pix log question

How can I scan the log for a certain IP address? This is my first time running a pix and the logging is tough.

Reply to
LWG

In article , LWG wrote:
:How can I scan the log for a certain IP address? This is my first time
:running a pix and the logging is tough.

PIX can log to memory, but it does not save very many entries at a time... a few hundred at most. If the entry you are looking for happens to be in the log buffer and you have a new enough PIX version, then you can do, e.g.,

show log | grep 192.168.1.123

Beyond that you will have to have the PIX log via syslog (normally udp port 514) to a computer system, at which point it becomes a matter of how that particular computer system allows you to search logs. If you are logging via a traditional syslogd that writes to a file, you can use, e.g.,

grep 192.168.1.123 /var/logs/pixlog

where /var/logs/pixlog is the name of the file your syslogd is writing to. [If you are using one of the Windows syslog daemons, then... urrr, Microsoft probably has an add-on package they can sell you to search whatever proprietary file format is used.]

There are a couple of tricks you should know about searching the PIX logs:

- Messages about traffic permitted, or about translations built or torn down, always use the numeric address

- If you have used the PIX 'name' command to establish a readable name for an IP address, then the PIX will use the name (not the numeric IP address) in any message about traffic denied [that I can think of at the moment.]

- Messages about VPNs can be a bit of a mix, -mostly- using names when available, but sometimes using IP addresses even when a name exists

Thus if you have used 'name' for an IP address and you are looking for information about that IP address, and you want all kinds of messages about it, then you should search for both the name and the IP address.

If you are using a Unix variant to do the logging to a file, the easiest way to search for both variations is probably to use 'egrep'. For example, if you have used

name 192.168.1.123 MyServer

and the logging is to (e.g.,) /var/logs/pixlog then you would search via

egrep 'MyServer|192.168.1.123' /var/logs/pixlog

I will not get into advanced egrep features here.

Reply to
Walter Roberson
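The name-or-address search described above, as an added shell example that is not code from the thread: it reads the 'name' bindings out of a saved PIX config, builds the egrep alternation for one address automatically, and searches the syslog file. The config, the log lines and the file paths are constructed for the example; the sample lines only approximate PIX syslog output.

```shell
#!/bin/sh
# Added example: search a PIX syslog file for a host under BOTH its numeric
# address and the readable 'name' the PIX substitutes in deny messages.
# The config, log and paths below are constructed sample data.

# Print the egrep alternation for one IP: the IP with dots escaped, plus
# any name bound to it by a 'name <ip> <name>' line in the PIX config.
pix_pattern() {
    ip="$1"; cfg="$2"
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    nm=$(awk -v ip="$ip" '$1 == "name" && $2 == ip { print $3; exit }' "$cfg")
    if [ -n "$nm" ]; then printf '%s|%s' "$nm" "$esc"; else printf '%s' "$esc"; fi
}

# Print every log line mentioning the host by name or by address.
# -w makes a search for 192.168.1.12 skip lines about 192.168.1.123.
pix_grep() {
    grep -Ew "($(pix_pattern "$1" "$2"))" "$3"
}

# Count such lines (wc's status masks grep's exit 1 when nothing matches).
pix_count() {
    pix_grep "$1" "$2" "$3" | wc -l | tr -d ' '
}

# --- constructed sample data ---
WORK=$(mktemp -d)
PIX_CFG="$WORK/pix.cfg"
PIX_LOG="$WORK/pixlog"
cat > "$PIX_CFG" <<'EOF'
name 192.168.1.123 MyServer
name 192.168.1.50 Printer
EOF
cat > "$PIX_LOG" <<'EOF'
Jan 10 10:01:02 pix %PIX-6-302013: Built outbound TCP connection 1 for outside:10.0.0.5/80 (10.0.0.5/80) to inside:192.168.1.123/4321 (203.0.113.9/4321)
Jan 10 10:01:05 pix %PIX-4-106023: Deny tcp src outside:10.0.0.7/5555 dst inside:MyServer/22 by access-group "outside_in"
Jan 10 10:01:09 pix %PIX-6-302014: Teardown TCP connection 1 for outside:10.0.0.5/80 to inside:192.168.1.12/4321 duration 0:00:07 bytes 512
Jan 10 10:01:11 pix %PIX-6-302013: Built outbound TCP connection 2 for outside:10.0.0.5/80 (10.0.0.5/80) to inside:Printer/9100 (203.0.113.9/9100)
EOF

# Both the "Built" line (numeric) and the "Deny" line (by name) show up.
pix_grep 192.168.1.123 "$PIX_CFG" "$PIX_LOG"
```

Point pix_grep at the real config and /var/logs/pixlog to use it outside the sample; an address with no 'name' line falls back to a plain escaped-IP search.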

Logging can be tough at first, use it as a tool and it can be fun, useful and make you look real good.

If you have some sort of *nix box available you should use it. If you don't have one available you should consider getting one. ;) If you don't feel this is feasible, check out "Cat Tools" from Kiwi.

Just to add onto what Walter pointed out, a good log repository is very important so you can go find out what happened at specific times or days.

If you are looking for real time log monitoring you can actually watch the log real time with "tail -f /path/to/pix.log", and if you feel like the log should let you know when something happens you can use something like swatch (available on sourceforge) to send you an email when something specific happens. Very useful when your office calls you to let you know something's down and you can let them know that you are already working on it!

Make your logs work for you. Depending on your network and comfort level, this can take anywhere from a couple of hours to several weeks to get worked out, but once they are set up correctly they will be there when you need them.

-- Laugh at your problems; everybody else does.


Reply to
Wil Schultz

In article , Wil Schultz wrote:
:and if you feel like the log should let you know when something happens
:you can use something like swatch (available on sourceforge) to send you
:an email when something specific happens. Very useful when your office
:calls you to let you know something's down and you can let them know that
:you are already working on it!

They let you -leave- your office??

Reply to
Walter Roberson

Ha, only with a blackberry, laptop and PCS wireless card...

-- Laugh at your problems; everybody else does.


Reply to
Wil Schultz
