-
Pix Log question..
Hi, I am new to AO. I work as the Network Security Coordinator for a bank in philly. I am very new to security and have only been here 3 months. I will be taking on the repsonability of the firewall logs as of last week...Do you guys know of a utility that helps with reading the logs? right now we have webtrends but all i see is a bunch of pretty graphs...
Thanks, J
-
Do you have access to the firwall? If so I and many others will help you set up a syslog server to view raw data. If not you need to figure out how to do it in webtrends which I know dick about.
-
Quote:
Originally posted here by RoadClosed
Do you have access to the firwall? If so I and many others will help you set up a syslog server to view raw data. If not you need to figure out how to do it in webtrends which I know dick about.
I am supposed to have access, but the URL doesnt seem to be working...
https://(ip) but i just get page cannot be displyed. It works for my boss just fine. a java pop up comes up to log in.
-
Depending upon the size of your network, you may need a SIM product like Guardednet's NeuSecure SIM (I use this for my pix farm). Otherwise, you can grab something like kiwi-syslog service (free) and dump it on a windows box. From there you can use a number of freeware filtering tools to gleen the output you want. A quick and dirtly little app that I use once in a while is called LineStrip. http://www.lexacorp.com.pg You can quickly search through huge log files for a particular event then of course you can PERL the piss out of the output.
Anyway, check out the version of the JVM on your box and then look at the version your boss has. This might be the issue or there might be a wrapper on the web front end. Use the CLI to verify.
-
Also the PIX has controls on the HTTP server. It may be locked down via IP address. Make sure you are in there by accessing it on the boss' machine. You can also try telnet, it's 1000 times more useful anyway. The access controls on telnet and http are seperate. I did notice in the past on one box I have, the https connection didn't work right away - you have to connect via http then when the certificate loads it goes secure.
-
I like to run this free syslog daemon.
http://www.kiwisyslog.com/software_downloads.htm
Will run on most Windows based PCs.
Set your pix to log to this after you install it and get it running.
Your syslogs can easily be imported into Excel or similar spreadsheet for quick review.
If you need more info let me know.
-
I run a PIX 515 and I can't tell you how handy that web-based administration tool is. It's called the PDM (PIX Device Manager) and it does require that you configure the firewall to permit your IP to view it. Once in, you'll have all kinds of sources of information, including those pretty graphs, but a great deal of very meaningul data as well.
In the config you should some lines which look like this:
http server enable
http 66.79.125.86 255.255.255.255 outside
You'll need to include your workstation's IP here in order for you to view the PDM, which does use https: and Java.
Check out the docs for the 515's website online.
-
Do you really have your pix set to enable http control from outside? In this situation I would not suggest enabling control to outside users. He's just learning the pix and without advanced authentication the firwall could be vulnerable. At least in my thinking I would enable additional authenticaton or better. Sounds like in this case internal access is desired? Not saying external control is bad, just in this case I wouldn't do it. In fact i would never do it in my network but my needs dictate that.
So
http 55.55.555.55 255.255.255.255 inside
-
Yep -- I do in fact have access to one external address enabled on my PIX, but I should have modified the line to show an internal interface before posting it here.
In general I recommend closely reading the PIX IOS docs in order to configure the PDM. Although it requires authentication just like telnet access does, any time you're in a position to enable administrative access of any kind you're at risk of enabled admin access to the wrong audience. Or at least, to an audience which doesn't require it.
-
Quote:
Originally posted here by thehorse13
Depending upon the size of your network, you may need a SIM product like Guardednet's NeuSecure SIM (I use this for my pix farm). Otherwise, you can grab something like kiwi-syslog service (free) and dump it on a windows box. From there you can use a number of freeware filtering tools to gleen the output you want. A quick and dirtly little app that I use once in a while is called LineStrip. http://www.lexacorp.com.pg You can quickly search through huge log files for a particular event then of course you can PERL the piss out of the output.
Anyway, check out the version of the JVM on your box and then look at the version your boss has. This might be the issue or there might be a wrapper on the web front end. Use the CLI to verify.
Same version of Java...And I cant access the CLI at this point...i would have to console into the box and I am trying to keep my access quite..he doesnt want his boss to know too much about me taking it over yet... :rolleyes: