Logging PIX and Kiwi SysLog
Syslog daemons are small programs that listen for syslog messages arriving over the network on UDP port 514. When the sending device logs a message, the daemon writes it to a text file or a database for later use. Archiving and backing up your logs is very important: they can help you diagnose a security problem or support a legal one.
To get started, we need to enable logging on your firewall. To do this, follow these steps:
1- Log into your firewall
2- Enter those commands:
firewallname> enable
[enter enable password]
firewallname# conf t
firewallname(config)# logging on
firewallname(config)# logging trap debugging
firewallname(config)# logging host inside [ip of your syslog server]
firewallname(config)# write mem
You may also need to configure your PIX to send a timestamp along with each message if your syslog server doesn't generate one itself.
The command to generate a timestamp is: firewallname(config)# logging timestamp
In this case we won't need to do this, because the application we are using, the Kiwi Syslog Daemon, generates its own timestamp.
Many other network devices can also be configured to send syslog messages. For more details on enabling them for this purpose, please refer to your vendor's documentation.
At this point, the PIX will start sending all log messages over UDP port 514 to the IP you specified with the logging host inside [ip of your syslog server] command. If you haven't installed your syslog server yet, the messages will simply be dropped, with no harm done.
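The daemon side of what the first paragraph describes, as an added example that is not Kiwi's code or part of the original post: it decodes the <PRI> header the PIX puts in front of each message (facility * 8 + severity), pulls out the %PIX-severity-id tag, stamps the line itself (the case where logging timestamp is left off on the PIX) and appends one tab-delimited line per datagram. The column order mirroring Kiwi's ISO tab-delimited format, the port-514 listener and the sample deny message are assumptions; the sample datagram is constructed.

```python
import re
import socket
from datetime import datetime

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PIX_TAG = re.compile(r"%PIX-(\d)-(\d{6}):")   # %PIX-<severity>-<message id>:
# constructed sample datagram in the PIX default format (facility local4, no timestamp)
SAMPLE = (b'<164>%PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 '
          b'dst inside:192.0.2.10/23 by access-group "acl_out"')

def parse_datagram(data: bytes) -> dict:
    """Split '<PRI>body' into facility/severity (PRI = facility*8 + severity)."""
    text = data.decode("ascii", errors="replace")
    m = re.match(r"<(\d{1,3})>(.*)", text, re.DOTALL)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), m.group(2)
    else:                      # no usable PRI header: RFC 3164 says assume user.notice
        pri, body = 13, text
    fac, sev = divmod(pri, 8)
    rec = {"facility": FACILITIES[fac], "severity": SEVERITIES[sev],
           "message": body.strip(), "pix_id": None, "severity_mismatch": False}
    tag = PIX_TAG.search(body)
    if tag:
        rec["pix_id"] = tag.group(2)
        # the digit inside the %PIX tag should agree with the PRI severity
        rec["severity_mismatch"] = int(tag.group(1)) != sev
    return rec

def kiwi_line(rec: dict, host: str, now: datetime = None) -> str:
    """Date, time, Facility.Severity, source host, message, tab separated (assumed layout)."""
    now = now or datetime.now()   # daemon-side timestamp, as when the PIX sends none
    prio = f"{rec['facility'].capitalize()}.{rec['severity'].capitalize()}"
    return "\t".join([now.strftime("%Y-%m-%d"), now.strftime("%H:%M:%S"),
                      prio, host, rec["message"]])

def serve(log_path: str, bind: str = "0.0.0.0", port: int = 514) -> None:
    """Listen on UDP/514 (a privileged port) and append one line per datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    with open(log_path, "a", encoding="utf-8") as fh:
        while True:
            data, (src, _port) = sock.recvfrom(8192)
            fh.write(kiwi_line(parse_datagram(data), src) + "\n")
            fh.flush()
```

A mismatch between the PRI severity and the digit in the %PIX tag is worth flagging, since a collector that filters on PRI alone would sort such a message into the wrong severity.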
3- Install Kiwi Syslog Server on your target machine. The application is free unless you need some of the extended features.
4- Open the application, go to the File menu and click on Setup.
5- In the left panel, expand Rules -> Default -> Actions and check "Log to file".
6- In the right panel, replace the default path with the path of your choice, followed by the log prefix and a separator (a space or a dash), then click on "Insert AutoSplit value". Select Date -> ISO Date (yyyy-mm-dd) and end with ".log".
This will generate the path and file name automatically as shown in the example. Keep the log file format as "Kiwi format ISO yyyy-mm-dd (Tab delimited)".
7- Click apply.
At this point, if you have already configured PIX logging, your log file should start filling up. Be sure that you save the logs on a disk that has a lot of free space. I get about 70-80MB worth of data per day, growing each month as the activity on my firewall increases.
When all of this is done, you should enable archiving in your KIWI syslog server. This will compress and move your log files to a different location.
1- Open the application, go to the File menu and click on Setup.
2- Right-click Archiving -> Add new archive schedule.
3- In the new archive, select the archival frequency: daily, weekly or monthly.
4- Enter the Source (location of your log files) and Destination folder (location of your archived log files).
5- Matching file mask: enter the extension of your log files (*.log, *.txt, etc.).
6- Press "Archive now" to test the procedure.