Hello dear all,
We are making a threat management tool using many open source tools
to take the PIX logs. We need to take logs from different countries. The project
uses remote logservers in each country to take the logs from routers, IDS,
PIX and web servers. These events are filtered and sent to a central
logserver. The central logserver correlates these events and
shows the events and the new correlation on a Java console.
To take the PIX logs we are using logsnorter; to take the external
router logs we are using a stealth rule on the IDS, and Snort is the IDS.
I send you a snapshot of the Java console and the statistic console.
Today we are using these tools with two countries, and we are thinking
of implementing it in three more countries.
You can see on the statistic snapshot that at 16hs we have a lot
of events. We are testing the solution using nmap.
Best Regards.
PS: I apologize for my poor English.
=======================================
Julio Jaime
Americas Zone Security Administrator
Accor Services - Servicios Ticket S.A.
Av. Díaz Vélez 4367
(C1200 AAK) Bs. As. - Argentina
Tel.: (54-11) 4909-1375
Fax.: (54-11) 4909-1394
jjaime@accorservices.com.ar
=======================================
This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual to whom it is addressed. If you have
received this email in error please send it back to the person that sent it
to you. Unauthorized publication, use, dissemination, forwarding, printing
or copying of this email and its associated attachments is strictly
prohibited.
-----Original Message-----
From: Brian Ford [mailto:brford@cisco.com]
Sent: Tuesday, July 29, 2003 05:18 p.m.
To: Marius Baicoianu
CC: LogAnalysis@lists.shmoo.com
Subject: Re: [logs] PIX logging
Marius,
I think you've made a great start.
What I would suggest next would be to ask yourself a few (at least these
10) questions about the log data before you. The first time you do this it
could take a day (or more). But eventually you will be able to do this
within 20 minutes. It often depends on what tools you are comfortable with
and use.
Q1: How many log messages were recorded today? (#) Make a record of that
number on a calendar or in a journal. It is the starting point for your
log analysis.
Q2: Is that more or fewer messages than the day before? How much more or
less (%)? This helps you figure out if things are normal and running
within a set baseline.
Q3: Is that more or fewer messages than the same day last week? How much
more or less (%)? This is a check that I do to make sure that my
baseline doesn't drift too badly.
Q4: Can you explain why for Q2 or Q3? If you see much more data today than
both the day and the week before, you need to start asking yourself some more
questions, like: was there a rule that blocked many connections (in PIX v6.3
look for message 106023); is someone scanning the firewall and creating
lots of half-dead connections (they have associated message numbers too);
or do I have the log level set too high? If you see much less data you
need to figure out if something is broken or misconfigured (or if today is
the day after a day off or holiday).
Q5: What is the message breakdown by level? Lots of web surfing (normal
activity) generates lots of level 6 and 7 messages. That might explain an
increase in the number of log messages (aggressive surfing). Or it could be
scans (level 3, 4, 5 messages). Or bad rules (if I just modified the
rules). Again, establish a baseline of "normal" activity.
Q6: Am I seeing (m)any messages that indicate hardware or configuration
issues? Those would be at the lower levels (1, 2, 3). Some people make this
Q2 when they first install their PIX until they get used to it.
Q7: Did you see PIX v6.x Syslog message ID 199002 in the log? Can you
explain why that is in there?
Q8: Are there any new messages that I have not seen before? If so, why are
they there?
Q9: What is the top denied protocol? How did it get denied?
Q10: What are the top 5 denied IP addresses? How did they get denied?
These are just ten of the rules that I talk about and often use. I have
like 30 more solid rules written down somewhere.
Liberty for All,
Brian
At 11:27 AM 7/29/2003 -0700, Marius Baicoianu wrote:
>Hi,
>
>I have read your messages in reference to the PIX
>logging and I would like to ask you a few things:
>- after I configure syslog and logrotate to log and
>rotate my system logs, what do I do next?
>- do you have an easy way to review these logs? scripts
>or procedures? I'm able to have all the PIX logs on a
>syslog server, and I am able to cut them daily, but I
>don't know what I am supposed to do next.... How can I
>review so much info?
>
>Please help.
>Thanks.
>
>
_______________________________________________
LogAnalysis mailing list
LogAnalysis@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis
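Brian's ten questions are a daily checklist that a script can answer from the rotated syslog file Marius already has. The following is an added example, not code from either poster or from the list: it parses PIX 6.x syslog lines as written by a Unix syslogd, then reports the message count (Q1), the percentage change against a baseline day (Q2/Q3), the breakdown by level (Q5/Q6), the number of ACL denies with message 106023 (Q4), any 199002 restart messages (Q7), message IDs not seen on the baseline day (Q8), and the top denied protocol and top five denied source addresses (Q9/Q10). The hostname, dates and log text are constructed; the message IDs and line layouts follow the PIX 6.x syslog formats, with 106001 and 106006 added as further deny messages beyond the ones named in the thread.

```python
"""Daily PIX syslog checklist (added example; not code from the list posts)."""
import re
from collections import Counter

# Constructed sample: two days of syslog lines from a PIX named "pix-ar",
# using documentation address ranges. Not real logs.
SAMPLE_LOG = """\
Jul 28 09:10:01 pix-ar %PIX-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.5/51234 (198.51.100.5/51234) to inside:10.1.1.5/80 (203.0.113.2/80)
Jul 28 09:10:05 pix-ar %PIX-6-302014: Teardown TCP connection 1001 for outside:198.51.100.5/51234 to inside:10.1.1.5/80 duration 0:00:04 bytes 2310 TCP FINs
Jul 28 11:42:17 pix-ar %PIX-4-106023: Deny tcp src outside:192.0.2.10/4455 dst inside:10.1.1.5/23 by access-group "outside_in"
Jul 28 13:00:00 pix-ar %PIX-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.6/40001 (198.51.100.6/40001) to inside:10.1.1.5/80 (203.0.113.2/80)
Jul 29 08:00:12 pix-ar %PIX-6-199002: PIX startup completed. Beginning operation.
Jul 29 09:15:33 pix-ar %PIX-6-302013: Built inbound TCP connection 1 for outside:198.51.100.5/52000 (198.51.100.5/52000) to inside:10.1.1.5/80 (203.0.113.2/80)
Jul 29 16:02:01 pix-ar %PIX-4-106023: Deny tcp src outside:192.0.2.10/5001 dst inside:10.1.1.5/22 by access-group "outside_in"
Jul 29 16:02:01 pix-ar %PIX-4-106023: Deny tcp src outside:192.0.2.10/5002 dst inside:10.1.1.5/23 by access-group "outside_in"
Jul 29 16:02:02 pix-ar %PIX-4-106023: Deny udp src outside:192.0.2.11/5003 dst inside:10.1.1.5/161 by access-group "outside_in"
Jul 29 16:02:03 pix-ar %PIX-2-106001: Inbound TCP connection denied from 192.0.2.12/6000 to 203.0.113.2/445 flags SYN on interface outside
Jul 29 16:02:04 pix-ar %PIX-2-106006: Deny inbound UDP from 192.0.2.12/6001 to 203.0.113.2/137 on interface outside
Jul 29 17:30:00 pix-ar %PIX-6-302013: Built inbound TCP connection 2 for outside:198.51.100.6/41000 (198.51.100.6/41000) to inside:10.1.1.5/80 (203.0.113.2/80)
"""

# syslogd header, then the PIX tag: %PIX-<level>-<6-digit message id>: <text>
HEADER_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2}) \d\d:\d\d:\d\d \S+ "
    r"%PIX-(?P<level>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# The deny messages carry protocol and source address in different layouts.
DENY_RES = (
    # 106023: Deny tcp src outside:A/p dst inside:B/q by access-group "x"
    re.compile(r"^Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ dst "),
    # 106001: Inbound TCP connection denied from A/p to B/q flags ... on interface ...
    re.compile(r"^Inbound (?P<proto>TCP|UDP) connection denied from (?P<src>[\d.]+)/\d+ "),
    # 106006: Deny inbound UDP from A/p to B/q on interface ...
    re.compile(r"^Deny inbound (?P<proto>UDP|TCP) from (?P<src>[\d.]+)/\d+ "),
)


def parse(text):
    """Turn raw syslog text into records; lines that are not PIX messages are skipped."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rec = {"date": m["date"], "level": int(m["level"]), "msgid": m["msgid"],
               "proto": None, "src": None}
        for deny_re in DENY_RES:
            d = deny_re.match(m["text"])
            if d:
                rec["proto"] = d["proto"].lower()  # PIX mixes "tcp" and "TCP"
                rec["src"] = d["src"]
                break
        records.append(rec)
    return records


def daily_report(records, today, baseline):
    """Answer the checklist for `today`, comparing against `baseline` (yesterday or last week)."""
    cur = [r for r in records if r["date"] == today]
    prev = [r for r in records if r["date"] == baseline]
    # Q2/Q3: percentage change against the baseline day; None when there is no baseline data
    pct = None if not prev else round((len(cur) - len(prev)) * 100.0 / len(prev), 1)
    denies = [r for r in cur if r["src"] is not None]
    return {
        "count": len(cur),                                                    # Q1
        "pct_change": pct,                                                    # Q2 / Q3
        "by_level": dict(sorted(Counter(r["level"] for r in cur).items())),   # Q5 / Q6
        "acl_denies": sum(1 for r in cur if r["msgid"] == "106023"),          # Q4
        "restarts": sum(1 for r in cur if r["msgid"] == "199002"),            # Q7
        "new_msgids": sorted({r["msgid"] for r in cur} - {r["msgid"] for r in prev}),  # Q8
        "top_denied_proto": Counter(r["proto"] for r in denies).most_common(1),        # Q9
        "top_denied_ips": Counter(r["src"] for r in denies).most_common(5),            # Q10
    }


if __name__ == "__main__":
    report = daily_report(parse(SAMPLE_LOG), "Jul 29", "Jul 28")
    for key, value in report.items():
        print(f"{key:17} {value}")
```

Run it on a day's rotated file by reading the file into `parse()` and passing today's and yesterday's date prefixes to `daily_report()`; for Q3, pass the same weekday of the previous week as the baseline instead. On the constructed sample the count doubles against the previous day, three of the four new message IDs are the restart and the two connection-denied messages, and 192.0.2.10 leads the denied-address list, which is the kind of jump Brian says should trigger the follow-up questions in Q4.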
This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 12:58:54 PDT