We recently purchased a piece of software that is going to inspect our syslog log files and alert us based on specific queries. The software, however, was not written to read Cisco syslog specifically, so we have to define pretty tightly what we want to alert on. I have been reviewing the documentation regarding the ASA/PIX syslog format, and it seems helpful, except there are so many damn messages and message types.
Does anyone have any suggestions regarding what to specifically look for in the logs? I know this is a very vague question, and I know a lot of it is based on the position and functionality of our ASAs, but what I am really looking for are perhaps some guidelines, or perhaps a sample of what others are doing. Perhaps there is some documentation, other than the massive list of all messages, that might lend some guidance?
The problem in theory, of course, is that I can look through our current logs and identify items to be alerted against, but how does one anticipate what is going to be in the logs when an actual security attack/emergency occurs?
Any help is greatly appreciated.
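As an added illustration of the kind of rule set the question is asking about (not code from the original post or from any product), the example below parses the ASA/PIX syslog header (`%ASA-<severity>-<message_id>: <text>`) and applies three defender-side rules: alert on any message with severity 0 to 3, alert on a short watch list of message IDs taken from Cisco's syslog message guide (106023 ACL deny, 113015 AAA rejection, 111008 command executed), and alert when one source address trips an ACL deny repeatedly. The sample log lines are constructed for the example; the exact wording of real messages may differ slightly.

```python
import re
from collections import Counter

# ASA/PIX/FWSM syslog header: %ASA-<severity 0-7>-<six-digit message id>: <text>
HEADER = re.compile(r"%(?:ASA|PIX|FWSM)-(\d)-(\d{6}):\s*(.*)")
# Source address inside a 106023 "Deny ... src <ifc>:<ip>/<port>" message
DENY_SRC = re.compile(r"src \S+?:(\d{1,3}(?:\.\d{1,3}){3})")

# Message IDs worth alerting on regardless of severity (Cisco message guide)
WATCHED_IDS = {
    "113015": "AAA user authentication rejected",
    "111008": "configuration command executed on the firewall",
}

def parse(line):
    """Return {'severity', 'id', 'text'} for an ASA syslog line, or None."""
    m = HEADER.search(line)
    if not m:
        return None
    sev, msg_id, text = m.groups()
    return {"severity": int(sev), "id": msg_id, "text": text}

def evaluate(lines, deny_threshold=3):
    """Apply the three rules and return the list of alert strings."""
    alerts, denies = [], Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:                      # not an ASA message; skip it
            continue
        if ev["severity"] <= 3:             # rule 1: emergencies .. errors
            alerts.append(f"severity-{ev['severity']} {ev['id']}: {ev['text']}")
        if ev["id"] in WATCHED_IDS:         # rule 2: watched message IDs
            alerts.append(f"{WATCHED_IDS[ev['id']]}: {ev['text']}")
        if ev["id"] == "106023":            # rule 3: count ACL denies per source
            m = DENY_SRC.search(ev["text"])
            if m:
                denies[m.group(1)] += 1
    for src, n in denies.items():
        if n >= deny_threshold:
            alerts.append(f"ACL deny x{n} from {src}")
    return alerts

# Constructed sample lines (documentation addresses, not a real network)
SAMPLE = [
    "Jan 10 10:01:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.9/51234 dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    "Jan 10 10:01:03 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.9/51235 dst inside:10.0.0.5/23 by access-group \"outside_in\"",
    "Jan 10 10:01:04 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.9/51236 dst inside:10.0.0.5/3389 by access-group \"outside_in\"",
    "Jan 10 10:01:05 fw1 %ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.8/50000 (10.0.0.8/50000)",
    "Jan 10 10:01:06 fw1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin",
    "Jan 10 10:01:07 fw1 %ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/4444 to 10.0.0.5/23 flags SYN on interface outside",
    "Jan 10 10:01:08 fw1 %ASA-5-111008: User 'admin' executed the 'no logging enable' command.",
    "Jan 10 10:01:09 fw1 not an ASA message at all",
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE):
        print(a)
```

Against the sample, the connection-built message (severity 6) and the non-ASA line produce nothing, while the rejected login, the severity-2 denial, the executed command and the three ACL denies from one source each raise an alert.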