("-:")
 template("${MSGHDR}${MSG}")
 );
};

destination d_sql { 
  sql(type(mysql)
  host("logserver") username("syslog-ng") password("password")
  database("logs")
  table("ASAlogs")
  columns("datetime", "host", "severity", "code", "message")
  values("$R_DATE", "$HOST", "$ASA_SEV", "$ASA_CODE", "$ASA_TXT")
  indexes("datetime", "host", "severity", "code"));
};

log { source(udpsource); parser(asa); destination(d_sql); };

This way it's in a database that you can run reports from. You could also make a very simple PHP or Ruby on Rails web front end.
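As an added example (not from the answer above, and not the PIX::Walker module), here is the per-message-code approach the answer describes, written in Python rather than the Perl the question asked for, because Python's csv module takes care of quoting fields such as `reason: "TCP connection closed"` that break naive join-with-commas output. The header (product, severity, code) is parsed for every line; body patterns exist only for the message codes in the sample, and any other code is kept as header plus untouched text. Service aliases are resolved through a small constructed table and then the host's /etc/services. The sample input is constructed from the messages posted in the question's comments, with a made-up syslog timestamp and hostname in front as a real log file would have.

```python
#!/usr/bin/env python3
"""Parse Cisco PIX/ASA syslog messages into CSV.

Added example: header parsing for every message, then a per-code body pattern
(only for the codes in the sample below), with service aliases such as "ssh"
turned back into port numbers. Run with a log file argument, or with no
argument to process the built-in sample.
"""
import csv
import io
import re
import socket
import sys

# Every message starts with %PRODUCT-SEVERITY-CODE: ... Real syslog lines carry a
# timestamp and hostname in front of it, so search() is used rather than match().
HEADER_RE = re.compile(
    r'%(?P<product>PIX|ASA)-(?P<severity>\d)-(?P<code>\d{6}): (?P<text>.*)$')


def addr(prefix):
    """Regex for one PIX endpoint: optional "iface:", an IPv4 address, optional "/port"."""
    return (r'(?:(?P<%s_if>[\w-]+):)?' % prefix
            + r'(?P<%s_ip>\d{1,3}(?:\.\d{1,3}){3})' % prefix
            + r'(?:/(?P<%s_port>[\w-]+))?' % prefix)


# Body layouts keyed by message code, derived from the sample lines. Any other
# code gets header-only parsing with the body kept whole in the text column.
SRC_DST = (addr('src'), addr('dst'))
BODY_RE = {
    '710001': re.compile(r'(?P<proto>TCP|UDP) access requested from %s to %s$' % SRC_DST),
    '710005': re.compile(r'(?P<proto>TCP|UDP) request discarded from %s to %s$' % SRC_DST),
    '605004': re.compile(r'Login denied from %s to %s for user "(?P<user>[^"]*)"' % SRC_DST),
    '305006': re.compile((r'portmap translation creation failed for (?P<proto>\w+) '
                          r'src %s dst %s$') % SRC_DST),
    '106011': re.compile(r'Deny inbound \(No xlate\) (?P<proto>\w+) src %s dst %s$' % SRC_DST),
}

# PIX prints well-known ports by name. Constructed lookup table first, then the
# host's /etc/services, otherwise the alias is left as-is.
SERVICE_PORTS = {'ssh': 22, 'netbios-ns': 137, 'domain': 53, 'http': 80, 'https': 443}

FIELDS = ['product', 'severity', 'code', 'proto', 'src_if', 'src_ip', 'src_port',
          'dst_if', 'dst_ip', 'dst_port', 'user', 'text']


def resolve_port(value):
    """Map a service alias to a port number string; numeric or empty values pass through."""
    if not value or value.isdigit():
        return value
    if value in SERVICE_PORTS:
        return str(SERVICE_PORTS[value])
    try:
        return str(socket.getservbyname(value))
    except OSError:
        return value


def parse_line(line):
    """Return a dict keyed by FIELDS, or None if the line holds no PIX/ASA message."""
    m = HEADER_RE.search(line.rstrip('\r\n'))
    if not m:
        return None
    row = dict.fromkeys(FIELDS, '')
    row.update(m.groupdict())
    body = BODY_RE.get(row['code'])
    if body:
        b = body.match(row['text'])
        if b:
            row.update({k: v for k, v in b.groupdict().items() if v is not None})
    row['proto'] = row['proto'].lower()
    for key in ('src_port', 'dst_port'):
        row[key] = resolve_port(row[key])
    return row


def to_csv(lines):
    """CSV text (header row first) for every parseable line; csv handles the quoting."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator='\n')
    writer.writeheader()
    for line in lines:
        row = parse_line(line)
        if row:
            writer.writerow(row)
    return out.getvalue()


# Constructed sample: the messages from the question's comments, with a made-up
# syslog timestamp and hostname in front as they would appear in a log file.
SAMPLE_LINES = [
    'Dec 20 15:54:01 pix %PIX-7-710001: TCP access requested from 192.168.2.10/19067 to outside:192.168.2.14/ssh',
    'Dec 20 15:54:02 pix %PIX-7-710005: UDP request discarded from 192.168.1.2/137 to inside:192.168.1.255/netbios-ns',
    'Dec 20 15:54:03 pix %PIX-6-315011: SSH session from 192.168.2.10 on interface outside for user "root" disconnected by SSH server, reason: "TCP connection closed" (0x03)',
    'Dec 20 15:54:04 pix %PIX-6-605004: Login denied from 192.168.2.10/13269 to outside:192.168.2.14/ssh for user "root"',
    'Dec 20 15:54:05 pix %PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.1.2/2893 dst outside:192.168.2.99/3128',
    'Dec 20 15:54:06 pix %PIX-3-201008: The PIX is disallowing new connections.',
    'Dec 20 15:54:07 pix %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.2.1/137 dst outside:192.168.2.14/137',
]

if __name__ == '__main__':
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    sys.stdout.write(to_csv(source))
```

Each new message code you care about is one more entry in BODY_RE; the header regex and the CSV writer stay the same. Lines whose code has no body pattern still come out with product, severity, code and the full text, so nothing is silently dropped, and a line that does not contain a PIX/ASA header at all is skipped.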