Re: [fw-wiz] Syslog montioring and usage.

From: Marcus J. Ranum (
Date: 07/13/04

  • Next message: avraham shir-el (arthur sherman): "[fw-wiz] iso 17799"
    To: "Chad Thomsen" <>, <>
    Date: Tue, 13 Jul 2004 10:16:16 -0400

    Chad Thomsen wrote:
    >I am trying to learn the ins and outs of using Syslog. I am at my
    >second job where I have installed and configure another Pix, but have
    >never really got into Syslog. I am currently using KIWI syslog daemon.
    >I would like to better find out what the messages mean, and how to track
    >down port scans, and other security related issues that syslog may
    >reveal. To sum it up I want to be able to have a good understanding of a
    >log file that comes form a Pix.

    There are dictionaries for Pix log messages on, which
    makes the Pix a whole lot easier for log analysis than most products
    out there. Figuring out what's important or not is hard. :( It's somewhat
    site-dependent, as well. You're on the right track, using Kiwi, and
    at least you're DOING something with your logs instead of ignoring
    them like most people do. is a site Tina Bird and I put together and
    maintain about log analysis stuff; there's a good amount of information
    there and some nice link-farms. I need to update the teaching schedule
    info. ;) I will be teaching a class on log analysis at USENIX, and SANS
    in New Orleans and Vegas.


    firewall-wizards mailing list

  • Next message: avraham shir-el (arthur sherman): "[fw-wiz] iso 17799"