Reporting Firewall Conversations
Reporting Firewall Conversations
I'm looking for a way to parse the syslogs from my PIX firewall and show a report of conversations through the firewall. Something just as simple as source -> destination via destination port. Is there a function in logalot to provide this? The reports I'm seeing I'd need to generate policies for the report. Am I missing something? I'm just starting to use this tool so it's possible I'm just blind.
- majolley
- Posts: 3
- Joined: Wed Nov 08, 2006 6:35 pm
Reporting Firewall Conversations
Does your PIX Firewall actually report this information in the syslog? What exactly are you trying to accomplish? Are you looking for your top talkers?
tomp - Site Admin
- Posts: 289
- Joined: Wed Jul 27, 2005 9:53 am
- Location: Sunny Sanford Maine
We are porting to the syslog. Sorry if I wasn't explicit enough. I'm looking for something like a "select distinct" report. We just put a firewall up between 2 networks with an allow all rulebase, so that we can see the traffic and build a baseline ruleset. I can go through the syslog and do "grep" to whittle down as I go, but that's rather painful.
So a report that would remove all reply packets, and all dupe entries for the conversations. Top talkers would be good too for future reference. For example, if I have 5 webservers talking with 3 different databases, I should have the rows showing an http entry for each client, but then just the rows showing each of the 5 webservers talking with each of the 3 database servers. This firewall gets pretty good traffic, so my syslog is over 100 MB per day since we're logging all allowed and denied traffic to build the baseline.
- majolley
- Posts: 3
- Joined: Wed Nov 08, 2006 6:35 pm
New Report
Under the report tab there is a star icon on the left just below the date selector. This will allow you to create a report for anything that is stored historically.
I believe this is the option you are looking for. However, the events need to be in the historical database, therefore you will need to create policies from your orphans to post to the bulletin board or store directly in history.
Best practice says you keep your orphan table empty.
I would start by creating a policy for information data, warnings, errors, etc...
Once all of your data is being stored in a historical table, versus the orphan table, you will be able to create a new report on any criteria you wish, not just policies.
HTH
tomp - Site Admin
- Posts: 289
- Joined: Wed Jul 27, 2005 9:53 am
- Location: Sunny Sanford Maine
Thanks for the info. I've done this now; however, I'm wondering if there is a way to reformat the display.
What I'm getting is something like this:
Timestamp | Source of Syslog Address | Protocol | <long pix log entry>
What I want is something like this:
Interface Name | Source IP | Source Port | Destination IP | Destination Port
So what it appears I'm getting from Logalot is a listing of the syslog verbatim. I'm looking for a way to also parse the syslog down to a nice readable table. I'm able to do this with fwlogwatch, and I'm wondering if logalot can be made to give a similar layout.
- majolley
- Posts: 3
- Joined: Wed Nov 08, 2006 6:35 pm
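The "select distinct" conversation table and top-talkers list majolley asks for in the posts above, as an added example that is not Logalot's code nor anything posted in this thread. It assumes the PIX "Built inbound|outbound TCP|UDP connection ... for IF:IP/PORT (...) to IF:IP/PORT (...)" message shape, that the address after "for" is the lower-security interface side so the inbound/outbound keyword identifies which end initiated, and it runs over constructed sample lines with made-up interface names and addresses.

```python
import re
from collections import Counter

# Constructed sample syslog in the shape of PIX 302013/302014/302015 messages
# (hostnames, interfaces and addresses are invented for this example).
SAMPLE_SYSLOG = """\
Nov 08 2006 18:35:01 fw01 %PIX-6-302013: Built inbound TCP connection 1001 for dmz:10.20.0.5/41200 (10.20.0.5/41200) to inside:10.10.0.11/3306 (10.10.0.11/3306)
Nov 08 2006 18:35:02 fw01 %PIX-6-302013: Built inbound TCP connection 1002 for dmz:10.20.0.5/41201 (10.20.0.5/41201) to inside:10.10.0.11/3306 (10.10.0.11/3306)
Nov 08 2006 18:35:03 fw01 %PIX-6-302013: Built inbound TCP connection 1003 for dmz:10.20.0.6/38010 (10.20.0.6/38010) to inside:10.10.0.11/3306 (10.10.0.11/3306)
Nov 08 2006 18:35:04 fw01 %PIX-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.7/52111 (198.51.100.7/52111) to dmz:10.20.0.5/80 (10.20.0.5/80)
Nov 08 2006 18:35:05 fw01 %PIX-6-302014: Teardown TCP connection 1001 for dmz:10.20.0.5/41200 to inside:10.10.0.11/3306 duration 0:00:04 bytes 812 TCP FINs
Nov 08 2006 18:35:06 fw01 %PIX-6-302015: Built outbound UDP connection 1005 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.10.0.12/5353 (10.10.0.12/5353)
"""

# Only "Built ... connection" lines count; Teardown and deny messages are skipped,
# so reply packets and the end of each connection never produce a row.
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \([\d.]+/\d+\) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \([\d.]+/\d+\)"
)

def parse_built(line):
    """Return one connection as initiator -> responder, or None for other messages."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    low = (m["if1"], m["ip1"], int(m["port1"]))   # assumption: "for" side is lower security
    high = (m["if2"], m["ip2"], int(m["port2"]))
    src, dst = (low, high) if m["dir"] == "inbound" else (high, low)
    return {"proto": m["proto"], "src_if": src[0], "src_ip": src[1], "src_port": src[2],
            "dst_if": dst[0], "dst_ip": dst[1], "dst_port": dst[2]}

def conversations(text):
    """Distinct (src_if, src_ip, dst_if, dst_ip, proto, dst_port) keys with connection counts.
    The ephemeral source port is dropped so repeated sessions collapse to one row."""
    counts = Counter()
    for c in filter(None, map(parse_built, text.splitlines())):
        counts[(c["src_if"], c["src_ip"], c["dst_if"], c["dst_ip"], c["proto"], c["dst_port"])] += 1
    return counts

def top_talkers(text, n=10):
    """Initiating hosts ranked by number of connections built."""
    counts = Counter(c["src_ip"] for c in filter(None, map(parse_built, text.splitlines())))
    return counts.most_common(n)

def format_table(counts):
    """Render the distinct conversations as a pipe-separated table."""
    rows = ["SrcIf | SrcIP | DstIf | DstIP | Proto | DstPort | Count"]
    rows += [" | ".join(str(x) for x in key) + f" | {n}" for key, n in sorted(counts.items())]
    return "\n".join(rows)

if __name__ == "__main__":
    print(format_table(conversations(SAMPLE_SYSLOG)))
    print(top_talkers(SAMPLE_SYSLOG))
```

Run it against a real day's file with `conversations(open(path).read())`; the two 10.20.0.5 sessions to the database collapse into one row with a count of 2, which is the "select distinct" view the thread asks for.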