For those unaware, VMware Log Insight is VMware’s syslog monitoring and alerting platform. It collects and automatically identifies structure in all types of machine-generated log data (application logs, network traces, configuration files, messages, performance data, system state dumps, etc.) to build a high-performance index for analytics, so you can find pertinent information quickly.
With that said, I use Log Insight a lot and am a big fan of the Content Packs that provide third-party integration. After showing this to clients for the last few months and having them rave about the dashboards and alerting in Log Insight, I decided to dedicate a post to configuring and using the Cisco ASA Content Pack for Log Insight.
The VMware Log Insight – Cisco ASA Content Pack provides new visibility, insight and alerting capabilities into firewall events, successful and denied connections, top source and destination dashboards for websites, bandwidth consumers, mail, chat, streaming, VPN connections and more. For a full overview of VMware Log Insight capabilities, check out the technical marketing material on the product site at https://www.vmware.com/products/vrealize-log-insight.html.
To configure your Cisco ASA for use with VMware Log Insight:
- Log into the Cisco ASA and enter configuration mode
- Configure the logging host
- Configure the logging trap level
- Configure the logging facility level
- Save the configuration

The commands, entered at the configuration-mode prompt (the leading # is the prompt, and ip.of.log.insight is the address of your Log Insight server):

#logging host inside ip.of.log.insight
#logging trap informational
#logging facility 20
After configuring your ASA for use with Log Insight, install the Cisco ASA Content Pack for Log Insight: click the menu (the icon with three lines to the right of the username in the upper-right), click Content Packs, then click Marketplace in the upper-left of the screen, as shown below. Find the Cisco ASA icon in the Log Insight Content Pack Marketplace and click it to install it.
After you’ve installed the Content Pack, log out of Log Insight and log back in. Navigate to the Content Pack Dashboards and click on the Cisco ASA Overview link.
The Cisco ASA Overview dashboard provides a histogram of All ASA Events over time, a breakdown of events grouped by device, events by class and severity level, and top destinations and sources. From here you can click any graph and then Interactive Analytics to see a filtered view of the underlying log events.
As you can see in the Interactive Analytics view of ASA events grouped by severity level, the Cisco ASA firewall is denying connection attempts for telnet to the outside interface of the firewall. The next thought is, “…geez, VMware, I wish I could easily set up an email alert for this filtered event on my Cisco ASA”. Well, I’m happy to add that WE CAN SET UP ALERTS IN LOG INSIGHT! YES!
Let’s take a look at how we set up a Log Insight alert for an event from our Cisco ASA.
To add an alert for Severity 3 events, go into the Interactive Analytics view for ASA events grouped by severity 3.
Click on Alerts, which is the red bell icon to the upper-right and then click on Create Alert from Query.
Fill in the New Alert form with the name, description and recommendation, an email address or alias, and the criteria for the alert. You can match on any instance of an event, on an event seen for the first time in the last x hours, or on the number of occurrences in a given period, optionally grouped by a field. In any case, for this alert, I’d like to know any time there is more than one occurrence in five minutes.
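To make the alert rule above concrete outside the Log Insight UI, here is an added example (my own code, not part of the post or of the Content Pack) that parses ASA syslog lines as the logging host receives them, decodes the facility set by `logging facility 20` from the syslog PRI, and fires when more than one severity-3 event lands inside a five-minute window. The sample lines, the hostname asa-edge, the year 2024 and the addresses are constructed for the demo.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# One ASA line as the logging host receives it: "<PRI>Mon DD HH:MM:SS host %ASA-SEV-ID: text".
# PRI = facility*8 + severity, so "logging facility 20" plus a severity-3 message gives <163>.
ASA_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
                    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")

def parse_asa(line, year=2024):
    """Parse one ASA syslog line into a dict, or return None if it is not one.
    The syslog header carries no year, so `year` is assumed (the constructed data uses 2024)."""
    m = ASA_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8,          # 20 == local4, per "logging facility 20"
            "severity": int(m["sev"]),     # 0 emergencies ... 7 debugging
            "msg_id": m["id"],
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "text": m["text"]}

def severity3_alert(lines, window=timedelta(minutes=5), threshold=1):
    """Mirror the post's alert rule: fire when more than `threshold` severity-3
    events fall inside any sliding `window`. Returns the timestamps that fired."""
    recent, fired = deque(), []
    for line in lines:
        ev = parse_asa(line)
        if ev is None or ev["severity"] != 3:
            continue
        recent.append(ev["ts"])
        while ev["ts"] - recent[0] > window:   # drop events older than the window
            recent.popleft()
        if len(recent) > threshold:
            fired.append(ev["ts"])
    return fired

# Constructed sample lines (not real traffic); 710003 is the ASA "access denied by ACL" message.
SAMPLE = [
    "<166>Mar 10 09:00:01 asa-edge %ASA-6-302013: Built inbound TCP connection 1 for outside:203.0.113.5/4455 (203.0.113.5/4455) to inside:10.0.0.8/443 (10.0.0.8/443)",
    "<163>Mar 10 09:01:10 asa-edge %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/51000 to outside:203.0.113.1/23",
    "<163>Mar 10 09:03:45 asa-edge %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/51001 to outside:203.0.113.1/23",
    "<163>Mar 10 09:30:00 asa-edge %ASA-3-710003: TCP access denied by ACL from 198.51.100.9/40000 to outside:203.0.113.1/23",
    "not a syslog line at all",
]

if __name__ == "__main__":
    print("alert fired at:", [str(t) for t in severity3_alert(SAMPLE)])
```

The third denial at 09:30 does not fire because the two earlier ones have aged out of the window, which is the same behaviour the "occurrences in a given period" criterion gives you in the UI.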
Now that we’ve set an alert in Log Insight for our Cisco ASA, let’s take a look at some of the dashboards and information that the Content Pack provides visibility into.
Navigate to Denied Connections under the Cisco ASA Content Pack and you’re greeted by a dashboard of Top Denied Destinations, Top Denied Sources, Top Denied Protocol Groups and Top Denied Websites. Each of these can be drilled into by right-clicking a graph section and clicking Interactive Analytics to see the data. Top Denied Sources is quite useful for determining where attacks are originating and can quickly provide you with a list of sources to take action on.
The Successful Connections Dashboard shows some really useful views of Top Accessed Destinations, Top Websites, a list of Latest Successful Connections and a graph of Reasons for successful TCP teardowns.
Besides confirming that Facebook, Hulu or YouTube is probably the top accessed website through your firewall, Latest Successful Connections is a great way to check whether a new firewall rule or configuration change is working for clients accessing a new site or the like.
Clicking on the Traffic Overview dashboard reveals a fantastic histogram of bandwidth usage, which can be useful for forecasting and planning. The middle of the screen shows a graph of Top Connections With High Bandwidth Usage, to see who the big consumers are. Once again, you can drill down on any of those users to see what was being used. The user in this graph is my son’s Chromebook and I’m sure the bandwidth usage is from YouTube, no doubt. …was there any doubt? /grin
Lastly, the VPN Activity dashboard is great for analyzing past VPN events and for alerting on current ones. You can set up alerts for failed VPN connection attempts, which is always something to keep an eye on.
Wrapping it up, there’s quite a bit that VMware Log Insight can do for Cisco ASA users. The alerting capabilities for ASA events make Log Insight a great solution for environments where it’s deployed, as the Content Pack is free of charge, easily deployed and provides new visibility and “insights” into what’s happening on your ASA. …with or without you knowing. /grin