Re: [logs] firewall logging and rulesets

From: Bill Mathews (billford@private)
Date: Fri Oct 24 2003 - 16:40:33 PDT


    Brian,
    
       I've used the Pix quite a bit. I've never seen it log configuration
    changes and who did them. Where would I see that, in the standard
    syslog output or is it the Cisco management stuff? I'm really
    interested in getting the Pix to get more details in the logging (love
    the 6.3 ACL logging, I think that rocks). I'd love to see a sample
    heavy logging config.
    
    Bill
    
    
    -- 
    Bill Mathews
    Open Source Software Advocate
    billford@private
    
    The wise and noble Brian Ford spiteth forth upon the land, these thoughts:
    > Tina,
    >
    > I think I got it. You look for:
    >
    >>Host OS messages as applicable
    > We only have the one OS in PIX and we log what's happening.
    >
    >>Configuration changes
    > Yes.  We log whenever the configuration is changed and who did it.
    >
    >>Adds/deletes/changes of admin accounts
    > If the account is defined locally then that would be a configuration
    > change.
    >
    >>Administrative traffic from "unexpected" locations (like the Internet)
    > Hmm.  We have the concept of a management interface.  If someone tries to
    > get at management from a non-management interface we don't allow the
    > connection.  I don't know off the top if we issue a log message.  I recall
    > a debate about creating a DOS if we did.  I'll check.
    >
    >>Connection logs (start/stop/amt of data)
    > We got that.  It's in multiple messages and requires off box analysis.
    >
    > and you wanted to know:
    >>questions to the list:
    >>
    >>1) what kinds of noteworthy firewall events have i missed?
    >
    > When you said "Host OS messages as applicable"; the way I interpret that
    > is there are three buckets into which I throw messages.  Messages that are
    > issued as part of the normal operation go in one bucket.  Messages that
    > are issued irregularly when defined things happen go into another bucket.
    > And then there are messages that signal a problem that go into a "red"
    > bucket.  So for my three "buckets" I do this:
    >
    > - I like to count the normal operations messages and make sure that I
    > create some baseline (between x-y per hour or y-z per day).  This baseline
    > is a kind of load gauge for the device.
    > - The "irregular" messages usually require correlation with other
    > conditions or events.  If someone were auditing what I was doing they
    > would ask about those.  I should have an explanation.  How often I do that
    > depends on what I can get away with (audit interval).
    > - The "problem" messages are the ones that I want to be paged
    > about.  Things will soon or have already gone pear shaped and something
    > needs to be done soon.
    >
    >>2) for the default logging config on <insert name of your fave firewall
    >>here>, which of these events get logged?  which don't?
    >
    > Inserting PIX:
    > We log events that fall into all these buckets.  Some functionality (like
    > failover) is amazingly well logged and can fall into multiple categories.
    >
    > Most of the time I talk to people about this they ask me to tell them
    > about "events".  Analyzing log data I can put most people to sleep telling
    > you about this, that, and the other events.  The challenge here is for
    > someone to come up with a really good list of events that we should tell
    > everyone about.  The ICSA Firewall program folks have done a decent job of
    > heading down that road.
    >
    >>3) is the logging config controlled anywhere other than in
    >>/etc/syslog.conf?
    >
    > In PIX the logging configuration is controlled by what's in the local
    > configuration file.
    >
    >>4) if stuff's not in syslog or equiv, where is it and how can i grab it?
    >
    > The only stuff that isn't in the syslog is stored in a (pcap) file.  The
    > PIX can also capture traffic, store it locally (so what you can capture
    > is based on memory in your PIX), and then push that file over to a TFTP
    > server for further analysis.
    >
    >>5) can you contribute sample data, with details of non-standard logging
    >>configs, for any of these events?
    >
    > Yes.
    >
    > Liberty for All,
    >
    > Brian
    >
    >
    > At 10:26 PM 10/21/2003 -0700, Tina Bird wrote:
    >
    >>so here's my list of events on a firewall i'd like to keep track of:
    >>
    >>Host OS messages as applicable
    >>Configuration changes
    >>Adds/deletes/changes of admin accounts
    >>Administrative traffic from "unexpected" locations (like the Internet)
    >>Connection logs (start/stop/amt of data)
    >>
    >>on FW-1, config changes from the GUI are stored in a text file called
    >>$FWDIR/logs/cpmgmt.aud -- which i can clearly grab and push to syslog.
    >>config changes from the command line are written to syslog directly.  new
    >>users with root privs are logged to syslog.  user deletes and changes are
    >>harder to track.  connection logs can be grabbed in a variety of ways and
    >>are easier to handle if i name them in obvious ways (and figure out a way
    >>to get the number-to-name mapping into the logs directly) (i don't know if
    >>it's possible to get fw-1 to log with rule names rather than numbers).
    >>
    >>questions to the list:
    >>
    >>1) what kinds of noteworthy firewall events have i missed?
    >>2) for the default logging config on <insert name of your fave firewall
    >>here>, which of these events get logged?  which don't?
    >>3) is the logging config controlled anywhere other than in
    >>/etc/syslog.conf?
    >>4) if stuff's not in syslog or equiv, where is it and how can i grab it?
    >>5) can you contribute sample data, with details of non-standard logging
    >>configs, for any of these events?
    >
    >
    > Brian Ford
    > Consulting Engineer, Security & Integrity Specialist
    > Office of Strategic Technology Planning
    > Cisco Systems Inc.
    > http://www.cisco.com/go/safe/
    >
    > The opinions expressed in this message are those of the author and not
    > necessarily those of Cisco Systems, Inc.
    >
    >
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
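Two things in the thread above lend themselves to a worked example: Brian's three buckets (count the normal chatter against a baseline, keep the irregular messages for audit, page on the problem ones) and his remark that PIX connection logs are spread across several messages and need off-box analysis. The script below is an added example written for this page; it is not code from the list, from Bill, Brian or Tina, nor from Cisco. The log lines are constructed in the `%PIX-<severity>-<msgid>:` syslog style, and the message IDs, the severity-to-bucket mapping and the baseline thresholds are assumptions for the demonstration, not a reference for any real deployment.

```python
"""Sort PIX-style syslog lines into three buckets (normal / irregular /
problem) and stitch connection Built/Teardown messages back into one
record per flow.  Added example, not code from the LogAnalysis thread or
from Cisco.  Sample lines are constructed; message IDs and thresholds are
assumptions."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in PIX syslog style (not captured device output).
SAMPLE_LOG = """\
Oct 24 16:01:02 fw1 %PIX-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.10/80 (198.51.100.10/80) to inside:10.1.1.5/4231 (203.0.113.1/4231)
Oct 24 16:01:03 fw1 %PIX-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.11/443 (198.51.100.11/443) to inside:10.1.1.6/4232 (203.0.113.1/4232)
Oct 24 16:01:09 fw1 %PIX-6-302014: Teardown TCP connection 1001 for outside:198.51.100.10/80 to inside:10.1.1.5/4231 duration 0:00:07 bytes 8421 TCP FINs
Oct 24 16:02:15 fw1 %PIX-5-111008: User 'enable_15' executed the 'access-list outside_in line 3 permit tcp any host 203.0.113.5 eq 22' command.
Oct 24 16:02:40 fw1 %PIX-4-106023: Deny tcp src outside:192.0.2.9/5555 dst inside:10.1.1.5/445 by access-group "outside_in"
Oct 24 16:03:01 fw1 %PIX-1-105003: (Primary) Monitoring on interface outside waiting
Oct 24 16:03:30 fw1 %PIX-6-302014: Teardown TCP connection 1002 for outside:198.51.100.11/443 to inside:10.1.1.6/4232 duration 0:02:27 bytes 19520 TCP Reset-I
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ (?P<hh>\d\d):\d\d:\d\d) (?P<host>\S+) "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
BUILT_RE = re.compile(r"Built (?:in|out)bound TCP connection (?P<cid>\d+)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<cid>\d+) .*duration (?P<dur>\d+:\d\d:\d\d) "
    r"bytes (?P<bytes>\d+)")

# Assumed IDs forced into the "irregular" bucket whatever their severity:
# 111008 = admin executed a command (config change), 106023 = ACL deny.
IRREGULAR_IDS = {"111008", "106023"}


def parse_line(line):
    """Split one syslog line into timestamp, host, severity, msgid, text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def bucket(rec):
    """normal = routine chatter to count against a baseline;
    irregular = needs an explanation at audit time; problem = page someone."""
    if rec["sev"] <= 2:
        return "problem"
    if rec["msgid"] in IRREGULAR_IDS or rec["sev"] <= 5:
        return "irregular"
    return "normal"


def stitch_connections(records):
    """Join Built/Teardown pairs by connection ID so each flow carries
    start, stop, duration and byte count in a single record."""
    flows = defaultdict(dict)
    for rec in records:
        m = BUILT_RE.search(rec["text"])
        if m:
            flows[m["cid"]]["start"] = rec["ts"]
            continue
        m = TEARDOWN_RE.search(rec["text"])
        if m:
            flows[m["cid"]].update(stop=rec["ts"], duration=m["dur"],
                                   bytes=int(m["bytes"]))
    return dict(flows)


def summarize(log_text, normal_per_hour=(1, 1000)):
    """Bucket counts, the lines to page on, the lines to keep for audit,
    normal-message volume per hour checked against an assumed baseline
    range, and the stitched flows."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    buckets = Counter(bucket(r) for r in records)
    per_hour = Counter(r["hh"] for r in records if bucket(r) == "normal")
    low, high = normal_per_hour
    off_baseline = sorted(h for h, n in per_hour.items() if not low <= n <= high)
    return {
        "buckets": dict(buckets),
        "page": [r["text"] for r in records if bucket(r) == "problem"],
        "audit": [r["text"] for r in records if bucket(r) == "irregular"],
        "normal_per_hour": dict(per_hour),
        "off_baseline_hours": off_baseline,
        "flows": stitch_connections(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

The baseline range is deliberately a parameter: the point of the "normal" bucket is volume, so an hour with far fewer or far more routine messages than usual is itself worth a look (a dead interface or a flood), even though no single line in it is alarming. A Teardown without a matching Built, or the reverse, shows up as a flow record missing one half, which is the kind of gap the off-box correlation is there to expose.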
    



    This archive was generated by hypermail 2b30 : Fri Oct 24 2003 - 16:43:32 PDT