Grep Commands for Cisco ASA Syslog Messages

In a basic environment with a Cisco ASA firewall I am logging everything to a syslog-ng server. As there aren’t any reporting tools installed, I am using grep to filter the huge amount of syslog messages in order to get the information I want to know. In this blog post I list a few greps for getting the interesting data.

In my syslog server, every firewall logs into its own folder, which is subdivided into folders for every year and month (see here). Inside this month folder, a new file is created for every day. That is, when parsing through all days of a month, the “cat” command looks like “cat 2013/01/*”, while it looks like “cat 2012/*/*” when parsing through the whole year.

Besides “grep” for filtering the lines that are shown, I am also using “grep -v” to exclude certain lines.

IPsec VPNs (RA and S2S)

The basic syslog message for VPNs is “713120: IKE Phase 2 has completed successfully.” That is, the following grep shows a list of all VPN client users that were logged in at a certain time. It also includes the names of the VPN groups:

Similarly, a specific username can be requested:

Example output:

Or, users based/filtered on a VPN group (connection profile), with a new line for every login:

Or, a list of all users that were logged in, but only the list of VPN user names (without each login time). This is done by sorting on the position of the name and then keeping only unique entries at the position of the name:


For site-to-site VPNs, all events without the “Username” are relevant (grep -v):


DHCPv4 Server IPv4 Address Granted

To show the MAC-IPv4 address bindings:

Sample output, which also shows the interface:


Sessions initiated from an IP Address

The relevant ASA events are 302013 “Built {inbound|outbound} TCP connection”, 302015 “Built {inbound|outbound} UDP connection” and 302020 “Built {inbound|outbound} ICMP connection”. All three are matched at once with “grep -E” and a regular expression:

Of course, this works similarly for IPv6 addresses:

Configuration Commands

All configuration commands share at least the keyword “executed”:

Sample output:


Further Reading

2 thoughts on “Grep Commands for Cisco ASA Syslog Messages”

  1. Do you have any idea how to use grep for a source IP, destination IP and destination port?

    1. Yes, you can simply use “grep” a few times. The destination IP and port are noted with a slash, IP/port, e.g.:
      192.168.1.110/80

      That is, if you want to search for sessions from source IP 10.49.16.78 to destination IP 134.170.71.87 and destination port 443, the command would look like this:
      cat *.log | grep -E "ASA-6-302013|ASA-6-302015|ASA-6-302020" | grep 10.49.16.78 | grep 134.170.71.87/443
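The session filtering from the “Sessions initiated from an IP Address” section and the source/destination/port question answered above, worked through as an added example that is not part of the original post. The log lines are constructed (documentation addresses plus the IPs from the reply) and the helper names are my own; the only refinement over the plain greps is that the address is anchored to its following “/port”, so 10.49.16.7 does not also match 10.49.16.78.

```shell
#!/bin/sh
# Constructed sample of ASA syslog lines (not real traffic), written to a temp file.
LOGFILE="$(mktemp)"
trap 'rm -f "$LOGFILE"' EXIT
cat >"$LOGFILE" <<'EOF'
Jan 15 10:01:02 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:134.170.71.87/443 (134.170.71.87/443) to inside:10.49.16.78/51234 (203.0.113.5/51234)
Jan 15 10:01:03 fw01 %ASA-6-302015: Built outbound UDP connection 12346 for outside:198.51.100.20/53 (198.51.100.20/53) to inside:10.49.16.78/40000 (203.0.113.5/40000)
Jan 15 10:01:04 fw01 %ASA-6-302020: Built inbound ICMP connection for faddr 10.49.16.78/0 gaddr 10.49.16.1/0 laddr 10.49.16.1
Jan 15 10:01:05 fw01 %ASA-6-302014: Teardown TCP connection 12345 for outside:134.170.71.87/443 to inside:10.49.16.78/51234 duration 0:00:03 bytes 1234 TCP FINs
Jan 15 10:01:06 fw01 %ASA-6-302013: Built outbound TCP connection 12347 for outside:134.170.71.87/443 (134.170.71.87/443) to inside:10.49.16.99/51235 (203.0.113.5/51235)
Jan 15 10:01:07 fw01 %ASA-6-302013: Built outbound TCP connection 12348 for outside:134.170.71.87/443 (134.170.71.87/443) to inside:10.49.16.7/51236 (203.0.113.5/51236)
EOF

# Only the "Built" events the post lists: 302013 (TCP), 302015 (UDP), 302020 (ICMP).
# Teardown events (302014) are deliberately left out.
built_events() {
  grep -E 'ASA-6-30201[35]|ASA-6-302020' "$LOGFILE"
}

# Turn an IPv4 address into an anchored regex: dots are escaped and the address
# must be followed by "/port", so a plain prefix match cannot hit a longer address.
ip_pattern() {
  printf '(^|[^0-9.])%s/' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# Number of Built events that mention address $1 on either side of the connection.
count_ip() {
  built_events | grep -E "$(ip_pattern "$1")" | awk 'END { print NR }'
}

# Number of Built events involving host $1 and destination $2 on port $3
# (the question from the comments: destination IP and port are written IP/port).
count_flow() {
  built_events | grep -E "$(ip_pattern "$1")" \
    | grep -E "$(ip_pattern "$2")$3([^0-9]|$)" | awk 'END { print NR }'
}

# Unique inside hosts that built connections to destination $1 on port $2,
# reusing the post's sort/uniq idea on the extracted address field.
unique_sources_to() {
  built_events | grep -E "$(ip_pattern "$1")$2([^0-9]|$)" \
    | sed -n 's/.* to inside:\([0-9.]*\)\/.*/\1/p' | sort -u
}

echo "Built events involving 10.49.16.78: $(count_ip 10.49.16.78)"
echo "10.49.16.78 to 134.170.71.87/443:   $(count_flow 10.49.16.78 134.170.71.87 443)"
echo "unique sources to 134.170.71.87/443:"; unique_sources_to 134.170.71.87 443
```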
