Re: [logs] Granular Analysis of PIX syslogs

From: Jeff Saxton (jeff.saxton@private)
Date: Thu Feb 10 2005 - 19:48:58 PST


1) identify which messages you are interested in; there are several
hundred, so a script which granularly parses them all is a MAJOR
undertaking.

2) Get real familiar with perl and regular expressions ;)


>             Hi folks, I was directed here by a Mr. Tbird who maintains
> this list, below is a question I posed on another list.
>
>
>
>  I love the ability in the Checkpoint firewall logging
> applet that allows me to load up any former saved log file, and filter
> according to any criteria I set.
>
> Let's use an example:
>
> I want to show an auditor what exactly went through my firewall,
> to/from a specific DMZ host, between the hours of 1 and 3pm GMT, on July
> 8th, 2003.
>
> In Checkpoint, if I had correctly configured my ruleset, and archived my
> log files properly, I could provide this answer within 30 minutes.
>
> Fast forward to my current company, which went with a Cisco PIX
> solution based on the up front cost.  I can log all the connections to
> my heart's content, but boy, mining the data to help show what happened in
> my above example has been tiresome at best.
>
> Can anyone here please suggest to me some type of logging and, more
> relevantly, a granular log analyzer that can help me achieve this end?
>
> Currently I am logging all my PIX traffic to a host running Kiwi
> syslog daemon, which archives each days logs into a separate folder in
> the dated logs directory, creating a new directory named for each date
> in the year.
>
> I am looking for a less clunky solution.
>
> Any help is GREATLY appreciated.
>
> Thanks!
>
>
>
>  Carey Heck
> (o) 609.520.8522 x209
> (c) 732.768.7133
>
> www.strasz.com
>
> This message including any attachments may contain confidential
> information intended for a specific individual and purpose, and is
> protected by law. If you are not the intended recipient, you should
> delete this message. Any disclosure, copying, or distribution of this
> message is strictly prohibited.
>
>

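As an added illustration of Jeff's two points (pick the message IDs you care about, then regex them), here is the auditor question from the original post worked through in code. This is not code from the thread; Jeff suggests Perl, and the same regexes drop straight into Perl, but the example is in Python so it can be run as-is. It handles only five PIX message IDs: 302013/302014 (TCP connection built/torn down), 302015/302016 (the UDP equivalents) and 106023 (packet denied by an access-group); everything else is deliberately skipped. The sample log lines, the hostname pix1, the addresses and the plain "Mon DD HH:MM:SS host %PIX-sev-id: text" line layout are all constructed for the example; Kiwi's on-disk files carry their own prefix columns, so the PREFIX regex is the part to adapt.

```python
import re
from datetime import datetime

# Constructed sample input for the example (not from the original post). The layout
# assumed here is a plain "Mon DD HH:MM:SS host %PIX-sev-id: text" syslog line; Kiwi's
# per-day files add their own prefix columns, so adapt PREFIX to what is on disk.
SAMPLE_LOG = """\
Jul  8 12:59:58 pix1 %PIX-6-302013: Built inbound TCP connection 4410 for outside:198.51.100.7/3311 (198.51.100.7/3311) to dmz:172.16.1.5/80 (203.0.113.5/80)
Jul  8 13:02:11 pix1 %PIX-6-302013: Built inbound TCP connection 4412 for outside:198.51.100.7/3312 (198.51.100.7/3312) to dmz:172.16.1.5/80 (203.0.113.5/80)
Jul  8 13:02:40 pix1 %PIX-6-302014: Teardown TCP connection 4412 for outside:198.51.100.7/3312 to dmz:172.16.1.5/80 duration 0:00:29 bytes 8812 (TCP FINs)
Jul  8 13:15:03 pix1 %PIX-6-302015: Built outbound UDP connection 4420 for dmz:172.16.1.5/1027 (203.0.113.5/1027) to outside:192.0.2.53/53 (192.0.2.53/53)
Jul  8 13:30:17 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.99/4455 dst dmz:172.16.1.5/22 by access-group "outside_access_in"
Jul  8 14:05:55 pix1 %PIX-6-302013: Built outbound TCP connection 4431 for inside:10.1.1.9/2211 (10.1.1.9/2211) to dmz:172.16.1.9/443 (172.16.1.9/443)
Jul  8 14:20:00 pix1 %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.9/2222 to outside:203.0.113.5/1040
Jul  8 15:00:00 pix1 %PIX-6-302013: Built inbound TCP connection 4440 for outside:198.51.100.7/3320 (198.51.100.7/3320) to dmz:172.16.1.5/80 (203.0.113.5/80)
"""

# Syslog prefix (assumed layout, see above) up to and including the PIX message ID.
PREFIX = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
    r'\S+ %PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$')

# 302013/302014 (TCP) and 302015/302016 (UDP): connection built / torn down. The
# inbound/outbound word and the "(mapped-addr/port)" groups appear only on Built lines.
CONN = re.compile(
    r'^(?P<action>Built|Teardown) (?:(?:inbound|outbound) )?(?P<proto>TCP|UDP) '
    r'connection (?P<cid>\d+) for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)'
    r'(?: \([\d.]+/\d+\))? to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)'
    r'(?: \([\d.]+/\d+\))?')

# 106023: packet denied by an access-group.
DENY = re.compile(
    r'^Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

# Jeff's point 1: only the message IDs we chose to understand are parsed at all.
HANDLED = {'302013': CONN, '302014': CONN, '302015': CONN, '302016': CONN, '106023': DENY}


def parse_line(line, year):
    """Parse one syslog line into a dict, or return None if it is not a handled message.

    Syslog timestamps carry no year, so the caller supplies it (the original poster's
    Kiwi directory names encode the date). The timestamp is taken at face value; make
    sure the PIX clock and the syslog host agree on a time zone before answering a
    question phrased in GMT.
    """
    m = PREFIX.match(line)
    if not m or m['id'] not in HANDLED:
        return None
    body = HANDLED[m['id']].match(m['body'])
    if not body:
        return None
    rec = body.groupdict()
    rec['id'] = m['id']
    rec['ts'] = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    rec['proto'] = rec['proto'].upper()      # 106023 logs "tcp", 302013 logs "TCP"
    rec.setdefault('action', 'Deny')         # DENY has no action group
    rec['raw'] = line
    return rec


def query(log_text, year, host, start, end):
    """Handled messages naming `host` as either endpoint, with start <= ts < end."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec and host in (rec['src'], rec['dst']) and start <= rec['ts'] < end:
            hits.append(rec)
    return hits


def peer_summary(hits, host):
    """Count matches per (action, proto, peer address); peer is the endpoint that is not host."""
    counts = {}
    for r in hits:
        peer = r['dst'] if r['src'] == host else r['src']
        key = (r['action'], r['proto'], peer)
        counts[key] = counts.get(key, 0) + 1
    return counts


def example_hits():
    """The original poster's audit question run against SAMPLE_LOG: traffic to or from
    DMZ host 172.16.1.5 from 13:00 up to (not including) 15:00 on 8 July 2003."""
    return query(SAMPLE_LOG, 2003, '172.16.1.5',
                 datetime(2003, 7, 8, 13, 0, 0), datetime(2003, 7, 8, 15, 0, 0))


if __name__ == '__main__':
    hits = example_hits()
    for r in hits:
        print(r['ts'], r['id'], r['raw'].split(': ', 1)[1])
    for key, n in sorted(peer_summary(hits, '172.16.1.5').items()):
        print(n, *key)
```

Against the sample the query returns four records (a Built/Teardown pair for the web connection, the outbound DNS lookup and the denied SSH attempt); the 12:59:58 line falls before the window, the 15:00:00 line is excluded because the end of the window is treated as exclusive, and the 305011 translation message is ignored because it is not in HANDLED. Two things an auditor will ask about that the script cannot answer by itself: whether every message ID relevant to the host was on the HANDLED list, and whether the timestamps in the files are really GMT (they are whatever the PIX or the Kiwi host stamped them with).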


_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Fri Feb 11 2005 - 20:57:02 PST