6 Replies Latest reply on Mar 26, 2015 3:24 PM by curtisi

    LEM not displaying all syslog messages/events

    tjreeddoc

      All,

       

      If a Cisco ASA Firewall records a Syslog message in its logs, that syslog message is sent to LEM. Correct?  While troubleshooting a network issue on a Cisco ASA, I looked at the ASA's logs.  There were a LOT of the following entry:

      …%ASA-4-410001: Dropped UDP DNS reply from …

      A change was made to correct this issue.  However, using nDepth to search LEM, I cannot find any events for that message.  The strange thing is that I do see a TON of other events from the same ASA.

      I would like to use LEM to help monitor this event by setting up a rule.  However, I cannot find the event.

      Any assistance would be greatly appreciated.

      T.J.

        • Re: LEM not displaying all syslog messages/events
          HolyGuacamole

          Not every Syslog message results in a normalized LEM event. The connectors are responsible for normalization. Correlation is performed on these normalized events. Can you copy-paste the full line of the message (you can change IPs but not the format)?

            • Re: LEM not displaying all syslog messages/events
              tjreeddoc

              HolyGuacamole,

              Thanks for the reply.

              Following are a few of the MANY Syslog messages received on the ASAs that I expected to find as LEM Events.  (Yes, the IP addresses and ACL names have been changed.)  However, searching LEM, I was not able to find any Events.  I thought that was strange since two separate ASAs had the same syslog messages in their syslogs.  Hence, I posted to Thwack.

              Feb 26 2015 11:36:00: %ASA-4-410001: Dropped UDP DNS reply from outside:1.1.1.1/53 to dmz:dnsfwd2/59149; packet length 650 bytes exceeds configured limit of 512 bytes

              Feb 26 2015 11:36:04: %ASA-4-410001: Dropped UDP DNS reply from outside:2.2.2./53 to dmz:dnsfwd2/59149; packet length 650 bytes exceeds configured limit of 512 bytes

              Feb 26 2015 11:36:12: %ASA-4-410001: Dropped UDP DNS reply from outside:1.1.1.1/53 to dmz:dnsfwd2/59415; packet length 530 bytes exceeds configured limit of 512 bytes

              Feb 26 2015 11:36:12: %ASA-4-410001: Dropped UDP DNS reply from outside:2.2.2.2/53 to dmz:dnsfwd2/59415; packet length 530 bytes exceeds configured limit of 512 bytes

              Please note: updating the DNS inspection policy on the ASAs corrected the issue, so duplicating it would cause a company-wide DNS issue.  However, I need to get a better handle on which Syslog messages will generate a LEM Event and which will not.

              Thank you,

              T.J.

                • Re: LEM not displaying all syslog messages/events
                  HolyGuacamole

                  Hi T.J.,

                  What you are asking for is documentation for the LEM ASA connector. Probably best to open a support ticket to see if there is something they can dig up.  The specific messages you have posted result in InternalNewtoolData events for me (i.e., the messages don't match the pattern it is looking for). As part of the same support ticket, you can provide the log sample and request that the connector be updated.

                  • Re: LEM not displaying all syslog messages/events
                    curtisi

                    So, if you download the latest connectors and extract the package, you'll find a LOT of XML files.

                    Somewhere in there is CiscoFirewalls.xml, and this is the file that gets copied to the LEM to be the IOS Connector for ASAs.

                    (For reference, the revision I looked at for this post is "$Revision: #214 $" and was posted September 2, 2014.)

                    In that file, I did a CTRL + F (I use Notepad++) and searched for 410001, and found this:

                    <FastPattern _type="null" alertName="" description="PIX, NullAlert: 302022, 302023, 410001, 734003" matcher=".*" pattern="%(?:PIX|ASA|FWSM|ACE)-\d-(?:30202[23]|410001|734003):" version="2" version_type="int">

                      </FastPattern>

                    So that's an alert that the connector recognizes, and then drops.  Compare to an event that the LEM displays:

                    <FastPattern _type="null" alertName="UDPTrafficAudit" description="PIX, UDPTrafficAudit: -0-30201[56], -0-30202[45], -0-302031, -6-302015" matcher="(\d+) ([-\w.]+)[^%]*%(\w+-\d-(\d+)): +(.*)" pattern="%(?:PIX|ASA|FWSM|ACE)-\S+-3020(?:1[56]|2[45]|31):" version="1" version_type="int">
                      <FastField _type="null" defaultValue="$5" fieldName="EventInfo" type="1" type_type="int" version="1" version_type="int">
                      <FastFormatter _type="null" condition="(.*connection) .* to (?:[^: ,/]+:)?([^/ ]+)/\d+.*\(([^/]+)\)\s*" description="connection to (user)" format="$7 to &quot;$8&quot; by &quot;$9&quot;" matcherInput="$5" version="1" version_type="int">
                      </FastFormatter>
                      <FastFormatter _type="null" condition="(.*connection) .* to (?:[^: ,/]+:)?([^/ ]+)/\d+.*" description="connection to" format="$7 to &quot;$8&quot;" matcherInput="$5" version="1" version_type="int">
                      ~~~~~~~...truncated for my sanity...~~~~~~~~
                      </FastFormatter>
                      <FastFormatter _type="null" condition=".*connection \S+ for \S+ to ([^: ,/]+):[^/ ]+/\d+.*" description="connection ... for ... to (intf) (teardown)" format="$7" matcherInput="$5" version="1" version_type="int">
                      </FastFormatter>
                      </FastField>
                      </FastPattern>

                    There's a lot more going on!

                    You can follow the same sort of logic/process for any of the connectors.  I doubt that there will ever be time expended to document a guide of every conceivable event a system might generate and what the LEM will and won't show.  Have you seen the Cisco Syslog reference for ASA?  It's 600 pages long!  But you can do your own investigations.
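As an added example (not from the thread or from the SolarWinds connector package), the Python below applies the two FastPattern entries curtisi quoted to one of T.J.'s posted 410001 lines and to two constructed ASA lines, showing which messages the connector recognises and drops, which become a named event with extracted fields, and which match nothing. The XML excerpt is reduced to the alertName/pattern/matcher attributes, and the 302015 and 106015 sample lines are constructed here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the style of CiscoFirewalls.xml: the two FastPattern
# elements quoted in the thread, reduced to alertName/pattern/matcher attributes.
CONNECTOR_XML = r"""<Connector>
  <FastPattern alertName="" description="PIX, NullAlert: 302022, 302023, 410001, 734003"
    matcher=".*" pattern="%(?:PIX|ASA|FWSM|ACE)-\d-(?:30202[23]|410001|734003):"/>
  <FastPattern alertName="UDPTrafficAudit" description="PIX, UDPTrafficAudit"
    matcher="(\d+) ([-\w.]+)[^%]*%(\w+-\d-(\d+)): +(.*)"
    pattern="%(?:PIX|ASA|FWSM|ACE)-\S+-3020(?:1[56]|2[45]|31):"/>
</Connector>"""

# Sample syslog lines: the first is one of the 410001 messages posted above;
# the 302015 and 106015 lines are constructed here (not from the thread).
SAMPLE_LINES = [
    "Feb 26 2015 11:36:00: %ASA-4-410001: Dropped UDP DNS reply from outside:1.1.1.1/53 "
    "to dmz:dnsfwd2/59149; packet length 650 bytes exceeds configured limit of 512 bytes",
    "Feb 26 2015 11:36:05: %ASA-6-302015: Built outbound UDP connection 12345 for "
    "outside:1.1.1.1/53 (1.1.1.1/53) to dmz:dnsfwd2/59149 (10.0.0.5/59149)",
    "Feb 26 2015 11:36:09: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.9/4444 "
    "to 10.0.0.5/80 flags SYN ACK on interface dmz",
]

def load_patterns(xml_text):
    """Return (alertName, pattern, matcher) triples in file order; order matters
    because the first FastPattern whose 'pattern' is found in a line wins."""
    root = ET.fromstring(xml_text)
    return [(fp.get("alertName"), re.compile(fp.get("pattern")), re.compile(fp.get("matcher")))
            for fp in root.iter("FastPattern")]

def classify(line, patterns):
    """Mimic the connector's first stage.  An empty alertName is a NullAlert:
    recognised, then dropped, so no LEM event is ever produced.  A named alert runs
    its 'matcher' to extract the $n groups the FastFormatters reference.
    'unmatched' means no pattern fired (what HolyGuacamole sees as InternalNewtoolData)."""
    for alert_name, pattern_re, matcher_re in patterns:
        if pattern_re.search(line):
            if not alert_name:
                return ("NullAlert", None)
            m = matcher_re.search(line)
            return (alert_name, m.groups() if m else None)
    return ("unmatched", None)

if __name__ == "__main__":
    pats = load_patterns(CONNECTOR_XML)
    for line in SAMPLE_LINES:
        msg_id = line.split("%", 1)[1].split(":")[0]  # e.g. ASA-4-410001
        print(f"{msg_id:<14} -> {classify(line, pats)[0]}")
```

Running it against a full exported connector file instead of the excerpt shows, per message ID, whether a search in nDepth or a rule can ever match it.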