Analyse log messages of the firewall

Posted on November 24, 2010

The following examples require standard unix commands (awk, grep, sort, uniq, …).

TASK1. Filter the Dual ISP feature’s syslog messages out of pix_log.txt, a log file covering one day.

Solution:
Log file name: pix_log.txt

1. Collect the Dual ISP feature’s syslog message IDs from Cisco UniverCD:

  • 622001
  • 327001 – 327003
  • 422004 – 422006

2. Use grep to keep only those messages (the pattern must be in straight double quotes, otherwise the shell passes the quote characters to grep):

grep "622001\|327001\|327002\|327003\|422004\|422005\|422006" pix_log.txt

TASK2. Which source host generates the highest amount of traffic?

Solution:
Log file name: SyslogCatchAll.txt

1. Log id: ASA-6-302014 -> this message contains the byte count and the source and destination IP addresses.

2. Create a file named `prg` with the following content in the same directory as the log file (use vi or any text editor).

# Field numbers in the original 302014 log line:
# $11 - source IP
# $13 - destination IP
# $15 - time
# $17 - bytes
# prg itself does not see the log line: it reads the two columns printed by the
# first awk in the pipeline, $1 = the key (source or destination) and $2 = bytes.
# The input must be sorted on $1 so that equal keys are adjacent.

NR == 1 {m=$1; p=0}                                  # first line: remember the key, reset the running total
$1 == m {p = p + $2}                                 # same key as the previous line: add its bytes
$1 != m {print p, "Total_amount:", m; p=$2; m=$1}    # key changed: emit the finished total, start a new one
END {print p, "Total_amount:", m}                    # emit the total of the last key

3. Run the following unix pipeline (the result is sorted by byte count in ascending order, so the source host with the most traffic is on the last line):

grep 302014 SyslogCatchAll.txt | awk '{print $11, $17}' | sort | awk -f prg | sort -n | awk '{print $3, $2, $1}'

TASK3: Which destination host generates the highest amount of traffic?

Solution:
Log file name: SyslogCatchAll.txt

1. Log id: ASA-6-302014 -> the same message as in TASK2; it contains the byte count and the source and destination IP addresses.

2. Use the same `prg` file as in TASK2 (it only sums $2 per distinct $1, so it does not care whether the key is the source or the destination).

3. Run the same pipeline as in TASK2, but print field $13 (the destination) instead of $11 as the key (again, the destination host with the most traffic is on the last line):

grep 302014 SyslogCatchAll.txt | awk '{print $13, $17}' | sort | awk -f prg | sort -n | awk '{print $3, $2, $1}'
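The script below is an added example, not code from the original post. It serves both TASK2 and TASK3: it builds a small constructed SyslogCatchAll.txt, writes the post's prg program (with straight quotes), and runs the post's pipeline with the key field (11 or 13) as a parameter. It also goes one step beyond the post with a one-pass awk that sums per IP address, because the $11 and $13 fields of an ASA 302014 message carry "interface:ip/port" rather than a bare IP. The log line layout (date, time, facility, host, then the message), the file locations and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a constructed
# SyslogCatchAll.txt, writes the post's prg program and runs the TASK2/TASK3
# pipeline; bytes_per_host() is an extra one-pass variant.
# Assumption: the collector writes each line as
#   <date> <time> <facility> <host> %ASA-6-302014: Teardown TCP connection <id>
#     for <if>:<src>/<port> to <if>:<dst>/<port> duration <h:m:s> bytes <n> <reason>
# With awk's default whitespace splitting that puts the source in $11, the
# destination in $13, the duration in $15 and the byte count in $17, which is
# exactly the field numbering the post's comments give.

LC_ALL=C            # byte-wise collation so sort keeps equal keys adjacent
export LC_ALL
WORK="${TMPDIR:-/tmp}/asa-log-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/SyslogCatchAll.txt"

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
# The 302013 line is there to show that "grep 302014" leaves it out.
cat > "$LOG" <<'EOF'
2010-11-24 10:00:01 Local4.Info 192.0.2.1 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/80 to inside:10.0.0.7/51234 duration 0:00:02 bytes 4000 TCP FINs
2010-11-24 10:00:02 Local4.Info 192.0.2.1 %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.9/443 to inside:10.0.0.8/51235 duration 0:00:05 bytes 9000 TCP FINs
2010-11-24 10:00:03 Local4.Info 192.0.2.1 %ASA-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.0.0.8/51236 (10.0.0.8/51236)
2010-11-24 10:00:04 Local4.Info 192.0.2.1 %ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.5/80 to inside:10.0.0.8/51236 duration 0:00:01 bytes 7000 TCP FINs
2010-11-24 10:00:05 Local4.Info 192.0.2.1 %ASA-6-302014: Teardown TCP connection 1004 for outside:198.51.100.2/22 to inside:10.0.0.7/51237 duration 0:01:00 bytes 500 TCP Reset-O
EOF

# The post's prg program (same logic, straight quotes).
cat > "$WORK/prg" <<'EOF'
NR == 1 {m=$1; p=0}
$1 == m {p = p + $2}
$1 != m {print p, "Total_amount:", m; p=$2; m=$1}
END {print p, "Total_amount:", m}
EOF

# The post's pipeline with the key field as a parameter: 11 = source (TASK2),
# 13 = destination (TASK3). Output is ascending, so the top talker is the last line.
top_by_field() {
  grep 302014 "$LOG" | awk -v f="$1" '{print $f, $17}' | sort | awk -f "$WORK/prg" \
    | sort -n | awk '{print $3, $2, $1}'
}

# One-pass variant that goes beyond the post: $11/$13 hold "interface:ip/port",
# so the post's pipeline counts each port of one host separately. Strip the
# prefix and the port and sum per IP in an awk associative array (no pre-sort).
bytes_per_host() {
  grep 302014 "$LOG" | awk -v f="$1" '
    { host = $f
      sub(/^[^:]*:/, "", host)      # drop "outside:" / "inside:"
      sub(/\/[0-9]+$/, "", host)    # drop "/port"
      total[host] += $17 }
    END { for (h in total) print total[h], h }' | sort -n
}

echo "Top source (post pipeline):       $(top_by_field 11 | tail -n 1)"
echo "Top destination (post pipeline):  $(top_by_field 13 | tail -n 1)"
echo "Top destination host (per IP):    $(bytes_per_host 13 | tail -n 1)"
```

Compare the two destination results on the sample: the post's pipeline keys on the full "inside:ip/port" string, so 10.0.0.8 appears twice (9000 and 7000 bytes on two ports) and 10.0.0.7 twice, whereas the per-IP variant reports 16000 bytes for 10.0.0.8. When the question is "which host", the port has to be stripped before grouping, otherwise a host that spreads its traffic over many ports is under-counted.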

**********************************************************************

Get Linux-like environment for Windows from http://www.cygwin.com/
