This page provides instructions on how to set up the Kiwi Syslog server so that it generates logs compatible with the Firegen Log Analyzer.
Download the Kiwi Syslog server. Kiwi is currently (Dec 2017) available as freeware for up to 5 devices, as well as a registered version (with some advanced features such as logging to a database or compressing the logs for archiving). These instructions work with Kiwi Syslog versions 7.x and 8.x. The screenshots are from Kiwi Syslog version 7.2.27, but the 8.x screens are quite similar.
Install the Kiwi Syslog server software. This creates a Kiwi Syslog Daemon shortcut on the desktop.
Open the Kiwi Syslog Daemon application. You will get to a screen that looks like this:
From the File menu, select Setup (or Properties for older versions of Kiwi) to get to the Setup screen:
In the left panel select the Log to file action:
To configure Kiwi to create a new log every day using a yyyy-mm-dd naming convention, follow these steps:
– In the Path and file name of log file box, enter the folder where you want to store the log (you may leave the default C:\Program Files\Syslogd\Logs\) followed by the log prefix you want to use (for example syslog) and a dash (-). Then click on “Insert AutoSplit value”, select Date, ISO Date (YYYY-MM-DD), and add the log extension (e.g. .log). If you use the example values, the Setup window should look like this:
The Example of actual path and file name field (shown in black) contains the name of the log that will be created (C:\Program Files\Syslogd\Logs\syslog-2017-05-23.log). You can copy this path and file name to use when you configure the Firegen Log Host profile.
Leave the log file format as Kiwi format ISO yyyy-mm-dd (Tab delimited).
Click Apply and then Test to have Kiwi write a sample entry to the newly created log. Open the log in a text editor to confirm that the entry is there.
Before trying to analyze the logs with Firegen, make sure the newly created log contains entries from the Cisco ASA firewall. If the firewall is fairly active, entries should appear within seconds. If the Cisco ASA firewall is not configured to log to the syslog server, follow the steps described in FAQ No. 12. Once you confirm that there are log entries from the ASA firewall (log entries containing the %ASA keyword), you can proceed to the Firegen configuration.
One common issue when analyzing logs that carry a timestamp from both the syslog server and the ASA firewall is a time discrepancy between the two devices (the ASA prefixes its messages with its own timestamp only when logging timestamp is configured on the firewall). Firegen gives priority to the ASA timestamp. For example:
2017-05-03 22:00:03 Local4.Info 192.168.103.27 May 03 2017 23:47:22: %ASA-6-302015: Built outbound UDP connection 80420 for outside:188.8.131.52/53 (184.108.40.206/53) to inside:192.168.103.28/4288 (220.127.116.11/4288)
This log entry contains the Kiwi timestamp 2017-05-03 22:00:03 and the ASA timestamp May 03 2017 23:47:22. As you can see, the times differ: Kiwi shows 10:00:03 PM while the ASA shows 11:47:22 PM. This happens when the ASA clock is not set properly or uses a different time zone (a whole-hour difference usually points to a time zone mismatch; an odd offset such as the 1 h 47 min here points to a clock that was never set or has drifted). If you analyze the log entries between 9:00:00 PM and 10:30:00 PM, Firegen will skip this line because it uses the ASA timestamp, and 11:47 PM is outside the analysis interval. To avoid this kind of mix-up, make sure the clocks of the firewall and the syslog server are synchronized, ideally against the same NTP source.
To configure Firegen to analyze the new logs, follow the instructions in the FAQs. As the Sample log for the Log Host Profile, use the Example of actual path and file name mentioned above.
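The two checks described above (that the new log actually contains %ASA entries, and that the firewall and syslog clocks agree) can be automated before handing the log to Firegen. The script below is an added example, not part of the original page or of the Kiwi or Firegen products. It assumes the tab-delimited layout of Kiwi's ISO yyyy-mm-dd format (date, time, Facility.Level, source host, message as separate tab-separated fields; the example line above shows them run together because of how it was pasted) and uses constructed sample lines modelled on that example. It parses both timestamps, reports the largest offset between them, and mimics Firegen's rule of preferring the ASA timestamp when selecting entries for an analysis interval.

```python
import re
from datetime import datetime

# Constructed sample log (not a real capture), in the layout assumed for Kiwi's
# "ISO yyyy-mm-dd (Tab delimited)" format: date, time, Facility.Level, source
# host and message, separated by tabs.  The ASA adds its own "Mon DD YYYY
# HH:MM:SS:" prefix only when timestamps are enabled on the firewall, so the
# third line deliberately lacks it; the last line is Kiwi's own test entry.
SAMPLE_LOG = "\n".join([
    "2017-05-03\t22:00:03\tLocal4.Info\t192.168.103.27\tMay 03 2017 23:47:22: "
    "%ASA-6-302015: Built outbound UDP connection 80420 for outside:188.8.131.52/53 "
    "(184.108.40.206/53) to inside:192.168.103.28/4288 (220.127.116.11/4288)",
    "2017-05-03\t22:00:04\tLocal4.Info\t192.168.103.27\tMay 03 2017 23:47:23: "
    "%ASA-6-302014: Teardown TCP connection 80419 for outside:188.8.131.52/443 "
    "to inside:192.168.103.28/4290 duration 0:00:01 bytes 1452 TCP FINs",
    "2017-05-03\t22:00:05\tLocal4.Warning\t192.168.103.27\t%ASA-4-106023: Deny tcp "
    "src outside:203.0.113.9/51234 dst inside:192.168.103.28/445 by access-group \"outside_in\"",
    "2017-05-03\t22:00:06\tUser.Info\t192.168.103.40\tKiwi Syslog Server test message",
])

# Optional firewall timestamp, then the message ID (%ASA-<severity>-<6 digits>;
# %PIX- is accepted for older firewalls), then the free text.
ASA_PREFIX = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"(?P<id>%(?:ASA|PIX)-\d-\d{6}): (?P<text>.*)$"
)
KIWI_TS = "%Y-%m-%d %H:%M:%S"


def parse_kiwi_line(line):
    """Split one Kiwi tab-delimited line; return None if it is not a firewall entry."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 5:
        return None
    date, time_, priority, host = fields[:4]
    message = "\t".join(fields[4:])          # message may itself contain tabs
    m = ASA_PREFIX.match(message)
    if not m:
        return None                          # e.g. Kiwi's own "Test message"
    asa_ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S") if m.group("ts") else None
    return {
        "kiwi_ts": datetime.strptime(f"{date} {time_}", KIWI_TS),
        "priority": priority,
        "host": host,
        "asa_ts": asa_ts,
        "msg_id": m.group("id"),
        "text": m.group("text"),
    }


def asa_entries(log_text):
    """All firewall entries in the log, in file order."""
    return [e for e in (parse_kiwi_line(l) for l in log_text.splitlines()) if e]


def effective_ts(entry):
    """Firegen gives the ASA timestamp priority; fall back to Kiwi's when absent."""
    return entry["asa_ts"] or entry["kiwi_ts"]


def clock_skew(entries):
    """Largest |ASA - Kiwi| offset, in seconds, over entries carrying both timestamps."""
    offsets = [abs((e["asa_ts"] - e["kiwi_ts"]).total_seconds())
               for e in entries if e["asa_ts"] is not None]
    return max(offsets) if offsets else 0.0


def in_window(entries, start, end):
    """Entries Firegen would keep for the interval [start, end] (Kiwi 'YYYY-MM-DD HH:MM:SS' strings)."""
    lo, hi = datetime.strptime(start, KIWI_TS), datetime.strptime(end, KIWI_TS)
    return [e for e in entries if lo <= effective_ts(e) <= hi]


if __name__ == "__main__":
    entries = asa_entries(SAMPLE_LOG)
    print(f"{len(entries)} ASA entries found")
    skew = clock_skew(entries)
    if skew > 60:
        print(f"WARNING: firewall and syslog clocks differ by {skew:.0f} s; synchronize them before analysis")
    kept = in_window(entries, "2017-05-03 21:00:00", "2017-05-03 22:30:00")
    print(f"{len(kept)} of {len(entries)} entries fall inside 21:00-22:30 by Firegen's rule")
```

Run it against a real Kiwi file by replacing SAMPLE_LOG with the file contents; a skew above a minute, or an entry count of zero, means the log is not ready for Firegen yet. The window check reproduces the situation in the text: the two entries with an ASA timestamp of 23:47 are dropped from a 21:00 to 22:30 interval even though Kiwi received them at 22:00.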