Re: [fw-wiz] Syslog montioring and usage.

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 07/13/04

    To: "Chad Thomsen" <chad.thomsen@bramespecialty.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 13 Jul 2004 10:16:16 -0400
    
    

    Chad Thomsen wrote:
    >I am trying to learn the ins and outs of using Syslog. I am at my
    >second job where I have installed and configured another Pix, but have
    >never really got into Syslog. I am currently using KIWI syslog daemon.
    >I would like to better find out what the messages mean, and how to track
    >down port scans, and other security related issues that syslog may
    >reveal. To sum it up I want to be able to have a good understanding of a
    >log file that comes from a Pix.

    There are dictionaries for Pix log messages on cisco.com, which
    makes the Pix a whole lot easier for log analysis than most products
    out there. Figuring out what's important or not is hard. :( It's somewhat
    site-dependent, as well. You're on the right track, using Kiwi, and
    at least you're DOING something with your logs instead of ignoring
    them like most people do.

    http://www.loganalysis.org is a site Tina Bird and I put together and
    maintain about log analysis stuff; there's a good amount of information
    there and some nice link-farms. I need to update the teaching schedule
    info. ;) I will be teaching a class on log analysis at USENIX, and SANS
    in New Orleans and Vegas.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
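The two things the thread asks for, a way to see which Pix messages are common versus rare (so the dictionary lookups go to the right IDs first) and a way to spot scan-like behaviour in the denials, can be done with a small parser over the raw syslog lines. The following is an added example, not code from the list or from Cisco; the `%PIX-severity-msgid:` prefix and the `Deny proto src if:ip/port dst if:ip/port` field layout are assumptions modelled on the documented message format and should be checked against the dictionary for your software version, and the sample lines are constructed.

```python
"""Added example: tally Cisco PIX-style syslog message IDs and flag sources
whose denied connections hit many distinct ports on one host.
The line formats are assumptions; the sample log is constructed."""
import re
from collections import Counter, defaultdict

# Assumed prefix shared by all PIX messages: %PIX-<severity>-<6-digit id>:
PIX_PREFIX_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):")

# Assumed field layout of an access-list denial (verify against Cisco's
# message dictionary for your version before relying on it).
PIX_DENY_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def count_message_ids(lines):
    """Count each PIX message ID. The rare IDs are the ones worth looking up
    first; the bulk ones are candidates for filtering or summarising."""
    counts = Counter()
    for line in lines:
        m = PIX_PREFIX_RE.search(line)
        if m:
            counts[m.group("msgid")] += 1
    return counts


def parse_deny(line):
    """Return the fields of a deny message as a dict, or None if the line
    is not a deny message in the assumed layout."""
    m = PIX_DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sev", "src_port", "dst_port"):
        rec[key] = int(rec[key])
    return rec


def find_scanners(lines, port_threshold=5):
    """Group denials by (source IP, destination IP) and return the pairs
    where one source was denied on at least `port_threshold` distinct
    destination ports. The Pix has no 'port scan' message; this pattern
    is inferred from the individual denials it does log."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_deny(line)
        if rec is not None:
            ports[(rec["src_ip"], rec["dst_ip"])].add(rec["dst_port"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= port_threshold}


# Constructed sample log: one source sweeping six ports on a host, one
# source retrying a single port, one connection-built message, one local line.
SAMPLE_LOG = [
    'Jul 13 10:16:01 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40001 dst inside:192.168.1.10/21 by access-group "outside_in"',
    'Jul 13 10:16:01 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40002 dst inside:192.168.1.10/22 by access-group "outside_in"',
    'Jul 13 10:16:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40003 dst inside:192.168.1.10/23 by access-group "outside_in"',
    'Jul 13 10:16:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40004 dst inside:192.168.1.10/25 by access-group "outside_in"',
    'Jul 13 10:16:03 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40005 dst inside:192.168.1.10/80 by access-group "outside_in"',
    'Jul 13 10:16:03 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40006 dst inside:192.168.1.10/443 by access-group "outside_in"',
    'Jul 13 10:16:05 pix %PIX-4-106023: Deny tcp src outside:198.51.100.4/51000 dst inside:192.168.1.10/80 by access-group "outside_in"',
    'Jul 13 10:16:06 pix %PIX-4-106023: Deny tcp src outside:198.51.100.4/51001 dst inside:192.168.1.10/80 by access-group "outside_in"',
    'Jul 13 10:16:07 pix %PIX-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.9/2048 (198.51.100.9/2048) to inside:192.168.1.20/25 (192.168.1.20/25)',
    'Jul 13 10:16:09 pix last message repeated 2 times',
]

if __name__ == "__main__":
    for msgid, n in count_message_ids(SAMPLE_LOG).most_common():
        print(f"{msgid}: {n}")
    for (src, dst), plist in find_scanners(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: denied on {len(plist)} distinct ports {plist}")
```

The threshold of five distinct ports is a starting point, not a rule; on a busy outside interface it will need tuning per site, which is the site-dependence the reply above mentions. Feeding the real Kiwi output in place of `SAMPLE_LOG` only requires that the deny lines match the assumed layout, so compare a few real lines against `PIX_DENY_RE` first.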

