Question

I'm working on a project to parse various logs on a server into CSV. Does anyone have a good Perl script or gawk statement that can parse a standard PIX/ASA log into CSV...

Thanks.


OTHER TIPS

I helped write an in-house parser for PIX/ASA logs which I can't share. We wanted to have source and destination information for all traffic-related messages, for instance. We ended up making a module that parsed each message code individually. Another hurdle is that some information like protocol names and name declarations shows up as the alias, not the number or IP, in the logs. The CPAN module PIX::Walker can help resolve those issues.

If all you want is severity, code and message you can use:

#!/usr/bin/perl

use strict;
use warnings;

# Usage: script.pl <logfile>
my $file = $ARGV[0];
die "Usage: $0 <logfile>\n" unless defined $file;
open(my $infile, '<', $file) or die "Cannot open logfile $file: $!\n";

while (my $line = <$infile>) {
 chomp $line;
 # e.g. %ASA-6-302013: Built outbound TCP connection ...
 # (the regex must be applied to $line; an unbound // would test $_)
 if ($line =~ /^%(ASA|PIX)-(\d)-(\d{6}): (.*)/) {
  my ($platform, $sev, $code, $msg) = ($1, $2, $3, $4);
  $msg =~ s/"/""/g;   # escape embedded double quotes for CSV
  print "\"$platform\",\"$sev\",\"$code\",\"$msg\"\n";
 }
}
close($infile);

But if that's all you want I'd recommend using syslog-ng and mysql with a config like:

options {
        long_hostnames(off);
        sync(100);
        stats(43200);
        use_fqdn(no);
        keep_hostname(yes);
        owner (nglog);
};

source udpsource { udp(ip(0.0.0.0) port(514));};

# "%ASA-6-302013: text" split on "-" and ":" yields four fields: platform,
# severity, code, text. The greedy flag keeps colons inside the message text
# (e.g. "outside:10.0.0.1/443") from starting extra columns.
parser asa {
 csv-parser(columns("ASA_PLAT", "ASA_SEV", "ASA_CODE", "ASA_TXT")
 flags(escape-none, greedy)
 delimiters("-:")
 );
};

destination d_sql { 
  sql(type(mysql)
  host("logserver") username("syslog-ng") password("password")   # placeholder credentials
  database("logs")
  table("ASAlogs")
  columns("datetime", "host", "severity", "code", "message")
  values("$R_DATE", "$HOST", "$ASA_SEV", "$ASA_CODE", "$ASA_TXT")
  indexes("datetime", "host", "severity", "code"));
};

log { source(udpsource); parser(asa); destination(d_sql); };

This way it's in a database that you can run reports from. You could also make a very simple PHP or Ruby on Rails web front end.
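The per-message-code approach the answer describes, as an added Python example (not the answerer's in-house module): a tag regex that also tolerates a collector's timestamp/host prefix, and separate patterns for 302013/302014 connection messages and 106023 ACL denies that pull protocol, source and destination into their own CSV columns. The sample lines are constructed, not captured traffic.

```python
import csv
import io
import re

# Cisco PIX/ASA syslog tag: %ASA-<severity>-<6-digit code>: <text>; search(),
# not match(), so a collector's "<date> <host> " prefix is tolerated.
TAG_RE = re.compile(r'%(?P<platform>ASA|PIX)-(?P<severity>\d)-(?P<code>\d{6}): (?P<message>.*)')
# Per-message-code extractors, as the answer describes: one pattern per code
# for protocol, source and destination (302013/302014 connections, 106023 deny).
CONN_RE = re.compile(r'(?P<proto>\w+) connection \d+ for \S+:(?P<src>[\d.]+)/(?P<sport>\d+)'
                     r'.*? to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
DENY_RE = re.compile(r'Deny (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/(?P<sport>\d+)'
                     r' dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
CODE_RE = {'302013': CONN_RE, '302014': CONN_RE, '106023': DENY_RE}
FIELDS = ['platform', 'severity', 'code', 'proto', 'src', 'sport', 'dst', 'dport', 'message']
# Constructed sample lines (not real traffic); the first carries a syslog prefix.
SAMPLE_LINES = [
    'Jan 12 10:00:01 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 '
    'dst inside:10.0.0.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 '
    '(203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)',
    '%PIX-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/443 '
    'to inside:10.0.0.5/51234 duration 0:00:02 bytes 1234 TCP FINs',
    "%ASA-5-111008: User 'admin' executed the 'show version' command.",
    'Jan 12 10:00:02 fw1 sshd[123]: not a firewall message',
]

def parse_line(line):
    """Return a dict keyed by FIELDS, or None if the line is not a PIX/ASA message."""
    m = TAG_RE.search(line)
    if not m:
        return None
    row = dict.fromkeys(FIELDS, '')
    row.update(m.groupdict())
    detail = CODE_RE.get(row['code'])
    if detail:
        d = detail.search(row['message'])
        if d:  # a known code with an unexpected layout leaves the traffic columns empty
            row.update(d.groupdict())
    return row

def to_csv(lines):
    """Render parsed lines as CSV; the csv module escapes embedded quotes and commas."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator='\n')
    writer.writeheader()
    for row in filter(None, map(parse_line, lines)):
        writer.writerow(row)
    return out.getvalue()
```

Codes without an extractor still land in the CSV with the traffic columns blank, so nothing is dropped while more per-code patterns are added.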

Licensed under: CC-BY-SA with attribution