Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > PIX firewall log analyser


PIX firewall log analyser

 
 
Woon
      01-10-2004
Hiya,

I was wondering, can anyone recommend a product to analyse the log files
from a Cisco PIX firewall? I've tried a few like Sawmill, but they do not
have the functionalities that I'm looking for, i.e. to analyse the logs.
Anyone who can share his experiences, you are most appreciated!

thanks,
woon


Jason Kau
      01-10-2004
Woon <(E-Mail Removed)> wrote:
> I was wondering, can anyone recommend a product to analyse the log files
> from a Cisco PIX firewall? I've tried a few like Sawmill, but they do not
> have the functionalities that I'm looking for, i.e. to analyse the logs.
> Anyone who can share his experiences, you are most appreciated!


FireGen is cheap but not very good, http://www.firegen.com/

Private-I is the best I've used but is pretty expensive,
http://www.opensystems.com/PI/

There's some free ones but none are very full-featured.

--
Jason Kau
http://www.cnd.gatech.edu/~jkau
Walter Roberson
      01-10-2004
In article <bto714$s57$(E-Mail Removed)>,
Jason Kau <(E-Mail Removed)> wrote:
:Woon <(E-Mail Removed)> wrote:
:> I was wondering, can anyone recommend a product to analyse the log files
:> from a Cisco PIX firewall?

:Private-I is the best I've used but is pretty expensive,

It isn't "issue-free" either. I've pretty much abandoned it.

:There's some free ones but none are very full-featured.

Sounds like my custom tools

I've been working on some custom perl PIX analysis tools for a couple of
years now, off and on. Currently in one of the "on" phases. It turns out
to be a lot of work to do well (and quickly.) My advice to anyone
considering building their own analysis tools is that unless your analysis
needs are very simple, that Private-I, as expensive as it is, is probably
going to turn out to be cheaper than the time you'll put in

In my current rewrite efforts, I am making my tools more modular, and
I'm working on speeding them up by using perl threads. Modular is going
fairly well, but the perl threaded version is turning out to run very
slowly. I have some ideas on how to speed that up that I will try out
within a couple of days.
--
Is "meme" descriptive or prescriptive? Does the knowledge that
memes exist not subtly encourage the creation of more memes?
-- A Child's Garden Of Memes
Woon
      01-10-2004
Thanks for both your inputs, Jason and Walter,

I've actually considered writing up some scripts to do the analysis, but as
you mentioned, the things that I'm looking to do would require some
complicated scripts to work. Furthermore our organisation produces logs of up
to 1Gb per day (we are a university ^_^).. one of our students actually
wrote an analyser in C but it didn't work very well once the logs reached
above 100Mb. We've actually tried NetIQ's Webtrends Firewall reporting tool,
it looks quite nice, but somehow it doesn't seem to be in the market
anymore. As expected, we needed a server with plenty of processing power and
lots of RAM (>2Gb) to process the logs we have everyday.. I'm not quite sure
what you mean by "issue license" Walter, can you elaborate on that? At face
value PrivateI looks pretty neat. Firegen seems good and cheap as well, and
certainly warrants a closer look (we're gonna try it out and see). It needs
an external syslog tool to collect the logs right?

thanks
woon

Walter Roberson
      01-10-2004
In article <btoamv$9l4pd$(E-Mail Removed)-berlin.de>,
Woon <(E-Mail Removed)> wrote:
:I've actually considered writing up some scripts to do the analysis, but as
:you mentioned, the things that I'm looking to do would require some
:complicated scripts to work. Furthermore our organisation produce logs of up
:to 1Gb per day (we are a university ^_^).. one of our students actually
:wrote an analyser in C but it didn't work very well once the logs reached
:above 100Mb.

:As expected, we needed a server with plenty of processing power and
:lots of RAM (>2Gb) to process the logs we have everyday.

What kind of processing do you want to do?

I seem to recall that my last accounting analysis script gave out
about 500 Mb, but it's been ~18 months since I torture-tested it.
I can't recall if I figured out what the limitation was. A quick test
shows it getting about 9000 lines per second on a 250 MHz (SGI) machine.
(Hmmmm, I only remember it averaging about 3000 lines per second in
practice.) The slowest part of it is splitting the line up into fields!!


: I'm not quite sure
:what you mean by "issue license" Walter, can you elaborate on that?

Ah, I didn't say "issue license", I said PI wasn't "issue-free".
In other words, I had problems with it. It is probably somewhat
improved since I last tried it, but since it wasn't really giving
us the -kind- of analysis I wanted, and since it was noticeably slower
than my scripts [even though it was running on a faster machine], it
has not been worth my time to go back and test newer versions.


:By face
:value PrivateI looks pretty neat.

I suggest you pull down the demo version, and time how long it takes
to import a day's worth of data for you. But first, start with timing
how long it takes to import an hour's worth of data.


:Firegen seems good and cheap as well, and
:certainly warrants a closer look (we're gonna try it out and see). It needs
:an external syslog tool to collect the logs right?

I have not looked at Firegen.

One thing about PI is that they have an impressively fast syslog
data collector -- even some of their lower-end units should be able to
record on the order of 1 megabyte per second of logs. You are averaging
about 1 megabyte per minute, but probably peaking a lot higher than that.
--
I predict that you will not trust this prediction.
 
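Walter's two posts above describe writing your own PIX analyser in Perl, finding that splitting each line into fields is the slow part, and timing a tool on an hour of logs before trusting it with a day's worth. The following is an added example written for this page in Python; it is not Walter's Perl code and not any product's parser. It matches the syslog header once, dispatches on the six-digit PIX message ID so only the relevant field-splitting regex runs, keeps the few aggregates a firewall report needs (denies by source and by service, bytes per destination), and times itself on constructed input. The log lines are constructed for the example using documentation addresses and follow the PIX 6.x formats for messages 106023, 302013, 302014 and 302016 as I recall them from Cisco's syslog message reference (an assumption; check them against your own logs). A collector that prefixes its own timestamp ahead of the PIX one would need that prefix added to the header pattern.

```python
"""Cisco PIX syslog analyser: parse by message ID, aggregate, measure throughput.

Added example for this thread, not Walter Roberson's Perl tools. Sample lines are
constructed to follow the PIX 6.x formats for 106023, 302013, 302014 and 302016
(assumption: recalled from Cisco's syslog message documentation).
"""
import re
import time
from collections import Counter

# Syslog wrapper as a collector writes it: "[<PRI>]Mon DD [YYYY] HH:MM:SS host %PIX-L-NNNNNN: text"
HEADER_RE = re.compile(
    r'^(?:<\d{1,3}>)?'                                           # optional syslog PRI
    r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} (?:\d{4} )?\d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$')

# Body parsers keyed by message ID. Field splitting is the expensive step, so the
# header is matched once and only the regex for that message ID runs on the body.
DENY_RE = re.compile(                                            # 106023: ACL deny; ports absent for icmp
    r'^Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?')
TEARDOWN_RE = re.compile(                                        # 302014 (TCP) / 302016 (UDP)
    r'^Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for '
    r'(?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to '
    r'(?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)')
BODY_PARSERS = {'106023': DENY_RE, '302014': TEARDOWN_RE, '302016': TEARDOWN_RE}


def parse_line(line):
    """Return a dict of fields, or None when the line is not a PIX message."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    body = BODY_PARSERS.get(rec['msgid'])
    if body is not None:
        bm = body.match(rec['text'])
        if bm is not None:
            rec.update(bm.groupdict())
    return rec


class Stats:
    """Running aggregates. Keep raw addresses here and do reverse DNS only for the
    few hosts that end up in a report, never once per line."""

    def __init__(self):
        self.by_msgid = Counter()
        self.deny_by_src = Counter()
        self.deny_by_service = Counter()
        self.bytes_by_dst = Counter()
        self.unparsed = 0

    def add(self, rec):
        if rec is None:
            self.unparsed += 1
            return
        self.by_msgid[rec['msgid']] += 1
        if rec['msgid'] == '106023' and 'src' in rec:
            self.deny_by_src[rec['src']] += 1
            self.deny_by_service[f"{rec['proto']}/{rec['dport'] or '-'}"] += 1
        elif rec['msgid'] in ('302014', '302016') and 'bytes' in rec:
            self.bytes_by_dst[rec['dst']] += int(rec['bytes'])


def analyse(lines):
    stats = Stats()
    for line in lines:
        stats.add(parse_line(line.rstrip('\n')))
    return stats


# Constructed sample (not real traffic); RFC 5737 documentation addresses. Last line is junk on purpose.
SAMPLE_LINES = [
    'Jan 10 2004 03:04:05 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.5/41234 dst inside:10.0.0.7/445 by access-group "outside_in"',
    'Jan 10 2004 03:04:05 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.5/41235 dst inside:10.0.0.8/445 by access-group "outside_in"',
    'Jan 10 2004 03:04:06 fw01 %PIX-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:10.0.0.7/1434 by access-group "outside_in"',
    'Jan 10 2004 03:04:06 fw01 %PIX-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.20/41240 (203.0.113.20/41240) to inside:10.0.0.7/80 (192.0.2.10/80)',
    'Jan 10 2004 03:04:09 fw01 %PIX-6-302014: Teardown TCP connection 12345 for outside:203.0.113.20/41240 to inside:10.0.0.7/80 duration 0:00:03 bytes 5120 TCP FINs',
    'Jan 10 2004 03:04:09 fw01 %PIX-6-302014: Teardown TCP connection 12346 for outside:203.0.113.21/41241 to inside:10.0.0.9/25 duration 0:00:01 bytes 880 TCP FINs',
    'this line is not a PIX message at all',
]


def benchmark(n=50_000):
    """Time the parser on n constructed lines; returns (lines_per_second, stats).
    Run the same measurement on an hour of real logs before sizing a box for a day's worth."""
    lines = [SAMPLE_LINES[i % 6].replace('203.0.113.', f'203.0.{i % 250}.') for i in range(n)]
    t0 = time.perf_counter()
    stats = analyse(lines)
    return n / (time.perf_counter() - t0), stats


if __name__ == '__main__':
    s = analyse(SAMPLE_LINES)
    print('messages by ID :', dict(s.by_msgid), '| unparsed:', s.unparsed)
    print('top denied src :', s.deny_by_src.most_common(3))
    print('top denied svc :', s.deny_by_service.most_common(3))
    print('bytes to dst   :', s.bytes_by_dst.most_common(3))
    rate, _ = benchmark()
    print(f'throughput     : {rate:,.0f} lines/s')
```

The dispatch table is the design point: a single anchored header regex decides which of the dozens of PIX message IDs a line carries, and lines you do not report on (302013 here) are only counted, not split. Adding another report means adding one regex and one branch in `Stats.add`, and the `benchmark` number tells you straight away what the addition costs per line.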
dmcknigh
      01-12-2004

I believe that the NetIQ firewall reporting product that you mentioned
is now branded as NetIQ Security Reporting Center. It seems to work OK
but needs a fast, low-latency DNS server to use while generating
reports and I've found the support to be pretty spotty.
Hope this helps,
dmcknigh
Martin Bilgrav
      01-12-2004
An often overlooked one is RnRgen
http://www.reportgen.com/index.htm

Together with Kiwi Syslog, it is quite powerful,
though it is much like Sawmill.

I have tested a LOT of syslog/reporting tools, and the best is netForensics
and Network Intelligence Engine (former Private-I).
But it costs a LOT as well.

Most important is speed, both in the application and the server hardware. You need
database-server class to meet this spec,
and fast HDD I/O, as we are talking about UDP syslogging.


HTH
Martin Bilgrav
