Firewall Wizards mailing list archives

RE: Syslog monitoring and usage.


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Wed, 14 Jul 2004 09:00:23 -0400

Cisco publishes the definitions of all of the syslog messages that can
be generated by a PIX firewall:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/index.htm

As far as the 'IDS' syslog messages that it generates, keep in mind that
the PIX is only capable of "atomic" checks, meaning that it only alerts
on the behavior of a single packet.  Aside from some older DoS attacks
and certain types of stealth port scans, the PIX is useless as an IDS.

PaulM

PS - If you want to see everything the PIX can send to the syslog server,
make sure 'logging console debugging' is set in the config.  Of course,
on a busy firewall, this can lead to ~300MB/day in log files, so it may
only be useful for a short period of time or when used in conjunction
with automated log analysis software.


-----Original Message-----
I am trying to learn the ins and outs of using Syslog.  I am
at my second job where I have installed and configured another
Pix, but have never really got into Syslog.  I am currently
using KIWI syslog daemon. I would like to better find out
what the messages mean, and how to track down port scans, and
other security related issues that syslog may reveal. To sum
it up I want to be able to have a good understanding of a log
file that comes from a Pix.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
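Paul's point is that the PIX only judges one packet at a time, so the correlation that turns many "atomic" deny events into a port-scan alert has to happen in the log analysis software the PS mentions. The following script is an added example, not code from the thread or from Cisco: it parses syslog lines in the shape of the PIX 6.3 %PIX-4-106023 "Deny ... by access-group" message, groups the denies by (source, destination), and raises an alert when one source is denied on several distinct destination ports within a short time window. The sample log lines, the hostname "pix1", the ACL name, the addresses, the 60-second window and the five-port threshold are all constructed for the example; the year is assumed because BSD-style syslog timestamps carry none.

```python
"""Correlate per-packet PIX deny messages into a port-scan alert.

Added example (not from the mailing-list thread). Sample lines below are
constructed in the shape of the PIX 6.3 %PIX-4-106023 message; thresholds
and the assumed year are choices for this example, not a published rule.
"""
import re
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2004  # syslog timestamps carry no year; assumed for parsing

# Constructed sample syslog lines (hostname, ACL name and addresses are made up).
# 203.0.113.7 probes seven ports on one host in 14 seconds; 203.0.113.9 probes
# five ports two minutes apart; the 302013 line is a non-deny message to skip.
SAMPLE_LOG = """\
Jul 14 09:00:01 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/41234 dst inside:192.168.1.10/21 by access-group "outside_in"
Jul 14 09:00:02 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/41235 dst inside:192.168.1.10/22 by access-group "outside_in"
Jul 14 09:00:04 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/41236 dst inside:192.168.1.10/23 by access-group "outside_in"
Jul 14 09:00:05 pix1 %PIX-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.5/80 to inside:192.168.1.50/33000
Jul 14 09:00:07 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/41237 dst inside:192.168.1.10/25 by access-group "outside_in"
Jul 14 09:00:09 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/41238 dst inside:192.168.1.10/80 by access-group "outside_in"
Jul 14 09:00:12 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/41239 dst inside:192.168.1.10/110 by access-group "outside_in"
Jul 14 09:00:15 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/41240 dst inside:192.168.1.10/443 by access-group "outside_in"
Jul 14 09:01:00 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.9/50000 dst inside:192.168.1.10/22 by access-group "outside_in"
Jul 14 09:03:00 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.9/50001 dst inside:192.168.1.10/23 by access-group "outside_in"
Jul 14 09:05:00 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.9/50002 dst inside:192.168.1.10/25 by access-group "outside_in"
Jul 14 09:07:00 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.9/50003 dst inside:192.168.1.10/80 by access-group "outside_in"
Jul 14 09:09:00 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.9/50004 dst inside:192.168.1.10/443 by access-group "outside_in"
"""

# One regex for the "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group" shape.
DENY_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): '
    r'Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"$'
)


def parse_line(line):
    """Return a dict for a 106023 deny line, or None for any other message."""
    m = DENY_RE.match(line)
    if m is None or m.group("msgid") != "106023":
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{ASSUMED_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(lines, window_seconds=60, min_ports=5):
    """Flag (src, dst) pairs denied on >= min_ports distinct ports inside one window.

    For each pair the events are time-ordered and a sliding window finds the
    largest set of distinct destination ports seen within window_seconds.
    """
    hits = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            hits[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))

    alerts = []
    for (src, dst), events in sorted(hits.items()):
        events.sort()
        best_ports = set()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) > len(best_ports):
                best_ports = ports
        if len(best_ports) >= min_ports:
            alerts.append({"src": src, "dst": dst, "ports": sorted(best_ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"possible port scan: {alert['src']} -> {alert['dst']} "
              f"ports {alert['ports']}")
```

Run against the constructed sample, the fast probe from 203.0.113.7 is reported and the slow probe from 203.0.113.9 is not, because its denies are two minutes apart; widening `window_seconds` to ten minutes catches it at the cost of more noise on a busy firewall. That trade-off between window size and false positives is the tuning that an automated log analyzer does and the PIX itself cannot.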