Tina, I think I got it. You look for : >Host OS messages as applicable We only have the one OS in PIX and we log what's happening. >Configuration changes Yes. We log when ever the configuration is changed and who did it. >Adds/deletes/changes of admin accounts If the account is defined locally then that would be a configuration change. >Administrative traffic from .unexpected. locations (like the Internet) Hmm. We have the concept of a management interface. If someone tries to get at management from a non-management interface we don't allow the connection. I don't know off the top if we issue a log message. I recall a debate about creating a DOS if we did. I'll check. >Connection logs (start/stop/amt of data) We got that. It's in multiple messages and requires off box analysis. and you wanted to know: >questions to the list: > >1) what kinds of noteworthy firewall events have i missed? When you said "Host OS messages as applicable"; the way I interpret that is there are three buckets into which I throw messages. Messages that are issued as part of the normal operation go in one bucket. Messages that are issued irregularly when defined things happen go into another bucket. And then there are messages that signal a problem that go into a "red" bucket. So for my three "buckets" I do this: - I like to count the normal operations messages and make sure that I create some baseline (between x-y per hour or y-z per day). This baseline is a kind of load gauge for the device. - The "irregular" messages usually require correlation with other conditions or events. If someone were auditing what I was doing they would ask about those. I should have an explanation. How often I do that depends on what I can get away with (audit interval). - The "problem" messages are the ones that I want to be paged about. Things will soon or have already gone pear shaped and something needs to be done soon. >2) for the default logging config on <insert name of your fave firewall >here), which of these events get logged? which don't? Inserting PIX: We log events that fall into all these buckets. Some functionality (like failover) is amazingly well logged and can fall into multiple categories. Most of the time I talk to people about this they ask me to tell them about "events". Analyzing log data I can put most people to sleep telling you about this, that, and the other events. The challenge here is for someone to come up with a really good list of events that we should tell everyone about. The ICSA Firewall program folks have done a decent job of heading down that road. >3) is the logging config controlled anywhere other than in >/etc/syslog.conf? In PIX the logging configuration is controlled by what's in the local configuration file. >4) if stuff's not in syslog or equiv, where is it and how can i grab it? The only stuff that isn't in the syslog is stored in a (pcap) file. The PIX can also capture traffic, store it locally (so what you can capture is based on memory in your PIX), and then push that file over to a TFTP server for further analysis. >5) can you contribute sample data, with details of non-standard logging >configs, for any of these events? Yes. Liberty for All, Brian At 10:26 PM 10/21/2003 -0700, Tina Bird wrote: >so here's my list of events on a firewall i'd like to keep track of: > >Host OS messages as applicable >Configuration changes >Adds/deletes/changes of admin accounts >Administrative traffic from .unexpected. locations (like the Internet) >Connection logs (start/stop/amt of data) > >on FW-1, config changes from the GUI are stored in a text file called >$FWDIR/logs/cpmgmt.aud -- which i can clearly grab and push to syslog. >config changes from the command line are written to syslog directly. new >users with root privs are logged to syslog. user deletes and changes are >harder to track. connection logs can be grabbed in a variety of ways and >are easier to handle if i name them in obvious ways (and figure out a way >to get the number-to-name mapping into the logs directly) (i don't know if >it's possible to get fw-1 to log with rule names rather than numbers). > >questions to the list: > >1) what kinds of noteworthy firewall events have i missed? >2) for the default logging config on <insert name of your fave firewall >here), which of these events get logged? which don't? >3) is the logging config controlled anywhere other than in >/etc/syslog.conf? >4) if stuff's not in syslog or equiv, where is it and how can i grab it? >5) can you contribute sample data, with details of non-standard logging >configs, for any of these events? Brian Ford Consulting Engineer, Security & Integrity Specialist Office of Strategic Technology Planning Cisco Systems Inc. http://www.cisco.com/go/safe/ The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc. _______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Oct 24 2003 - 15:32:54 PDT