I've recently set up syslogging on my two main PIXes. I'm using Kiwi Syslog Daemon and I've set the logging level to warnings. I've set up the syslog daemon to log these entries to a SQL database.
I'm getting quite a bit of information, but I am not sure what to do with it or how to process it all, e.g. an entry such as this:
%PIX-4-106023: Deny udp src outside:195.172.178.18/4250 dst inside:x.x.x.x/137 by access-group "acl_out"
would suggest someone trying to connect on port 137, correct?
The problem with this is: how do I parse all the entries for stuff I am actually interested in, or that reveals interesting information about people, e.g. trying to get into my network, without having to read through hundreds of entries every day?
Is there some kind of program that can do this for you? I mean, I am sure I do not know half of the things that people get up to when trying to break into a network, so for me to write a SQL query to parse the information would be ineffective, and would also take ages since I don't know that much SQL!
In addition, what does Cisco categorise as a warning event, critical or otherwise? A search through Cisco's site, as usual, produces nothing useful, and googling just produces a list of text books.
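As an added example (not part of the post above), a small Python parser for the %PIX-4-106023 deny lines it quotes: it pulls out the severity digit (the number after "%PIX-" is the standard Cisco syslog severity level, 4 = warning), the protocol and addresses, and collapses repeated denies into a per-source, per-destination-port count so that hundreds of entries reduce to a short list. The sample lines are constructed; the 198.51.100.x and 203.0.113.x addresses are documentation ranges.

```python
import re
from collections import Counter

# Standard Cisco syslog severity levels; the digit after "%PIX-" is this level.
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# Matches the shape of the 106023 deny message quoted in the post.
DENY_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): Deny (?P<proto>\w+) "
    r"src (?P<src_ifc>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_ifc>\w+):(?P<dst_ip>[\w.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_deny(line):
    """Return a dict of fields for a 106023 deny line, or None if it does not match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["severity_name"] = SEVERITY[rec["sev"]]
    rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
    return rec

def summarise(lines, min_hits=2):
    """Count denied (src_ip, dst_port) pairs from the outside interface and return
    those seen at least min_hits times, most frequent first."""
    hits = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec and rec["src_ifc"] == "outside":
            hits[(rec["src_ip"], rec["dst_port"])] += 1
    return [(ip, port, n) for (ip, port), n in hits.most_common() if n >= min_hits]

# Constructed sample lines (not real log data); x.x.x.x kept as written in the post.
SAMPLE = [
    '%PIX-4-106023: Deny udp src outside:195.172.178.18/4250 dst inside:x.x.x.x/137 by access-group "acl_out"',
    '%PIX-4-106023: Deny udp src outside:195.172.178.18/4251 dst inside:x.x.x.x/137 by access-group "acl_out"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/33012 dst inside:x.x.x.x/445 by access-group "acl_out"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/33013 dst inside:x.x.x.x/445 by access-group "acl_out"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/33014 dst inside:x.x.x.x/445 by access-group "acl_out"',
    '%PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.9/80 ...',
]

if __name__ == "__main__":
    for ip, port, n in summarise(SAMPLE):
        print(f"{ip} -> port {port}: {n} denied attempts")
```

Pointing the same loop at rows pulled from the SQL table instead of SAMPLE gives a daily top-talkers list without writing the query by hand.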