Re: [fw-wiz] Syslog monitoring and usage.
From: Marcus J. Ranum (mjr_at_ranum.com)
To: "Chad Thomsen" <email@example.com>, <firstname.lastname@example.org>
Date: Tue, 13 Jul 2004 10:16:16 -0400
Chad Thomsen wrote:
>I am trying to learn the ins and outs of using Syslog. I am at my
>second job where I have installed and configured another Pix, but have
>never really got into Syslog. I am currently using KIWI syslog daemon.
>I would like to better find out what the messages mean, and how to track
>down port scans, and other security related issues that syslog may
>reveal. To sum it up I want to be able to have a good understanding of a
>log file that comes from a Pix.
There are dictionaries for Pix log messages on cisco.com, which
makes the Pix a whole lot easier for log analysis than most products
out there. Figuring out what's important or not is hard. :( It's somewhat
site-dependent, as well. You're on the right track, using Kiwi, and
at least you're DOING something with your logs instead of ignoring
them like most people do.
http://www.loganalysis.org is a site Tina Bird and I put together and
maintain about log analysis stuff; there's a good amount of information
there and some nice link-farms. I need to update the teaching schedule
info. ;) I will be teaching a class on log analysis at USENIX, and SANS
in New Orleans and Vegas.
firewall-wizards mailing list