Pix FW Syslog filtering Help 3

tdsec

MIS
Mar 31, 2003
2
US
Hey everyone,
It's my job to monitor all the firewall syslogs daily. Other than the obvious error of having the date stamp logging the wrong date/time, what other messages can I filter out so I don't have to look at so much information?

Any help is greatly appreciated!

TDSec
 
I use an outside application to log to database and query that. "If you lived here, you'd be home by now!"

George Carlin
 
Hey Haknwak,
Thanks for your comments. I too use an outside application. The problem is that the firewall syslogs aren't filtered at all and the amount of data I'm getting is bringing my db to a halt. Ideally, I'd like to suppress some messages at the firewall. Then, filter and dispose of messages that are not needed for internal investigations. Your continued input is appreciated.

TDSec
 
that sux - I don't think there is any filtering per se. Since there are only seven levels to choose from, you need to analyze the levels and what information they give then decide what is the lowest level you can live with.

Or to look at it another way - what are the largest number of messages you would like to eliminate? Look at what you have, sort them by type, look at the most useless ones to you, and set the level to one that just eliminates the messages.

The drawback here is that, if you need to analyze an incident, you won't always get the full picture of all activity from a selected source or to a destination.

Can you tell your logging software to ignore things like ICMP even though the syslog sends it?

These are the PIX 6.2 messages sorted by severity level

ps - My MS SQL database is huge as well, but I have the luxury of a nice dual processor server and large disk space. I also prune the database every 90 days after backing up each month in its entirety to an MS Access file for future reference.

I use insideout - "If you lived here, you'd be home by now!"

George Carlin
 
Here's what I do. I set up the log to go to a computer running Kiwi's Syslog Daemon.

I set it up so that every day, I archive the previous day's log to a file. This happens right around 12:01 am or so. At about 3:00 am, a VBScript I wrote goes through the log, and separates out all of the IDS messages, and puts them into a separate CSV file. It then counts the incidents of each IDS type, and sends the result to me in an e-mail.

In the morning, I check the IDS counts. If something appears strange, I then go check the IDS log file. Otherwise, I don't have to spend the time to do it.
 
Here's a suggestion:

Instead of relying on one log file for everything, set up as many as eight different files (one for each level).

All events related to security are in level 4 and below. Level 5 shows you URL accesses. Level six shows the firewall building and tearing down xlates, and FTP accesses, so I'm not sure if you'll need that info.

I think you'll find yourself going to the level 3 file (which includes 1 and 2 by the way) more often than going to six.

It's a quick and dirty way of filtering out the non-essential stuff. Alternatively, you could just create one file for level 3 and below and another file for all else.

I started with seven different files so I could tell what is essential and not essential. Eventually, I wrote my own log system for the PIX that uses MySQL and Apache to view the reports. But that was only after I was comfortable with the log output.
 
What level, or what identifies VPN connectivity, such as logon/logoff?
Mike
 
Hi.

If you are using XAUTH with RADIUS, it is best to track VPN logon activity at the RADIUS server logs.
I'm not sure about logoff events.

You can also try to play with "aaa accounting" commands, but I haven't tried that and I don't know if and how it works regarding VPN.

In syslog messages, you can search for:

    %PIX-6-109002: Auth from 0.0.0.0/0 to ... failed ...
    %PIX-6-109005: Authentication succeeded for user ...
    %PIX-6-109011: Authen Session Start: user ...
    %PIX-6-602301: sa created ...
    %PIX-6-602302: deleting SA ...

And some others, look here:

Bye
Yizhar Hurwitz
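The three approaches above (the per-level log files, the nightly script that pulls out IDS messages and counts them per type, and searching for the VPN message IDs) all hinge on the same thing: every PIX 6.x syslog line carries "%PIX-<severity>-<message id>:" which can be parsed directly. The script below is an added example, not code from any poster in this thread; the log lines in it are constructed samples, and the assumption that IDS signature messages use ids of the form 4000xx at severity 4 is mine, not stated in the thread.

```python
import re
from collections import Counter

# Constructed sample of PIX 6.x syslog lines (addresses are documentation ranges, not real traffic).
SAMPLE_LOG = """\
Mar 31 2003 03:00:01: %PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.7/80 (203.0.113.7/80) to inside:10.0.0.5/1025 (192.0.2.1/1025)
Mar 31 2003 03:00:02: %PIX-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.5/445 by access-group "outside_in"
Mar 31 2003 03:00:03: %PIX-4-400011: IDS:2001 ICMP unreachable from 198.51.100.9 to 10.0.0.5 on interface outside
Mar 31 2003 03:00:04: %PIX-6-109005: Authentication succeeded for user 'alice' from 198.51.100.20/1100 to 10.0.0.5/23 on interface outside
Mar 31 2003 03:00:05: %PIX-6-602301: sa created, (sa) sa_dest= 192.0.2.1, sa_prot= 50
Mar 31 2003 03:00:06: %PIX-4-400011: IDS:2001 ICMP unreachable from 198.51.100.9 to 10.0.0.6 on interface outside
Mar 31 2003 03:00:07: %PIX-6-602302: deleting SA, (sa) sa_dest= 192.0.2.1, sa_prot= 50
"""

# Severity is a single digit 0-7, the message id is six digits.
PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# VPN logon / IPsec SA message ids listed in the thread.
VPN_AUTH_IDS = {"109002", "109005", "109011", "602301", "602302"}

def parse_line(line):
    """Return (severity, message id, text) or None for a line that is not a PIX message."""
    m = PIX_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def split_by_level(lines, keep_up_to=4):
    """Quick-and-dirty version of the per-level files: severity <= keep_up_to is kept,
    everything else (xlates, connection builds, URL hits) goes to a second bucket."""
    kept, other = [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        (kept if parsed[0] <= keep_up_to else other).append(line)
    return kept, other

def ids_counts(lines):
    """Count IDS signature messages per message id (assumed to be ids 4000xx), like the nightly script."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1].startswith("4000"):
            counts[parsed[1]] += 1
    return counts

def vpn_events(lines):
    """Pull out only the VPN authentication / SA lifecycle lines named in the thread."""
    return [line for line in lines if (p := parse_line(line)) and p[1] in VPN_AUTH_IDS]
```

Pointing `split_by_level` at a day's archived file and e-mailing `ids_counts` gives the morning summary described above without touching the database for the level 6 noise.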
 
Now I must thank everyone in this thread!!
I snagged all the contents for reference. It is much appreciated that you share your methods of analyzing logs!!

"If you lived here, you'd be home by now!"

George Carlin
 