Firewall Wizards mailing list archives

Re: Syslog monitoring and usage.


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 13 Jul 2004 10:16:16 -0400

Chad Thomsen wrote:
I am trying to learn the ins and outs of using Syslog.  I am at my
second job where I have installed and configured another Pix, but have
never really got into Syslog.  I am currently using the KIWI syslog daemon.
I would like to better find out what the messages mean, and how to track
down port scans and other security-related issues that syslog may
reveal. To sum it up, I want to be able to have a good understanding of a
log file that comes from a Pix.


There are dictionaries for Pix log messages on cisco.com, which
makes the Pix a whole lot easier for log analysis than most products
out there.  Figuring out what's important or not is hard. :( It's somewhat
site-dependent, as well. You're on the right track, using Kiwi, and
at least you're DOING something with your logs instead of ignoring
them like most people do.

http://www.loganalysis.org is a site Tina Bird and I put together and
maintain about log analysis stuff; there's a good amount of information
there and some nice link-farms.  I need to update the teaching schedule
info. ;) I will be teaching a class on log analysis at USENIX, and SANS
in New Orleans and Vegas.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
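As an added illustration, not part of the original thread or of anything Marcus or Chad posted: the message dictionary Marcus points to gives each PIX message a fixed number and a fixed field layout, which is what makes the log mechanically parseable. The script below parses constructed PIX syslog lines, summarises which message IDs appear (the first step in deciding what matters at a given site), and flags the port-scan pattern Chad asks about: one source denied to many distinct ports on one host within a short window. The sample lines are constructed for this example; their bodies follow the PIX 6.x dictionary format for %PIX-4-106023 as I recall it, the plain-syslog timestamp/host prefix is an assumed layout (Kiwi's default file format is tab-delimited and differs), and the 60-second window and five-port threshold are arbitrary starting values, not tuned numbers.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample log (not taken from the original post). Message bodies follow
# the PIX 6.x message dictionary layout for 106023 (ACL deny), 106001 (inbound
# TCP denied) and 302013 (connection built) as recalled by the example's author;
# the "Mon DD HH:MM:SS host" prefix is an assumed plain-syslog layout.
SAMPLE_LOG = """\
Jul 13 10:15:30 pix %PIX-4-106023: Deny udp src outside:198.51.100.4/137 dst inside:192.168.1.10/137 by access-group "outside_access_in"
Jul 13 10:16:01 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40001 dst inside:192.168.1.10/21 by access-group "outside_access_in"
Jul 13 10:16:01 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40002 dst inside:192.168.1.10/22 by access-group "outside_access_in"
Jul 13 10:16:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40003 dst inside:192.168.1.10/23 by access-group "outside_access_in"
Jul 13 10:16:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40004 dst inside:192.168.1.10/25 by access-group "outside_access_in"
Jul 13 10:16:03 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40005 dst inside:192.168.1.10/80 by access-group "outside_access_in"
Jul 13 10:16:03 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40006 dst inside:192.168.1.10/443 by access-group "outside_access_in"
Jul 13 10:16:05 pix %PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.50/80 (203.0.113.50/80) to inside:192.168.1.33/1100 (198.51.100.1/1100)
Jul 13 10:16:40 pix %PIX-2-106001: Inbound TCP connection denied from 198.51.100.9/3456 to 192.168.1.20/445 flags SYN on interface outside
Jul 13 10:17:30 pix %PIX-4-106023: Deny udp src outside:198.51.100.4/137 dst inside:192.168.1.10/137 by access-group "outside_access_in"
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# Syslog prefix plus the %PIX-<severity>-<6-digit id>: tag every PIX message carries.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<body>.*)$"
)
# Field layout of a 106023 body: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> ...
DENY_RE = re.compile(
    r"^Deny\s+(?P<proto>\w+)\s+src\s+(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r"\s+dst\s+(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_line(line, year=1900):
    """Return a dict of fields for one PIX syslog line, or None if it is not one.
    Deny fields (src_ip, dst_ip, dst_port, ...) are present only for 106023."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; the caller supplies one so that deltas
    # across a year boundary sort correctly (the sample stays within one day).
    ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    d = DENY_RE.match(ev["body"]) if ev["msgid"] == "106023" else None
    if d:
        ev.update(d.groupdict())
        ev["src_port"] = int(ev["src_port"])
        ev["dst_port"] = int(ev["dst_port"])
    return ev


def message_id_summary(lines):
    """Count messages by PIX message ID; the first pass when triaging a new log."""
    return Counter(ev["msgid"] for ev in map(parse_line, lines) if ev)


def detect_port_scans(lines, window_seconds=60, min_ports=5):
    """Flag (src_ip, dst_ip) pairs denied to >= min_ports distinct destination
    ports within window_seconds. Thresholds are assumptions to be tuned per site."""
    events = [ev for ev in map(parse_line, lines) if ev and "dst_port" in ev]
    events.sort(key=lambda e: e["time"])
    recent = defaultdict(deque)  # (src_ip, dst_ip) -> deque of (time, dst_port)
    findings = {}
    for ev in events:
        key = (ev["src_ip"], ev["dst_ip"])
        q = recent[key]
        q.append((ev["time"], ev["dst_port"]))
        while (ev["time"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop denies that fell out of the sliding window
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            # Keep updating so the finding covers every port seen in the window.
            findings[key] = {"ports": sorted(ports), "first": q[0][0], "last": ev["time"]}
    return findings


if __name__ == "__main__":
    for msgid, n in message_id_summary(SAMPLE_LINES).most_common():
        print(f"{msgid}: {n}")
    for (src, dst), f in detect_port_scans(SAMPLE_LINES).items():
        print(f"possible scan {src} -> {dst} ports {f['ports']} "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

On the sample, the repeated port 137 denies from 198.51.100.4 (the usual NetBIOS broadcast noise) never cross the threshold, while 203.0.113.7 walking six ports on 192.168.1.10 in two seconds does. Which threshold separates noise from a scan is exactly the site-dependent judgment Marcus mentions; start from the message-ID counts, see what the bulk of your denies actually are, and tune from there.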
