RE: [fw-wiz] Syslog set up

From: Bob Wanamaker - Avant Systems, Inc. (rlw_at_avantsystems.com)
Date: 07/23/03

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 23 Jul 2003 12:15:28 -0400

    Greetings.

    IMO, depends on what you're doing with the PIX and what you can digest. I
    have one client configuration with a 515 at the hub, serving as firewall and
    VPN terminus; about 30 506s connect branches to the hub location via
    tunnels; a handful of users connect via VPN clients and RADIUS
    authentication. All branch traffic is tunnelled, i.e., there is no access
    permitted to outside address from the branch locations. An application
    level WWW proxy server and an SMTP server on the internal hub network are
    the only IPs permitted to establish conversations with the outside world,
    and then only on the required ports.

    All syslogging is done to the hub. 515 is set to level warning; 506s are
    set to level warning. At this level, the logs are somewhat manageable; I
    log to a SQL database, and have some simple queries to give me the view I
    want. It tends to be a bit cumbersome at times, b/c any client [out of 500
    or so] which attempts to connect to an outside IP gets logged - but that's
    really a good thing, b/c I quickly see which workstations are potentially
    compromised. Events are simultaneously logged to a text file for archive
    purposes, and those file sizes are in the 10Mb range daily. I run through
    my SQL queries at least 4 times a week.

    I really think it becomes a function of what you can digest - if you're
    going to log, you should read your logs, otherwise there's no point. Be
    prepared to have some tools to make it through the logs. Reading the plain
    text is pretty painful and never yields a good look at the data, at least
    for me.

    The only time this changes is when implementing a change, then I'll set to
    level debug as needed.

    Best regards,

    Bob

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com]
    Sent: Thursday, July 17, 2003 5:32 PM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Syslog set up

    I am looking for a document or suggestions on setting up what events to log
    on a Cisco PIX. I am not concerned about following our security policy yet;
    I just need a 'Best Practice' type of document to get started from.

    Thanks for your input.

    Doug Garrison

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
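A small worked illustration of the approach Bob describes above (log PIX syslog to a SQL table, then query for workstations making denied outbound attempts). This is an added example, not code from the post or from Cisco; it assumes PIX 6.x access-list deny messages (%PIX-4-106023, which is severity 4 and so appears at level warning) and the sample lines are constructed.

```python
import re
import sqlite3

# Constructed sample syslog lines in the PIX 6.x format (not from the original post).
SAMPLE_LOG = """\
Jul 23 12:01:02 pix515 %PIX-4-106023: Deny tcp src inside:10.1.2.40/1034 dst outside:203.0.113.7/80 by access-group "inside_in"
Jul 23 12:01:03 pix515 %PIX-4-106023: Deny tcp src inside:10.1.2.40/1035 dst outside:203.0.113.7/80 by access-group "inside_in"
Jul 23 12:01:05 pix515 %PIX-4-106023: Deny udp src inside:10.1.2.40/1036 dst outside:198.51.100.9/53 by access-group "inside_in"
Jul 23 12:02:10 pix515 %PIX-4-106023: Deny tcp src inside:10.1.5.12/2201 dst outside:203.0.113.20/25 by access-group "inside_in"
Jul 23 12:02:11 pix515 %PIX-4-106023: Deny tcp src inside:10.1.2.40/1037 dst outside:192.0.2.33/443 by access-group "inside_in"
Jul 23 12:02:12 pix515 %PIX-3-305005: No translation group found for tcp src inside:10.1.9.9/1111 dst outside:192.0.2.1/80
"""

# %PIX-4-106023: access-list deny. Fields: protocol, src iface:ip/port, dst iface:ip/port.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ %PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def load_denies(text: str) -> sqlite3.Connection:
    """Parse deny lines into an in-memory table; other message IDs are skipped."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE denies (ts TEXT, proto TEXT, src TEXT, sport INTEGER, "
               "dst TEXT, dport INTEGER)")
    for line in text.splitlines():
        m = DENY_RE.match(line)
        # Only outbound attempts from inside clients are of interest here.
        if m and m.group("sif") == "inside":
            db.execute("INSERT INTO denies VALUES (?,?,?,?,?,?)",
                       (m["ts"], m["proto"], m["src"], int(m["sport"]),
                        m["dst"], int(m["dport"])))
    db.commit()
    return db


def noisy_sources(db: sqlite3.Connection, min_attempts: int = 2):
    """Inside hosts with at least min_attempts denied outbound attempts, busiest first.

    Returns rows of (src, attempt_count, distinct_destinations)."""
    return db.execute(
        "SELECT src, COUNT(*) AS n, COUNT(DISTINCT dst) AS targets "
        "FROM denies GROUP BY src HAVING n >= ? ORDER BY n DESC, src",
        (min_attempts,)).fetchall()


if __name__ == "__main__":
    db = load_denies(SAMPLE_LOG)
    for src, n, targets in noisy_sources(db):
        print(f"{src}: {n} denied outbound attempts to {targets} distinct hosts")
```

A workstation that repeatedly tries to reach outside addresses it has no business with stands out at the top of this list, which is the "potentially compromised" signal the post refers to.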