As long as folks are product dropping on this list, there is far more than
WebTrends available to watch the Cisco PIX logs. You can use BMC PATROL for
Cisco PIX Firewalls. NetIQ actually makes a complete logging solution as
part of their Security Manager product that they had a press release on, and
I have no doubt that Tivoli and HPOV, if they don't already, will shortly
have product offerings to do this. Last but not least, you always have
CiscoWorks.

As for why Cisco (or any other company) doesn't do this (and many do, people
just aren't willing to pay for it), it is simply because it is not their
core competency. They leave it up to the ISVs to handle.

As for running SNMP on a firewall, it depends. SNMP is a business
application that has relevant needs in an enterprise. Like any other
business application, if done correctly (i.e. tight security, specifying
managers, using good communities) it can be invaluable. If done wrong, it
can be very bad. It ultimately comes down to the skills of the admin.

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com


-----Original Message-----
From: Clifford Thurber [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 10:27
To: Daniel Crichton; Matthew Carpenter
Cc: [EMAIL PROTECTED]
Subject: Re: PIX 515

I find it interesting that for a firewall as widely used as the PIX the
reporting/logging is limited to one product - WebTrends. Is there a
reason Cisco cannot offer anything more than the eyesores you are forced
to look at via a syslog server? The PIX logs are nasty things and some of
the entries lower down (like the debug level) are in my opinion horribly
documented. I think that running SNMP on a firewall is a big no-no. I hope
I am not alone in this opinion.

At 04:15 PM 4/9/2002 +0100, Daniel Crichton wrote:
>On 9 Apr 2002 at 9:55, Matthew Carpenter wrote:
>
> > We JUST put this sucker in, and I am interested in what types of
> > monitoring logs it offers. Can I access them aside from the console? Or is
> > it very similar to router maintenance? TIA
>
>Get yourself a syslog server set up, it's almost impossible to do anything
>easily with the console. If you're using Windows for admin then get Kiwi
>Syslog, it's great.
>
>Once you've got the logs you'll need something to parse them, and that's
>when it becomes interesting. I've tried all sorts of reporting and never
>really found one I've liked, nearest was WebTrends Firewall Suite.
>
>You'll need to play around with the syslog options to get the data you
>need though - you can log everything from critical events (shutdown of
>PIX) all the way to "debug" level (eg. URLs being accessed, names of files
>transferred over FTP), but on a busy network the full logging can take up
>a lot of space. Set the level you need on the PIX itself to reduce
>traffic, but also look at setting options on the syslog server to filter
>specific messages (eg. I have Kiwi logging all denied connections to a
>second log file so I can parse that instead of the full one when looking
>for simple intrusion attempts and port scans).
>
>You can also use SNMP to get other monitoring information - I use MRTG on
>my PIX515 to get the number of concurrent connections and the incoming and
>outgoing bandwidth usage to watch for potential bottlenecks.
>
>The PIX itself has some data that I don't think you get any other way
>except via the console - for instance you can use "show conn" to output
>the current list of active connections through the PIX. I might be tempted
>to build a quick little VB app to allow me to get this data whenever I
>need at the click of a button by passing the console commands instead of
>me typing them, and produce reports just for quick snapshots, unless
>someone out there knows of an easier way to get at this.
>
>Dan
>---
>D.C. Crichton                 email: [EMAIL PROTECTED]
>Senior Systems Analyst        tel:   +44 (0)121 706 6000
>Computer Manuals Ltd.         fax:   +44 (0)121 606 0477
>
>Computer book info on the web:
>    http://computer-manuals.co.uk/
>Want to earn money? Join our affiliate network!
>    http://computer-manuals.co.uk/affiliate/
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
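
The denied-connections log that Daniel describes parsing for port scans, sketched as an added Python example that is not part of the original thread. The sample lines are constructed, their layouts are assumed to follow PIX syslog messages 106023, 106001, 106006 and 302013, and the function names and the `min_ports` threshold are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread); layouts are assumed
# to follow PIX messages 106023, 106001, 106006 and 302013.
SAMPLE = """\
Apr 09 10:01:01 pix515 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40001 dst inside:192.0.2.10/21 by access-group "acl_out"
Apr 09 10:01:01 pix515 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40002 dst inside:192.0.2.10/22 by access-group "acl_out"
Apr 09 10:01:02 pix515 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40003 dst inside:192.0.2.10/23 by access-group "acl_out"
Apr 09 10:01:02 pix515 %PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/40004 to 192.0.2.10/25 flags SYN on interface outside
Apr 09 10:01:03 pix515 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40005 dst inside:192.0.2.10/80 by access-group "acl_out"
Apr 09 10:01:03 pix515 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40006 dst inside:192.0.2.10/443 by access-group "acl_out"
Apr 09 10:02:10 pix515 %PIX-2-106006: Deny inbound UDP from 198.51.100.20/5353 to 192.0.2.10/53 on interface outside
Apr 09 10:02:40 pix515 %PIX-2-106006: Deny inbound UDP from 198.51.100.20/5353 to 192.0.2.10/53 on interface outside
Apr 09 10:03:10 pix515 %PIX-4-106023: Deny udp src outside:198.51.100.20/5353 dst inside:192.0.2.10/53 by access-group "acl_out"
Apr 09 10:03:11 pix515 %PIX-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.5/3456 (198.51.100.5/3456) to inside:192.0.2.10/80 (192.0.2.10/80)
"""

# ACL denies carry interface-prefixed endpoints; the "inbound denied" messages do not.
DENY_ACL = re.compile(r"%PIX-\d-106023: Deny \S+ src \S+?:(?P<src>[\d.]+)/\d+ "
                      r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)")
DENY_IN = re.compile(r"%PIX-\d-10600[16]: .*? from (?P<src>[\d.]+)/\d+ "
                     r"to (?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_denies(lines):
    """Return (src, dst, dport) for every denied-connection message; skip the rest."""
    hits = []
    for line in lines:
        m = DENY_ACL.search(line) or DENY_IN.search(line)
        if m:
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits

def scan_suspects(lines, min_ports=5):
    """Map (src, dst) to the sorted ports denied, for pairs with >= min_ports distinct ports."""
    ports = defaultdict(set)
    for src, dst, dport in parse_denies(lines):
        ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for (src, dst), dports in scan_suspects(SAMPLE.splitlines()).items():
        print(f"possible port scan: {src} -> {dst} ports {dports}")
```

Counting distinct destination ports per source, rather than total denies, keeps a host that retries one blocked port from being reported as a scan.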
