Archiving and analyzing your Cisco PIX firewall logs: Part 1
Did you ever wonder about what was happening on on your firewall? What is going out? What is getting in? These are questions that all good system administrators should be asking themselves. It is your duty to know about these things after all. This guide will provide you the methods to let you archive and analyze your logs if you are using a Cisco PIX firewall. All respectable firewall manufacturers provide you the means to do it, this guide may even help you if you aren’t using a PIX.
Cisco firewalls are amongst the best security products on the market. Ranging from small plug and play security appliances for SMBs and homes (Pix 501, 506), to huge gigabit firewalls with superior protection for large enterprises (pix 515, 525, 535). Cisco PIX firewalls provide superior security, performance and reliability for environments of all sizes.
The first part of this article will guide your through the steps needed to turn on logging, and send it over to a syslog server.
Syslog daemons are little programs that listen to syslog messages coming over the network over port 514UDP. When a message gets logged in the application, the daemon dumps it in a text file or a database for later use. Archiving and backuping your log is very important: they can be very useful to help you diagnostic a security problem or help with a legal one.
To get started, we need to enable logging in your firewall, to do this follow these steps:
1- Log into your firewall
2- Enter those commands:
[enter enable password]
firewallname# conf t
firewallname(config)# logging on
firewallname(config)# logging trap debugging
firewallname(config)# logging host inside [ip of your syslog server]
firewallname(config)# write mem
You may also need to configure your pix to send a timestamp along with each message if your syslog server doesn’t generate one itself.
The command to generate a timestamp is: firewallname(config)# logging timestamp
In this case we won’t need to do this because the application we are using, named KIWI syslog daemon, generates its own timestamp.
Many other network devices can also be configured to send syslog messages. For more details on enabling them for this purpose, please refer to your vendor's documentation.
At this point, the PIX will start sending all log messages over port UDP 514 to the IP you specified in the PIX configuration. “[logging host inside [ip of your syslog server]]”. If you didn't install your syslog server yet, the messages will just disappear, with no harm done.
3- Install KIWI syslog server on your target machine. The application is free unless you need access to some extended functionalities.
4- Open the application, go in the file menu and click on setup.
5- In the left panel expand Rules->Default->Actions and check "Log to file".
6- In the right panel, replace the default path by the path of your choice, followed by the the log prefix, a separator (a space or a dash), and then click on "Insert AutoSplit value". Select date->ISO Date (yyyy-mm-dd) and end everything by ".log".
This will generate the path and file name automatically as shown in the example. Keep the log file format as "Kiwi format ISO yyyy-mm-dd (Tab delimited)".
7- Click apply.
At this point, if you already configured your pix logging functionalities, your log file should start filling up. Be sure that you save them on a disk that has ALOT of free space. I get about 70-80MB worth of data per day, growing each month as the activity on my firewall increases.
When all of this is done, you should enable archiving in your KIWI syslog server. This will compress and move your log files to a different location.
1- Open the application, go in the file menu and click on setup
2- Right click archiving-> add new archive schedule
3- In the new archive, select the archival frequency: daily, weekly, monthly
4- Write the source (location of your log file) and Destination folder (Location of your archived log files)
5- Matching file mask: Write the extension of your log file (*.log, *.txt, etc...)
6- Press "Archive now" to test the procedure.
In the second part of this article, I will show you the best way to analyze those logs using assorted log analyzers.
If you liked this article, you might also consider checking some of my other ones: