
Cisco ASA Log Collection

To collect Cisco ASA logs, you need to set up an Installed Collector and a Syslog Source.

Collecting Cisco ASA logs

Configure the ASA to send its logs to a syslog server. By default the ASA sends syslog over UDP to port 514, but you can choose the protocol and port.

Log collection requires the following:

Sample log

Tue Aug 15 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside:44.44.4.4/500 to inside:44.44.2.2/500 duration 0:02:02 bytes 1416

Field Extraction Rule

This Field Extraction Rule (FER) is provided as an example of how to reduce overall parse time. Not every parse operation is supported in an FER; for details, see "Creating a Field Extraction Rule".

extract "%[A-Z]{3}-(?<severity>\d)-(?<msg_code>\d{6}):(?<action>.+)$" nodrop 
| extract " duration (?<duration>[\d:]+) bytes (?<bytes>\d+)" nodrop 
| extract "(?<connection_count>\d+ in use, \d+ most used)" nodrop 
| extract "%[A-Z]{3}-\d-\d{6}:.+? for (?<src_interface>\S+):(?<src_host>[\S ]+)\/(?<src_port>\d+) .*?to (?<dest_interface>\S+):(?<dest_host>\S+)\/(?<dest_port>\d+)" nodrop
| extract "(?<action>Built .+?) (?:for |from )" nodrop 
| extract "Built \w+ (?<protocol>\w+) (?:translation|connection) " nodrop 
| extract " from (?<src_interface>\S+):(?<src_host>[\S ]+) to (?<dest_interface>\S+):(?<dest_host>\S+)(?:\s|$)" nodrop 
| extract " from (?<src_interface>\S+):(?<src_host>[\S ]+)/(?<src_port>\d+) to (?<dest_interface>\S+):(?<dest_host>\S+)/(?<dest_port>\d+)" nodrop 
| extract "(?<action>access-list) (?<acl_id>.+?) (?<access_decision>\w+) (?<protocol>\w+) (?<src_interface>\S+)/(?<src_host>[\S ]+)\((?<src_port>\d+)\) -[>]{0,1} (?<dest_interface>\S+)/(?<dest_host>\S+)\((?<dest_port>\d+)\) hit-cnt (?<hit_cnt>\d+) (?<hit_cnt_interval>.+?)(?: \[|$)" nodrop 
| extract "(?<action>access-list) (?<acl_id>.+?) (?<access_decision>\w+) (?<protocol>\w+) (?<src_interface>\S+)/(?<src_host>[\S ]+)\((?<src_port>\d+)\) -[>]{0,1} (?<dest_interface>\S+)/(?<dest_host>\S+)\((?<dest_port>\d+)\) hit-cnt (?<hit_cnt>\d+) \((?<hit_cnt_interval>.+?)\)" nodrop 
| extract "(?<action>Deny .+?) from (?<src_host>[\S ]+) to (?<dest_host>\S+) on interface (?<src_interface>\S+)(?:\s|$)"  nodrop 
| extract "(?<action>Deny .+?) src (?<src_interface>\S+):(?<src_host>[\S ]+) dst (?<dest_interface>\S+):(?<dest_host>\S+)(?:\s|$)" nodrop 
| extract "Deny (?<protocol>\w+) (?:reverse path|connection spoof|src )" nodrop 
| extract "(?<action>Deny inbound \(No xlate\))"  nodrop 
| extract "(?<action>Deny inbound \(No xlate\)) (?<protocol>\w+) src (?<src_interface>\S+):(?<src_host>[\S ]+) dst (?<dest_interface>\S+):(?<dest_host>\S+)(?:\s|$)" nodrop 
| extract "(?<action>Deny inbound \(No xlate\)) (?<protocol>\w+) src (?<src_interface>\S+):(?<src_host>[\S ]+)\/(?<src_port>\d+) dst (?<dest_interface>\S+):(?<dest_host>\S+)\/(?<dest_port>\d+)" nodrop 
| extract " (?<protocol>\w+) (?<action>Connection denied by outbound list) (?<acl_id>.+?) src (?<src_host>[\S ]+) dest (?<dest_host>\S+)(?:\s|$)" nodrop 
| extract "(?<action>Deny inbound) (?<protocol>\w+) from (?<src_host>[\S ]+)/(?<src_port>\d+) to (?<dest_host>\S+)/(?<dest_port>\d+)" nodrop 
| extract "(?<action>Deny inbound) (?<protocol>\w+) from (?<src_host>[\S ]+)/(?<src_port>\d+) to (?<dest_host>\S+)/(?<dest_port>\d+) on interface (?<src_interface>\S+)(?:\s|$)" nodrop 
| extract "(?<action>Deny inbound) (?<protocol>\w+) src (?<src_interface>\S+):(?<src_host>[\S ]+)/(?<src_port>\d+) dst (?<dest_interface>\S+):(?<dest_host>\S+)/(?<dest_port>\d+)" nodrop 
| extract "(?<action>Deny IP) from (?<src_host>[\S ]+) to (?<dest_host>\S+)(?:,|\s|$)" nodrop 
| extract "(?<action>Dropping echo request) from (?<src_host>[\S ]+) to PAT address" nodrop 
| extract "(?<action>Deny inbound icmp) src (?<src_interface>\S+):(?<src_host>[\S ]+) dst (?<dest_interface>\S+):(?<dest_host>\S+)(?:\s|$)" nodrop 
| extract "(?<action>Deny TCP \(no connection\)) from (?<src_host>[\S ]+)/(?<src_port>\d+) to (?<dest_host>\S+)/(?<dest_port>\d+) flags (?<flags>.+?) on interface (?<src_interface>\S+)(?:\s|$)" nodrop 
| extract "(?<action>Deny IP spoof) from \((?<src_host>[\S ]+)\) to (?<dest_host>\S+) on interface (?<src_interface>\S+)(?:\s|$)" nodrop 
| extract "(?<action>Deny IP due to Land Attack) from (?<src_host>[\S ]+) to (?<dest_host>\S+)(?:\s|$)" nodrop 
| extract "(?<action>ICMP packet type .+? denied by outbound list) (?<acl_id>.+?) src (?<src_host>[\S ]+) dest (?<dest_host>\S+)(?:\s|$)" nodrop 
| extract "(?<action>Deny IP teardrop fragment .+?) from (?<src_host>[\S ]+) to (?<dest_host>\S+)(?:\s|$)" nodrop 
| extract "(?<action>Teardown) (?<protocol>TCP|UDP) connection \d+ for " nodrop 
| extract "%[A-Z]{3}-\d-\d{6}: (?<src_host>[\S ]+) (?<action>Accessed URL) (?<dest_host>[\d\.]+):(?<url>.+)$" nodrop
| extract "%[A-Z]{3}-\d-\d{6}: (?<user>.+?)@(?<src_host>[\S ]+) (?<action>Accessed URL) (?<dest_host>\S+):(?<url>.+)$" nodrop 
| extract "(?<action>\w+ local-host) (?<src_interface>\S+):(?<src_host>[\S ]+)$" nodrop 
| extract "(?<action>\w+ local-host) (?<src_interface>\S+):(?<src_host>[\S ]+) duration (?<duration>.+)$" nodrop 
| extract "%[A-Z]{3}-(?<severity>\d)-(?<msg_code>\d{6})[:]{0,1} IPS:(?<ips_num>\d+) (?<action>.+?) from (?<src_host>[\S ]+) to (?<dest_host>\S+) on interface (?<src_interface>\S+)(?:\s|$)" nodrop
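To see what the rule above actually pulls out of a line, here is an added example (not from this page or from Sumo Logic) that emulates five of the stages in Python over the page's sample log and one constructed spoof-denial line. The `nodrop` behaviour (a stage that does not match adds nothing) and the later-stage-overwrites-earlier-field behaviour are assumptions of this emulation, and `to_python_regex`, `apply_fer` and `SAMPLE_LOGS` are names introduced here.

```python
import re

# Five stages copied from the FER above. Sumo Logic's `nodrop` keeps a line that a
# stage fails to match; this emulation simply adds no fields for that stage (assumption).
FER_STAGES = [
    r"%[A-Z]{3}-(?<severity>\d)-(?<msg_code>\d{6}):(?<action>.+)$",
    r" duration (?<duration>[\d:]+) bytes (?<bytes>\d+)",
    r"%[A-Z]{3}-\d-\d{6}:.+? for (?<src_interface>\S+):(?<src_host>[\S ]+)\/(?<src_port>\d+) .*?to (?<dest_interface>\S+):(?<dest_host>\S+)\/(?<dest_port>\d+)",
    r"(?<action>Teardown) (?<protocol>TCP|UDP) connection \d+ for ",
    r"(?<action>Deny IP spoof) from \((?<src_host>[\S ]+)\) to (?<dest_host>\S+) on interface (?<src_interface>\S+)(?:\s|$)",
]

# Constructed inputs: the first is the page's sample line, the second is a made-up
# %ASA-2-106016 spoof denial in the format the last stage expects.
SAMPLE_LOGS = [
    "Tue Aug 15 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside:44.44.4.4/500 to inside:44.44.2.2/500 duration 0:02:02 bytes 1416",
    "Tue Aug 15 23:30:11 %ASA-2-106016: Deny IP spoof from (10.0.0.5) to 192.168.1.1 on interface outside",
]


def to_python_regex(sumo_pattern: str) -> str:
    """Sumo's (?<name>...) named groups are spelled (?P<name>...) in Python's re.
    The lookahead leaves lookbehind syntax such as (?<= and (?<! untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", sumo_pattern)


COMPILED = [re.compile(to_python_regex(p)) for p in FER_STAGES]


def apply_fer(line: str) -> dict:
    """Run every stage over one log line and merge the named groups.
    Later stages overwrite earlier values, so `action` narrows from the whole
    message remainder (stage 1) to just "Teardown" (stage 4) on the sample line."""
    fields = {}
    for rx in COMPILED:
        m = rx.search(line)
        if m:  # nodrop: a miss is not an error, the line just gains no fields here
            fields.update(m.groupdict())
    return fields


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(apply_fer(log))
```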
