Firewall Wizards mailing list archives

Re: Transferring off-system firewall audit trails


From: Lance Spitzner <spitzner () dimension net>
Date: Sat, 12 Jun 1999 10:53:52 -0400 (EDT)

On Thu, 10 Jun 1999, Steven W. Engle wrote:

Can these firewalls
o     Borderware
o     Gauntlet
o     Checkpoint Firewall-1
o     Raptor

transfer in "real-time" their audit trails to some other system (via
'syslogd' or something equivalent)?

For those that have set up this type of functionality, what processes
and/or automation are you performing on the recipient system to make use
of the audit trails? What is/are the end result(s) of this processing /
automation?

I can only speak for FW-1.  You have two options for 'real-time' audit
trailing.  One is using User Defined alerts to track and monitor
scans, usages, etc.  See http://www.enteract.com/~lspitz/intrusion.html
With this setup I receive emails/pages whenever the system is scanned,
with all logs archived to a file.

Or, you can have alerts/logs pumped to syslogd with the /usr/ucb/logger
command.  You define this as your User Defined alert, and all alerts
go through syslogd, which you can track with utilities such as swatch.
I have successfully used both options.  If you would like more info,
email me.

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
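As an added illustration of the two-stage setup described in the reply above (a FW-1 User Defined alert handing each record to logger, then swatch-style processing on the syslog host), the script below is constructed example code, not Lance's script and not anything shipped by Check Point. The alert record layout, the logger path, the syslog facility and the "drops on N distinct ports" heuristic are all assumptions made for the example; real FW-1 export fields differ by version, and the sample records are made up.

```shell
#!/bin/sh
# Constructed example: FW-1 "User Defined" alert -> logger -> syslog -> swatch-like check.
# Not Lance's or Check Point's code. Field layout of the records is an assumption.

LOGGER=${LOGGER:-/usr/ucb/logger}          # path used in the reply; Linux has /usr/bin/logger
SYSLOG_TAG=${SYSLOG_TAG:-fw1}              # assumed tag so the receiver can filter on it
SYSLOG_PRI=${SYSLOG_PRI:-local4.warning}   # assumed facility.priority

# forward_alerts: FW-1 writes the alert record on stdin; one logger call per line.
# Runs of whitespace are collapsed so the record survives syslog and stays greppable.
# When no logger binary exists (e.g. when testing) the line that would be sent is printed.
forward_alerts() {
    tr -s ' \t' ' ' | while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ -x "$LOGGER" ]; then
            "$LOGGER" -p "$SYSLOG_PRI" -t "$SYSLOG_TAG" "$line"
        else
            printf '%s: %s\n' "$SYSLOG_TAG" "$line"
        fi
    done
}

# scan_sources THRESHOLD: over forwarded lines, report every source address that
# was dropped on at least THRESHOLD distinct destination ports ("service" field).
# A crude port-scan heuristic of the kind a swatch rule on the syslog host would
# page on. Output per offender: "src <ip> ports <n>", sorted.
scan_sources() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        / drop / {
            src = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "src")     src  = $(i + 1)
                if ($i == "service") port = $(i + 1)
            }
            # count each (src, port) pair once, so repeats on one port do not inflate n
            if (src != "" && port != "" && !seen[src, port]++) n[src]++
        }
        END { for (s in n) if (n[s] >= t) printf "src %s ports %d\n", s, n[s] }
    ' | sort
}

# sample_alerts: constructed records in an assumed FW-1 export layout (not a real capture).
# 10.1.2.3 is dropped on 5 distinct ports (one repeated); 198.51.100.7 on 2; one accept.
sample_alerts() {
    cat <<'EOF'
12Jun1999 10:53:52 drop   fw-gw >le0 proto tcp src 10.1.2.3 dst 192.0.2.10 service 21 s_port 34567
12Jun1999 10:53:52 drop   fw-gw >le0 proto tcp src 10.1.2.3 dst 192.0.2.10 service 22 s_port 34568
12Jun1999 10:53:53 drop   fw-gw >le0 proto tcp src 10.1.2.3 dst 192.0.2.10 service 23 s_port 34569
12Jun1999 10:53:53 drop   fw-gw >le0 proto tcp src 10.1.2.3 dst 192.0.2.10 service 23 s_port 34570
12Jun1999 10:53:53 drop   fw-gw >le0 proto tcp src 10.1.2.3 dst 192.0.2.10 service 25 s_port 34571
12Jun1999 10:53:54 drop   fw-gw >le0 proto tcp src 10.1.2.3 dst 192.0.2.10 service 110 s_port 34572
12Jun1999 10:54:10 drop   fw-gw >le0 proto tcp src 198.51.100.7 dst 192.0.2.10 service 80 s_port 1025
12Jun1999 10:54:11 drop   fw-gw >le0 proto tcp src 198.51.100.7 dst 192.0.2.10 service 443 s_port 1026
12Jun1999 10:54:12 accept fw-gw >le0 proto tcp src 192.0.2.50 dst 192.0.2.10 service 25 s_port 40001
EOF
}

# Usage: sh fw1_alert.sh demo     (runs the constructed records through both stages)
if [ "${1:-}" = "demo" ]; then
    sample_alerts | forward_alerts | tee /dev/stderr | scan_sources 5
fi
```

On the firewall the first half is all that runs: point the User Defined alert at the script and every record matching that rule ends up in syslog on whatever host syslogd forwards to. The second half belongs on the receiving host; swatch normally does the matching, but the awk shows the state you actually want to keep (distinct ports per source, not raw line count) before deciding to page someone.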
