@jnovack
Created October 26, 2011 14:50
SEC (Simple Event Correlator) Ruleset showcasing hashes and variables instead of multiple defined rules which are similar
#############
# asavpn.sec
# - Designed by jnovack@gmail.com (with the help of the simple-evcorr-users@lists.sourceforge.net list)
#
# Design considerations:
# - The purpose of friendlynames.txt is to generate the alerts with a user-supplied name. In the example, 12.34.56.78 is more easily remembered as "Remote Site 1", so the alerts contain the friendly name.
# - The file friendlynames.txt contains one entry per line in the form "12.34.56.78=REMOTE SITE 1".
# - I make heavy use of the SYSLOG levels in my emails so I can properly gauge my team's expected response time.
# - The use of context= =($variable{"$1"}) ensures sec only processes the event if the hash entry exists, so processing is limited to the population of the friendlynames file. Other IPs are easily ignored by not including them in friendlynames.txt.
#
# References:
# http://sourceforge.net/mailarchive/forum.php?thread_name=CAB3_BpNtA-XCndsiJUg9BsMsYWN%2BSeWFMWpDfYMz%3DZKkJTW5Vg%40mail.gmail.com&forum_name=simple-evcorr-users
# http://sourceforge.net/mailarchive/forum.php?thread_name=CAB3_BpMxyi1%2BhK20P_8ctkK0csHgxYYNg89m0jaO0mKUavJthg%40mail.gmail.com&forum_name=simple-evcorr-users
#
# Raw SYSLOG events we wish to process:
## Oct 03 2011 18:42:41: %ASA-4-113019: Group = 12.34.56.78, Username = 12.34.56.78, IP = 12.34.56.78, Session disconnected. Session Type: IPsec, Duration: 0h:10m:57s, Bytes xmt: 17128, Bytes rcv: 61611, Reason: User Requested
## Oct 03 2011 18:42:41: %ASA-4-113019: Group = 12.34.56.78, Username = 12.34.56.78, IP = 12.34.56.78, Session disconnected. Session Type: IPsec, Duration: 0h:10m:57s, Bytes xmt: 17128, Bytes rcv: 61611, Reason: Lost Service
## Oct 03 2011 18:51:41: %ASA-5-713119: Group = 12.34.56.78, IP = 12.34.56.78, PHASE 1 COMPLETED
## Oct 03 2011 18:51:41: %ASA-5-713120: Group = 12.34.56.78, IP = 12.34.56.78, PHASE 2 COMPLETED (msgid=286ecdca)

# Load Hashes
# - Requires: sec.pl to be run with the -intevents parameter so it can trap the SEC_STARTUP, SEC_RESTART or SEC_SOFTRESTART internal events
# - Returns: the count of hash entries loaded, into /var/log/sec (0 if friendlynames.txt cannot be opened)
# - The hash is %asa5500 (the original "undef $asa5500" only cleared an unrelated scalar); blank and "#" lines are skipped, and only the first "=" splits key from value so a friendly name may itself contain "="
type=Single
desc=Load hashes at startup
ptype=RegExp
continue=TakeNext
pattern=SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART
context=SEC_INTERNAL_EVENT
action=eval %a ( undef %asa5500; open(FILE, "</etc/sec/friendlynames.txt") or return 0; \
while (<FILE>) { chomp; next if /^\s*(#|$)/; my ($key, $val) = split /=/, $_, 2; $asa5500{"$key"} = $val; }; close(FILE); return scalar(keys %asa5500); )

# Trap All Relevant IDs
# - Traps 113019, 713119 and 713120 events for monitored IPs and adds them to the context vpn_12.34.56.78
type=Single
ptype=RegExp
pattern=ASA-[45]-(?:113019|713119|713120).*IP = (\d+\.\d+\.\d+\.\d+)
context= =($asa5500{"$1"})
continue=TakeNext
desc=$0
action=add vpn_$1 $0

# Trap Initial Down
# - Traps the first 113019 message for a site and ignores the rest until the cycle completes; the ASAALERT_$1 context is the latch (this could also be accomplished with a SingleWithSuppress rule)
# - /home/scripts/announce.php is a custom script which sends out notifications to phones and desktops
# - The report sends out the current contents of vpn_12.34.56.78.
type=Single
ptype=RegExp
pattern=ASA-4-113019.*IP = (\d+\.\d+\.\d+\.\d+)
context= =($asa5500{"$1"}) && !ASAALERT_$1
continue=TakeNext
desc=[ERROR] VPN has been terminated.
action=eval %site ( return $asa5500{"$1"}; ); report vpn_$1 /bin/mail -s '[ERROR] VPN for %site DOWN' noc@domain.name; \
shellcmd /usr/bin/php /home/scripts/announce.php "%site VPN DOWN" "%s" 1; create ASAALERT_$1

# Initial Time-Wait Period
# - Fires a message with the current contents of vpn_12.34.56.78 in one of two cases:
#   - the vpn is still down after 'window' seconds (and creates asa5500_$1 so the next rule keeps monitoring)
#   - the vpn has returned within 'window' seconds (and deletes all contexts)
# - desc and desc2 carry $1 so that each site gets its own correlation operation (with a constant desc all sites would share a single one, and a second site going down during the window would be ignored)
# - pattern2 is bound to the IP of the first match (SEC substitutes the first pattern's $1 into pattern2 when the operation starts), so another site's PHASE 2 cannot close this site's window; the dots in the substituted IP act as regex wildcards, which is harmless here
type=PairWithWindow
ptype=RegExp
continue=TakeNext
pattern=ASA-4-113019.*IP = (\d+\.\d+\.\d+\.\d+)
context= =($asa5500{"$1"})
desc=[CRITICAL] VPN DOWN and not up for 5 minutes. ($1)
action=eval %site ( return $asa5500{"$1"}; ); report vpn_$1 /bin/mail -s '[CRITICAL] VPN for %site DOWN! (=5 Minutes)' noc@domain.name; \
shellcmd /usr/bin/php /home/scripts/announce.php "%site VPN DOWN" "%s" 1; create asa5500_$1
ptype2=RegExp
pattern2=ASA-5-713120.*IP = ($1)\b
context2= =($asa5500{"$1"})
desc2=[WARNING] VPN BOUNCE within 5 minutes. ($1)
action2=eval %site ( return $asa5500{"$1"}; ); report vpn_$1 /bin/mail -s '[WARNING] VPN for %site UP! (<5 Minutes)' noc@domain.name; \
shellcmd /usr/bin/php /home/scripts/announce.php "%site VPN BOUNCED" "%s" 1; delete vpn_$1; delete ASAALERT_$1; delete asa5500_$1
window=300

# Monitor after Time-Wait Period has passed
# - If the vpn is still down after the above rule completes, this waits until the vpn has returned, then alerts you with the contents of vpn_12.34.56.78 and deletes all contexts.
type=Single
ptype=RegExp
pattern=ASA-5-713120.*IP = (\d+\.\d+\.\d+\.\d+)
context= =($asa5500{"$1"}) && asa5500_$1
continue=TakeNext
desc=[NOTICE] VPN RETURNED after over 5 minutes of downtime.
action=eval %site ( return $asa5500{"$1"}; ); report vpn_$1 /bin/mail -s '[NOTICE] VPN for %site UP! (>5 Minutes)' noc@domain.name; \
shellcmd /usr/bin/php /home/scripts/announce.php "%site VPN RETURNED" "%s" 1; delete asa5500_$1; delete ASAALERT_$1; delete vpn_$1
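To see how the four rules interact over time, here is an added Python model of the correlation logic (example code written for this page; it is not part of the gist and not SEC itself). It loads a constructed friendlynames file, runs constructed ASA events modelled on the ones quoted in the header through the same regexes, and tracks the vpn_, ASAALERT_ and asa5500_ contexts per site so the ERROR / CRITICAL / WARNING / NOTICE sequence can be checked offline. The second site (98.76.54.32), the unmonitored 10.0.0.1 event and the timestamps are assumptions; mail and announce.php are replaced by an alert list.

```python
"""Model of the asavpn.sec correlation logic (added example, not SEC itself)."""
import re
from datetime import datetime, timedelta

# Constructed stand-in for /etc/sec/friendlynames.txt ("ip=NAME", one entry per line).
FRIENDLYNAMES = """12.34.56.78=REMOTE SITE 1
98.76.54.32=REMOTE SITE 2
"""

WINDOW_SECONDS = 300  # window=300 in the PairWithWindow rule

# Same regexes as the ruleset (the SEC-specific $1 substitution in pattern2 is
# modelled by keying the open window on the IP instead).
TS_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): ")
ANY_RE = re.compile(r"ASA-[45]-(?:113019|713119|713120).*IP = (\d+\.\d+\.\d+\.\d+)")
DOWN_RE = re.compile(r"ASA-4-113019.*IP = (\d+\.\d+\.\d+\.\d+)")
UP_RE = re.compile(r"ASA-5-713120.*IP = (\d+\.\d+\.\d+\.\d+)")


def load_friendlynames(text):
    """'Load hashes at startup': build the ip -> friendly name dictionary."""
    names = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")   # only the first "=" splits key/value
        names[key.strip()] = val.strip()
    return names


class VpnCorrelator:
    """Tracks the vpn_<ip>, ASAALERT_<ip> and asa5500_<ip> contexts per monitored site."""

    def __init__(self, names, window=WINDOW_SECONDS):
        self.names = names
        self.window = timedelta(seconds=window)
        self.vpn = {}           # vpn_<ip>: raw events collected for the report
        self.alerted = set()    # ASAALERT_<ip>: initial ERROR already sent
        self.pending = {}       # open PairWithWindow operations: ip -> deadline
        self.long_down = set()  # asa5500_<ip>: window expired, site still down
        self.alerts = []        # (level, site, events in the report)

    def _expire(self, now):
        # PairWithWindow timeout: no PHASE 2 before the deadline -> CRITICAL
        for ip, deadline in list(self.pending.items()):
            if now >= deadline:
                self.alerts.append(("CRITICAL", self.names[ip], list(self.vpn.get(ip, []))))
                self.long_down.add(ip)
                del self.pending[ip]

    def _clear(self, ip):
        # "delete vpn_$1; delete ASAALERT_$1; delete asa5500_$1"
        self.vpn.pop(ip, None)
        self.pending.pop(ip, None)
        self.alerted.discard(ip)
        self.long_down.discard(ip)

    def tick(self, now):
        """Advance the clock without an event (SEC does this on its own timer)."""
        self._expire(now)

    def feed(self, line):
        now = datetime.strptime(TS_RE.match(line).group(1), "%b %d %Y %H:%M:%S")
        self._expire(now)
        m = ANY_RE.search(line)
        if not m or m.group(1) not in self.names:
            return  # context =($asa5500{"$1"}) is false: not a monitored site
        ip, site = m.group(1), self.names[m.group(1)]
        self.vpn.setdefault(ip, []).append(line)        # action=add vpn_$1 $0
        if DOWN_RE.search(line):
            if ip not in self.alerted:                   # context !ASAALERT_$1
                self.alerts.append(("ERROR", site, list(self.vpn[ip])))
                self.alerted.add(ip)
            self.pending.setdefault(ip, now + self.window)  # start window once
        elif UP_RE.search(line):
            if ip in self.pending:                       # pattern2 inside the window
                self.alerts.append(("WARNING", site, list(self.vpn[ip])))
                self._clear(ip)
            elif ip in self.long_down:                   # context asa5500_$1
                self.alerts.append(("NOTICE", site, list(self.vpn[ip])))
                self._clear(ip)


# Constructed events modelled on the ones quoted in the ruleset header.
SAMPLE_EVENTS = [
    "Oct 03 2011 18:42:41: %ASA-4-113019: Group = 12.34.56.78, Username = 12.34.56.78, IP = 12.34.56.78, Session disconnected. Session Type: IPsec, Duration: 0h:10m:57s, Bytes xmt: 17128, Bytes rcv: 61611, Reason: Lost Service",
    "Oct 03 2011 18:51:41: %ASA-5-713119: Group = 12.34.56.78, IP = 12.34.56.78, PHASE 1 COMPLETED",
    "Oct 03 2011 18:51:41: %ASA-5-713120: Group = 12.34.56.78, IP = 12.34.56.78, PHASE 2 COMPLETED (msgid=286ecdca)",
    "Oct 03 2011 19:00:00: %ASA-4-113019: Group = 98.76.54.32, Username = 98.76.54.32, IP = 98.76.54.32, Session disconnected. Session Type: IPsec, Duration: 2h:00m:00s, Bytes xmt: 10, Bytes rcv: 10, Reason: Lost Service",
    "Oct 03 2011 19:01:00: %ASA-4-113019: Group = 10.0.0.1, Username = 10.0.0.1, IP = 10.0.0.1, Session disconnected. Session Type: IPsec, Duration: 0h:01m:00s, Bytes xmt: 1, Bytes rcv: 1, Reason: User Requested",
    "Oct 03 2011 19:02:00: %ASA-5-713120: Group = 98.76.54.32, IP = 98.76.54.32, PHASE 2 COMPLETED (msgid=00000001)",
]


def run_sample():
    """Feed the sample events in order and return the alerts that would have been sent."""
    corr = VpnCorrelator(load_friendlynames(FRIENDLYNAMES))
    for line in SAMPLE_EVENTS:
        corr.feed(line)
    return corr.alerts


if __name__ == "__main__":
    for level, site, events in run_sample():
        print(f"[{level}] {site}: {len(events)} event(s) in report")
```

Running it shows site 1 going through ERROR, CRITICAL (the window expires before the 18:51:41 PHASE 2 arrives) and NOTICE, site 2 through ERROR and WARNING (a bounce inside the window), and the 10.0.0.1 event being dropped because it is not in the friendlynames hash; each alert also carries the events that the corresponding "report vpn_$1" would have mailed.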