Using Plink to log commands from your SSH/telnet devices

When it comes to monitoring a network, there are dozens of tools out there that an administrator can use to log information. However no amount of syslog or SNMP data can beat the detail of the commands you have at your disposal from inside a network device itself. Any Cisco junkie knows the value of the “show” commands, so how neat would it be if you could dump the output of one of these commands into a log? By the time an administrator can connect into a device to perform diagnostics, an event may already be over and everyone is left scratching their heads. Chasing a phantom issue can cause a lot of stress, so let’s find a way to capture diagnostic data from a device at the moment an event occurs.

Let’s take an example from a recent event that my coworkers and I encountered. A Cisco ASA can have thousands and thousands of connections open to it at any given time, and each model of ASA is rated for a certain number of these connections at once (based on the hardware capacity of that model). If your network grows to the point where the firewall approaches or exceeds this connection limit, there can be issues. My team and I experienced a total failure in the ASA’s ability to pass traffic when the connections reached a certain level… YIKES! What we needed to find out was which hosts were causing so many open connections. Here is a quick tutorial on how to accomplish this task using the alerting engine from SolarWinds Orion. Here’s the theory:

  • Step 1: An alert is triggered when the ASA’s connection count is equal to or greater than a number that we know is the limit for our hardware.
  • Step 2: The alert launches a batch file that contains a command to run Plink, a command line version of everyone’s favorite tool PuTTY.
  • Step 3: Plink SSH’s into our ASA, runs a variety of “show” commands, then dumps the output to a text file.

So let’s get started. In SolarWinds, the trigger action for an alert can be set to “Execute Program”, which does exactly what it sounds like. Your target program should be a batch file that launches Plink. Here’s a screenshot:

1

And here are the contents of “plinkscript.bat”:

C:\plink.exe -ssh -l USERNAME -pw PASSWORD -m “C:\ciscoscript.txt” DEVICE_IP > C:\ASAconnectionsOutput.txt

Let’s break it down.


C:\plink.exe –ssh –l USERNAME –pw PASSWORD

This is where we launch Plink. The command tells it to use SSH to build the connection, and passes a username and password to the target device for login. Please don’t use telnet, let’s be real.


-m “C:\ciscoscript.txt”

This part of the command is what tells Plink which commands to run. The commands are located in a text file called ciscoscript.txt. If your command generates lots of output, on the next line you can include a bunch of spaces so Plink can capture it all. The commands below give us a live view of which devices on our network have at least 500 connections open to the ASA:

en
password
show local-host connection embryonic 500 | in host|count/limit
[insert spaces here]
show local-host connection tcp 500 | in host|count/limit
[insert spaces here]
show local-host connection udp 500 | in host|count/limit
[insert spaces here]
exit


DEVICE_IP > C:\ASAconnectionsOutput.txt

The last part of the command tells Plink which device to connect to, and then redirects the output from the SSH connection to a file of your choosing, in this case a text file named ASAconnectionsOutput.txt.

So now we wait for the alert to be triggered, then we can open that file. You might see your Exchange server in there, or perhaps a monitoring system like SolarWinds! In this case it was immediately obvious who the culprits were. The highlighted number was the largest amount of connections in the entire file, so we were able to see which client was causing such a ruckus.

2

This concept can be applied to ANY command for ANY device that accepts a remote connection. The sky’s the limit! You could check CDP neighbors on an entire network by scripting this to run on every Cisco device, you can view routes, check which processes are eating up the CPU during those random spikes, or use this as a method to create backups of your configs.

Thanks for reading!

2 Comments

  1. Craig

    Excellent script which I have just tested and is working perfect for me.

    We do have a number of ASA’s so was just wondering (due to my lack of scripting knowledge) how i could run this script against multiple ASA’s?

    Reply
    1. Nick Zourdos (Post author)

      Hi Craig,

      You can add a new line to the plinkscript.bat file with another connection string. I have used this to run commands against 80+ ASA’s at once and it works well! Here is an example:


      C:\plink.exe -ssh -l USERNAME -pw PASSWORD -m “C:\ciscoscript.txt” DEVICE_IP > C:\ASAconnectionsOutput.txt

      C:\plink.exe -ssh -l USERNAME -pw PASSWORD -m “C:\ciscoscript.txt” NEXT_DEVICE_IP > C:\ASAconnectionsOutput.txt

      C:\plink.exe -ssh -l USERNAME -pw PASSWORD -m “C:\ciscoscript.txt” YET_ANOTHER_DEVICE_IP > C:\ASAconnectionsOutput.txt

      If you wanted you could even specify a different ciscoscript.txt file for each device, so that you could deploy one set of commands to a specific ASA and a completely new set of commands to a different ASA.

      Reply

Leave a Comment

Your email address will not be published. Required fields are marked *