Marius, I think you've made a great start. What I would suggest next would be to ask yourself a few (at least these 10) questions about the log data before you. The first time you do this it could take a day (or more). But eventually you will be able to do this within 20 minutes. It often depends on what tools you are comfortable with and use.

Q1: How many log messages were recorded today? (#) Make a record of that number on a calendar or in a journal. It is the starting point for your log analysis.

Q2: Is that more or less messages than the day before? How much more or less (%)? This helps you figure out if things are normal and running within a set baseline.

Q3: Is that more or less messages than the same day last week? How much more or less (%)? This is a check that I do to make sure that my baseline doesn't drift too badly.

Q4: Can you explain why for Q2 or Q3? If you see much more data today than on both the day and the week before, you need to start asking yourself some more questions, like: was there a rule that blocked many connections (in PIX v6.3 look for message 106023); is someone scanning the Firewall and creating lots of half-dead connections (they have associated message numbers too); or do I have the log level set too high? If you see much less data you need to figure out if something is broken or misconfigured (or if today is the day after a day off or holiday).

Q5: What is the message breakdown by level? Lots of web surfing (normal activity) generates lots of level 6 and 7 messages. That might explain an increase in the number of log messages (aggressive surfing). Or it could be scans (level 3, 4, 5 messages). Or bad rules (if I just modified the rules). Again, establish a baseline of "normal" activity.

Q6: Am I seeing (m)any messages that indicate hardware or configuration issues? Those would be at the lower levels (1, 2, 3). Some people make this Q2 when they first install their PIX until they get used to it.
Q7: Did you see PIX v6.x Syslog message ID 199002 in the log? Can you explain why that is in there?

Q8: Are there any new messages that I have not seen before? If so, why are they there?

Q9: What is the top denied protocol? How did it get denied?

Q10: What are the top 5 denied IP addresses? How did they get denied?

These are just ten of the rules that I talk about and often use. I have like 30 more solid rules written down somewhere.

Liberty for All,
Brian

At 11:27 AM 7/29/2003 -0700, Marius Baicoianu wrote:
>Hi,
>
>I have read your messages in reference to the PIX
>logging and I would like to ask you a few things:
>- after you configure syslog and logrotate to log and
>rotate my system logs, what do I do next?
>- do you have an easy way to review these logs? scripts
>or procedures? I'm able to have all the PIX logs on a
>syslog server, and I am able to cut them daily, but I
>don't know what I'm supposed to do next.... How can I
>review so much info?
>
>Please help.
>Thanks.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
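As an added illustration (not part of Brian's or Marius's messages), the script below answers Q1 to Q3, Q5 to Q7, Q9 and Q10 mechanically over a day of PIX syslog. The sample lines are constructed in the PIX 6.x "%PIX-level-id: text" style; message ids 106023 (access-group deny) and 199002 (startup) come from the post above, while the other ids, hostnames and addresses are assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed PIX-6.x-style sample; ids 302013/305006, host and addresses are made up
SAMPLE = """\
Jul 28 09:00:01 pix %PIX-6-302013: Built outbound TCP connection 1 for outside:203.0.113.9/80 to inside:192.168.1.20/40001
Jul 28 09:00:05 pix %PIX-4-106023: Deny tcp src outside:192.0.2.7/4444 dst inside:192.168.1.5/22 by access-group "outside_in"
Jul 29 09:00:01 pix %PIX-6-199002: PIX startup completed. Beginning operation.
Jul 29 09:00:02 pix %PIX-6-302013: Built outbound TCP connection 2 for outside:203.0.113.9/80 to inside:192.168.1.20/40002
Jul 29 09:00:03 pix %PIX-4-106023: Deny tcp src outside:192.0.2.7/4445 dst inside:192.168.1.5/22 by access-group "outside_in"
Jul 29 09:00:04 pix %PIX-4-106023: Deny udp src outside:192.0.2.9/1900 dst inside:192.168.1.5/1900 by access-group "outside_in"
Jul 29 09:00:05 pix %PIX-4-106023: Deny tcp src outside:192.0.2.7/4446 dst inside:192.168.1.5/23 by access-group "outside_in"
Jul 29 09:00:06 pix %PIX-3-305006: regular translation creation failed for udp src inside:192.168.1.30/137 dst outside:203.0.113.5/137
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}) \S+ \S+ %PIX-(\d)-(\d{6}): (.*)$")  # day, level, id, body
DENY_RE = re.compile(r"^Deny (\w+) src \w+:([\d.]+)")  # protocol and source address of a 106023

def parse(text):
    """One dict per well-formed line: day, severity level, message id, body."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            recs.append({"day": m[1], "level": int(m[2]), "id": m[3], "body": m[4]})
    return recs

def per_day(recs):
    """Q1: message count for each day present in the log."""
    return Counter(r["day"] for r in recs)

def pct_change(today, before):
    """Q2/Q3: percentage change against a baseline day; None when there is no baseline."""
    return None if before == 0 else round(100.0 * (today - before) / before, 1)

def level_breakdown(recs, day):
    """Q5/Q6: how many messages at each severity level on the given day."""
    return Counter(r["level"] for r in recs if r["day"] == day)

def has_msg(recs, day, msg_id):
    """Q7: was message id msg_id (e.g. 199002, a PIX startup) logged on that day?"""
    return any(r["day"] == day and r["id"] == msg_id for r in recs)

def top_denied(recs, day, n=5):
    """Q9/Q10: most-denied protocol and the n most-denied source addresses (id 106023)."""
    hits = [DENY_RE.match(r["body"]) for r in recs if r["day"] == day and r["id"] == "106023"]
    protos = Counter(m[1] for m in hits if m)
    return protos.most_common(1), Counter(m[2] for m in hits if m).most_common(n)
```

Feed it yesterday's and today's rotated files instead of SAMPLE and compare the per-day counts to the number you wrote on the calendar; the 199002 check is the one that usually explains a sudden drop.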
This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 13:41:59 PDT