Tuesday, July 1, 2008

Analyzing Syslogs

I have no idea how to do this! And, things are getting to the point where I think I need to learn.

We have a Cisco ASA5510. We use this box with our Internet connection and use the 'inside', 'outside', and 'dmz' interfaces, each doing pretty much what you would expect.

I have WhatsUp Gold monitoring this device, primarily for bandwidth utilization on the 'outside' interface. "How much of our pipe are we using for inbound and outbound traffic?" This question, I can answer. But, there are times when I ask, "What type of traffic (and to/from which client) is using all this bandwidth?"

Something was chewing up ALL of my outbound pipe for most of the day yesterday. The frustrating thing is that, at this time, I do not know how to find out what was being stuffed down that pipe, and by whom. I am assuming (guessing?) that the answer can be found in the syslogs. But, how to read them??

Yesterday's Chart

I have been poking around in the Cisco ASDM tool, seeing if it can help me. The 'Home' screen shows the syslog messages race by. While this is a bit mesmerizing, it doesn't really help me know what's going on. Then there is the Log Viewer in the ASDM.

Cisco ASDM 5.2 Log Viewer

This tool adds the ability to see the Details and Explanation, and gives Recommended Actions (if any), for each log entry. Pretty cool, except I still have no idea what I am looking at or what I am looking for. What I need is a tool that will eat these logs and spit out pretty charts and graphs showing utilization by source, destination, and protocol/service/datatype/etc.

While doing some research yesterday, looking for a free tool that might start me on this path, I came across Splunk. The glossies led me to believe that this tool may do some of what I am looking for. So, I downloaded the free version and put it on my laptop. It was easy to configure the datasource (my ASA5510) and it was just as easy to set my 5510 to use my laptop as its syslog destination. So, I have Splunk getting my logs from my 5510. YEAH!

Now what?!

Now I have to learn Splunk to see if it will in fact do what I want/need.

If anyone knows of any other tools that might help, I would love to hear about them!
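As an added example (not from the original post, and not Cisco's or Splunk's code), here is a small Python script that does the per-client and per-service accounting the post is after, using the byte counts the ASA writes into its connection teardown messages. The log lines in SAMPLE_LOG are constructed, and the script assumes the LAN-facing interface is named 'inside' as on the author's ASA5510.

```python
import re
from collections import defaultdict

# Cisco ASA/PIX connection-teardown messages (302014 TCP, 302016 UDP) report the bytes
# moved over the whole connection, both directions combined. Field layout per the ASA
# syslog reference; SAMPLE_LOG below is constructed, not captured from a real firewall.
TEARDOWN_RE = re.compile(
    r"%(?:ASA|PIX)-\d-3020(?:14|16): Teardown (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) duration \S+ bytes (?P<bytes>\d+)"
)

def summarize(lines, inside_if="inside"):
    """Aggregate teardown byte counts by inside host and by remote service (proto/port)."""
    by_host, by_service = defaultdict(int), defaultdict(int)
    stats = {"matched": 0, "unattributed_bytes": 0}
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if not m:
            continue  # Built/Deny/other messages carry no byte count
        stats["matched"] += 1
        nbytes = int(m["bytes"])
        if m["if_a"] == inside_if:
            host, service = m["ip_a"], f'{m["proto"]}/{m["port_b"]}'
        elif m["if_b"] == inside_if:
            host, service = m["ip_b"], f'{m["proto"]}/{m["port_a"]}'
        else:  # e.g. dmz<->outside: real traffic, but not a LAN client
            stats["unattributed_bytes"] += nbytes
            continue
        by_host[host] += nbytes
        by_service[service] += nbytes
    return {"by_host": dict(by_host), "by_service": dict(by_service), **stats}

def top(counter, n=5):
    """Return the n largest (key, bytes) pairs, biggest first."""
    return sorted(counter.items(), key=lambda kv: kv[1], reverse=True)[:n]

SAMPLE_LOG = """\
Jul 01 2008 09:15:01 fw1 %ASA-6-302014: Teardown TCP connection 81234 for outside:203.0.113.10/80 to inside:192.168.1.25/51234 duration 0:00:05 bytes 4200 TCP FINs
Jul 01 2008 09:15:03 fw1 %ASA-6-302013: Built outbound TCP connection 81235 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.168.1.40/51900 (192.168.1.40/51900)
Jul 01 2008 09:15:04 fw1 %ASA-6-302016: Teardown UDP connection 81236 for outside:203.0.113.53/53 to inside:192.168.1.25/5353 duration 0:00:01 bytes 310
Jul 01 2008 09:15:06 fw1 %ASA-6-302014: Teardown TCP connection 81237 for dmz:10.10.0.5/25 to outside:203.0.113.20/33445 duration 0:00:02 bytes 1500 TCP FINs
Jul 01 2008 09:27:13 fw1 %ASA-6-302014: Teardown TCP connection 81235 for outside:198.51.100.7/443 to inside:192.168.1.40/51900 duration 0:12:10 bytes 95000000 TCP Reset-O
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for label in ("by_host", "by_service"):
        for key, b in top(s[label]):
            print(f"{label:11} {key:16} {b / 1e6:10.2f} MB")
```

Teardown messages are logged at severity 6 (informational), so the ASA's syslog logging level has to include informational for them to reach the collector at all. The byte count is the total for both directions of a connection, so this ranks talkers but does not separate inbound from outbound.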


Anonymous said...

Splunk will definitely get you what you're looking for, I use it to track jvm performance trends in my Java logs but it will work on any data source. It's just a question of extracting the fields and reporting on them. Don't hesitate to contact support at splunk com they are usually very useful.

Anonymous said...

Have you tried pt360 Tool Suite from PacketTrap Networks? Easy to use.

James said...

Hi there, did you have any luck with Splunk? I've got a very similar setup and similarly would like to know who eats up all the bandwidth at our office. James.

Derek Mangrum said...

Unfortunately, I haven't had the opportunity to devote time to this yet. I am hoping to be able to do so next week.

I will definitely post an update on this project.


James said...

I look forward to reading about your findings! I'm not having much luck, although I have found out that ASDM 6.0 has Top 10 Source/Destination information so trying to get my ISP to upgrade the software to that (it's a managed router, so beyond my control). See the bottom-right of this screenshot:

I don't know if it is possible to upgrade your router, but definitely looks handy.

