Firewall Wizards mailing list archives
RE: Syslog monitoring and usage.
From: "Wes Noonan" <mailinglists () wjnconsulting com>
Date: Fri, 16 Jul 2004 12:21:14 -0500
When I wrote the chapter on syslog for my book (actually it is part of the network management chapter, but I digress) I finally got around to putting together a list of PIX syslog messages that IMO deserve "special" recognition. I've never really found a good resource that says "monitor these messages" and I figured if I wanted a list I might as well make it myself. Anyway, I put that list out on my website under the whitepapers section. The direct link is here:

http://www.wjnconsulting.com/WJNConsulting/Whitepapers/syslog.htm

HTH

Oh, and if anyone comes across other messages that should be added, please let me know and I will update the website accordingly. Thanks.

Wes Noonan
mailinglists () wjnconsulting com
http://www.wjnconsulting.com
Hardening Network Infrastructure - A concise how to guide
Available Now
Order at http://tinyurl.com/53pp6
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Melson, Paul
Sent: Wednesday, July 14, 2004 08:00
To: Chad Thomsen; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Syslog monitoring and usage.

Cisco publishes the definitions of all of the syslog messages that can be generated by a PIX firewall:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/index.htm

As far as the 'IDS' syslog messages that it generates, keep in mind that the PIX is only capable of "atomic" checks, meaning that it only alerts on the behavior of a single packet. Aside from some older DoS attacks and certain types of stealth port scans, the PIX is useless as an IDS.

PaulM

PS - If you want to see everything the PIX can send to the syslog server, make sure 'logging console debugging' is set in the config. Of course, on a busy firewall, this can lead to ~300MB/day in log files, so it may only be useful for a short period of time or when used in conjunction with automated log analysis software.

-----Original Message-----

I am trying to learn the ins and outs of using Syslog. I am at my second job where I have installed and configured another Pix, but have never really got into Syslog. I am currently using KIWI syslog daemon. I would like to better find out what the messages mean, and how to track down port scans, and other security related issues that syslog may reveal. To sum it up I want to be able to have a good understanding of a log file that comes from a Pix.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
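The thread above talks about two things without showing either: a "monitor these messages" list for PIX syslog, and picking port scans out of the deny messages. The following is an added example (not code from the original post, Wes Noonan's whitepaper, or Cisco) that parses PIX-style syslog lines, flags a small hypothetical watch-list of message IDs, and reports sources that were denied on many distinct destination ports. The sample log lines are constructed to resemble PIX output; the message IDs in the watch-list are assumptions to be checked against the vendor message reference, not the list the post refers to.

```python
"""Triage of PIX-style syslog lines (added example, not from the post).

Two checks are implemented:
  1. flag lines whose message ID is on a watch-list;
  2. flag a source address that was denied on >= N distinct destination
     ports (a crude port-scan indicator built from the firewall's own
     per-packet deny messages).
"""
import re
from collections import defaultdict

# Generic shape of a PIX syslog message: %PIX-<severity>-<six-digit id>: <text>
MSG_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)")

# Source/destination as they appear in ACL deny text:
#   "src outside:198.51.100.9/40001 dst inside:192.0.2.10/21"
DENY_RE = re.compile(
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Hypothetical watch-list: message id -> why it matters. These IDs are
# assumptions for the example; verify them against the vendor reference
# and replace with the list you actually maintain.
WATCHLIST = {
    "106023": "packet denied by access-list",
    "111008": "configuration command executed on the firewall",
}

# Constructed sample log (not from a real firewall); RFC 5737 test addresses.
SAMPLE_LOG = """\
Jul 16 12:00:01 fw1 %PIX-6-302013: Built inbound TCP connection 42 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:192.0.2.10/80 (203.0.113.10/80)
Jul 16 12:00:02 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.9/40001 dst inside:192.0.2.10/21 by access-group "outside_in" [0x0, 0x0]
Jul 16 12:00:02 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.9/40002 dst inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]
Jul 16 12:00:03 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.9/40003 dst inside:192.0.2.10/23 by access-group "outside_in" [0x0, 0x0]
Jul 16 12:00:03 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.9/40004 dst inside:192.0.2.10/25 by access-group "outside_in" [0x0, 0x0]
Jul 16 12:00:04 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.9/40005 dst inside:192.0.2.10/110 by access-group "outside_in" [0x0, 0x0]
Jul 16 12:00:07 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.20/5555 dst inside:192.0.2.11/443 by access-group "outside_in" [0x0, 0x0]
Jul 16 12:00:08 fw1 %PIX-5-111008: User 'enable_15' executed the 'write memory' command.
Jul 16 12:00:09 fw1 some-other-daemon: not a firewall message
"""


def parse_line(line):
    """Return (severity, message_id, text) for a PIX line, or None otherwise."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("id"), m.group("text")


def triage(lines, scan_threshold=5):
    """Run both checks over an iterable of raw syslog lines.

    Returns {"watched": [(id, reason, text), ...],
             "scans": {src_ip: [sorted distinct denied dst ports]}}.
    """
    watched = []
    denied_ports = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a PIX message; ignore
        _sev, msg_id, text = parsed
        if msg_id in WATCHLIST:
            watched.append((msg_id, WATCHLIST[msg_id], text))
        if msg_id == "106023":
            d = DENY_RE.search(text)
            if d:
                denied_ports[d.group("src")].add(int(d.group("dport")))
    scans = {src: sorted(ports) for src, ports in denied_ports.items()
             if len(ports) >= scan_threshold}
    return {"watched": watched, "scans": scans}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for msg_id, reason, text in result["watched"]:
        print(f"[{msg_id}] {reason}: {text}")
    for src, ports in result["scans"].items():
        print(f"possible scan from {src}: denied on ports {ports}")
```

The scan heuristic is deliberately simple: it counts distinct destination ports per source across the whole input, so on a day's worth of logs you would want a time window and a higher threshold than five. Feed it the output of `logging console debugging` (or any file your syslog daemon writes) line by line.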