PIX firewall log analyser

Discussion in 'Cisco' started by Woon, Jan 10, 2004.

  1. Woon

    Woon Guest

    Hiya,

    I was wondering, can anyone recommend a product to analyse the log files
    from a Cisco PIX firewall? I've tried a few like Sawmill, but they do not
    have the functionalities that I'm looking for, i.e. to analyse the logs.
    Anyone who can share his experiences, you are most appreciated!

    thanks,
    woon
    Woon, Jan 10, 2004
    #1
  2. Jason Kau

    Jason Kau Guest

    Woon <> wrote:
    > I was wondering, can anyone recommend a product to analyse the log files
    > from a Cisco PIX firewall? I've tried a few like Sawmill, but they do not
    > have the functionalities that I'm looking for, i.e. to analyse the logs.
    > Anyone who can share his experiences, you are most appreciated!


    FireGen is cheap but not very good, http://www.firegen.com/

    Private-I is the best I've used but is pretty expensive,
    http://www.opensystems.com/PI/

    There's some free ones but none are very full-featured.

    --
    Jason Kau
    http://www.cnd.gatech.edu/~jkau
    Jason Kau, Jan 10, 2004
    #2
  3. In article <bto714$s57$>,
    Jason Kau <> wrote:
    :Woon <> wrote:
    :> I was wondering, can anyone recommend a product to analyse the log files
    :> from a Cisco PIX firewall?

    :private-I is the best I've used but is pretty expensive,

    It isn't "issue-free" either. I've pretty much abandoned it.

    :There's some free ones but none are very full-featured.

    Sounds like my custom tools ;-)

    I've been working on some custom perl PIX analysis tools for a couple of
    years now, off and on. Currently in one of the "on" phases. It turns out
    to be a lot of work to do well (and quickly.) My advice to anyone
    considering building their own analysis tools is that unless your analysis
    needs are very simple, that Private-I, as expensive as it is, is probably
    going to turn out to be cheaper than the time you'll put in :(

    In my current rewrite efforts, I am making my tools more modular, and
    I'm working on speeding them up by using perl threads. Modular is going
    fairly well, but the perl threaded version is turning out to run very
    slowly. I have some ideas on how to speed that up that I will try out
    within a couple of days.
    --
    Is "meme" descriptive or prescriptive? Does the knowledge that
    memes exist not subtly encourage the creation of more memes?
    -- A Child's Garden Of Memes
    Walter Roberson, Jan 10, 2004
    #3
  4. Woon

    Woon Guest

    Thanks for both your inputs, Jason and Walter,

    I've actually considered writing up some scripts to do the analysis, but as
    you mentioned, the things that I'm looking to do would require some
    complicated scripts to work. Furthermore our organisation produces logs of up
    to 1Gb per day (we are a university ^_^).. one of our students actually
    wrote an analyser in C but it didn't work very well once the logs reached
    above 100Mb. We've actually tried NetIQ's Webtrends Firewall reporting tool,
    it looks quite nice, but somehow it doesn't seem to be in the market
    anymore. As expected, we needed a server with plenty of processing power and
    lots of RAM (>2Gb) to process the logs we have every day.. I'm not quite sure
    what you mean by "issue license" Walter, can you elaborate on that? By face
    value PrivateI looks pretty neat. Firegen seems good and cheap as well, and
    certainly warrants a closer look (we're gonna try it out and see). It needs
    an external syslog tool to collect the logs right?

    thanks
    woon



    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bto80a$okr$...
    > In article <bto714$s57$>,
    > Jason Kau <> wrote:
    > :Woon <> wrote:
    > :> I was wondering, can anyone recommend a product to analyse the log files
    > :> from a Cisco PIX firewall?
    >
    > :private-I is the best I've used but is pretty expensive,
    >
    > It isn't "issue-free" either. I've pretty much abandoned it.
    >
    > :There's some free ones but none are very full-featured.
    >
    > Sounds like my custom tools ;-)
    >
    > I've been working on some custom perl PIX analysis tools for a couple of
    > years now, off and on. Currently in one of the "on" phases. It turns out
    > to be a lot of work to do well (and quickly.) My advice to anyone
    > considering building their own analysis tools is that unless your analysis
    > needs are very simple, that Private-I, as expensive as it is, is probably
    > going to turn out to be cheaper than the time you'll put in :(
    >
    > In my current rewrite efforts, I am making my tools more modular, and
    > I'm working on speeding them up by using perl threads. Modular is going
    > fairly well, but the perl threaded version is turning out to run very
    > slowly. I have some ideas on how to speed that up that I will try out
    > within a couple of days.
    > --
    > Is "meme" descriptive or prescriptive? Does the knowledge that
    > memes exist not subtly encourage the creation of more memes?
    > -- A Child's Garden Of Memes
    Woon, Jan 10, 2004
    #4
  5. In article <btoamv$9l4pd$-berlin.de>,
    Woon <> wrote:
    :I've actually considered writing up some scripts to do the analysis, but as
    :you mentioned, the things that I'm looking to do would require some
    :complicated scripts to work. Furthermore our organisation produces logs of up
    :to 1Gb per day (we are a university ^_^).. one of our students actually
    :wrote an analyser in C but it didn't work very well once the logs reached
    :above 100Mb.

    :As expected, we needed a server with plenty of processing power and
    :lots of RAM (>2Gb) to process the logs we have every day.

    What kind of processing do you want to do?

    I seem to recall that my last accounting analysis script gave out
    about 500 Mb, but it's been ~18 months since I torture-tested it.
    I can't recall if I figured out what the limitation was. A quick test
    shows it getting about 9000 lines per second on a 250 MHz (SGI) machine.
    (Hmmmm, I only remember it averaging about 3000 lines per second in
    practice.) The slowest part of it is splitting the line up into fields!!


    : I'm not quite sure
    :what you mean by "issue license" Walter, can you elaborate on that?

    Ah, I didn't say "issue license", I said PI wasn't "issue-free".
    In other words, I had problems with it. It is probably somewhat
    improved since I last tried it, but since it wasn't really giving
    us the -kind- of analysis I wanted, and since it was noticeably slower
    than my scripts [even though it was running on a faster machine], it
    has not been worth my time to go back and test newer versions.


    :By face
    :value PrivateI looks pretty neat.

    I suggest you pull down the demo version, and time how long it takes
    to import a day's worth of data for you. But first, start with timing
    how long it takes to import an hour's worth of data.


    :Firegen seems good and cheap as well, and
    :certainly warrants a closer look (we're gonna try it out and see). It needs
    :an external syslog tool to collect the logs right?

    I have not looked at Firegen.

    One thing about PI is that they have an impressively fast syslog
    data collector -- even some of their lower-end units should be able to
    record on the order of 1 megabyte per second of logs. You are averaging
    about 1 megabyte per minute, but probably peaking a lot higher than that.
    --
    I predict that you will not trust this prediction.
    Walter Roberson, Jan 10, 2004
    #5
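As an added illustration of the streaming, field-splitting approach Walter describes (this is not code from the thread nor from any of the tools named in it), the Python sketch below parses PIX syslog lines one at a time and aggregates counts instead of holding a day's file in memory. The 106023 field layout, the constructed sample lines and the function names are my assumptions.

```python
import re
from collections import Counter

# Envelope of every PIX syslog record, after the syslog timestamp and host:
#   %PIX-<severity>-<message_id>: <message text>
HEADER = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<msg>.*)$")
# Field layout assumed for message 106023 (packet denied by an access list):
#   Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>"
DENY = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<difc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

def parse_line(line):
    """Split one syslog line into named fields; None if it is not a PIX record."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"sev": int(m["sev"]), "id": m["id"]}
    if rec["id"] == "106023":
        d = DENY.search(m["msg"])
        if d:
            rec.update(d.groupdict())
    return rec

def summarise(lines):
    """Stream lines (an open file handle works) and aggregate as we go: memory
    grows with the number of distinct message ids and sources, not with file size."""
    by_id, denies_by_src = Counter(), Counter()
    total = unparsed = 0
    for line in lines:
        total += 1
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count rather than abort: mixed syslog feeds are normal
            continue
        by_id[rec["id"]] += 1
        if rec["id"] == "106023" and "src" in rec:
            denies_by_src[rec["src"]] += 1
    return {"total": total, "unparsed": unparsed,
            "by_id": by_id, "denies_by_src": denies_by_src}

# Constructed sample lines using RFC 5737 documentation addresses, not real logs.
SAMPLE = """\
Jan 10 2004 10:00:01 fw01 %PIX-4-106023: Deny tcp src outside:192.0.2.10/3345 dst inside:10.1.1.5/445 by access-group "outside_in"
Jan 10 2004 10:00:02 fw01 %PIX-6-302013: Built outbound TCP connection 123 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.20/1044 (203.0.113.2/1044)
Jan 10 2004 10:00:03 fw01 %PIX-4-106023: Deny udp src outside:192.0.2.10/53 dst inside:10.1.1.5/1434 by access-group "outside_in"
Jan 10 2004 10:00:04 sw02 link up on port 3
"""
```

For a real day's file pass an open handle, `summarise(open("pix.log"))`, which reads one line at a time; the regex split is the hot spot, so keep the patterns anchored and narrow.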
  6. dmcknigh

    dmcknigh Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<btofk2$s6g$>...
    > In article <btoamv$9l4pd$-berlin.de>,
    > Woon <> wrote:
    > :I've actually considered writing up some scripts to do the analysis, but as
    > :you mentioned, the things that I'm looking to do would require some
    > :complicated scripts to work. Furthermore our organisation produces logs of up
    > :to 1Gb per day (we are a university ^_^).. one of our students actually
    > :wrote an analyser in C but it didn't work very well once the logs reached
    > :above 100Mb.
    >
    > :As expected, we needed a server with plenty of processing power and
    > :lots of RAM (>2Gb) to process the logs we have every day.
    >
    > What kind of processing do you want to do?
    >
    > I seem to recall that my last accounting analysis script gave out
    > about 500 Mb, but it's been ~18 months since I torture-tested it.
    > I can't recall if I figured out what the limitation was. A quick test
    > shows it getting about 9000 lines per second on a 250 MHz (SGI) machine.
    > (Hmmmm, I only remember it averaging about 3000 lines per second in
    > practice.) The slowest part of it is splitting the line up into fields!!
    >
    >
    > : I'm not quite sure
    > :what you mean by "issue license" Walter, can you elaborate on that?
    >
    > Ah, I didn't say "issue license", I said PI wasn't "issue-free".
    > In other words, I had problems with it. It is probably somewhat
    > improved since I last tried it, but since it wasn't really giving
    > us the -kind- of analysis I wanted, and since it was noticeably slower
    > than my scripts [even though it was running on a faster machine], it
    > has not been worth my time to go back and test newer versions.
    >
    >
    > :By face
    > :value PrivateI looks pretty neat.
    >
    > I suggest you pull down the demo version, and time how long it takes
    > to import a day's worth of data for you. But first, start with timing
    > how long it takes to import an hour's worth of data.
    >
    >
    > :Firegen seems good and cheap as well, and
    > :certainly warrants a closer look (we're gonna try it out and see). It needs
    > :an external syslog tool to collect the logs right?
    >
    > I have not looked at Firegen.
    >
    > One thing about PI is that they have an impressively fast syslog
    > data collector -- even some of their lower-end units should be able to
    > record on the order of 1 megabyte per second of logs. You are averaging
    > about 1 megabyte per minute, but probably peaking a lot higher than that.


    I believe that the NetIQ firewall reporting product that you mentioned
    is now branded as NetIQ Security Reporting Center. It seems to work OK
    but needs a fast, low-latency DNS server to use while generating
    reports and I've found the support to be pretty spotty.
    Hope this helps,
    dmcknigh
    dmcknigh, Jan 12, 2004
    #6
  7. An often overlooked one is RnRgen
    http://www.reportgen.com/index.htm

    Together with Kiwi Syslog, it is quite powerful,
    though it is much like Sawmill.

    I have tested a LOT of syslog/reporting tools, and the best is netForensics
    and Network Intelligence Engine (former Private-I).
    But it costs a LOT as well.

    Most important is speed, both in application and server hardware - you need
    database-server class to meet this spec,
    and fast HDD I/O, as we are talking about UDP syslogging.


    HTH
    Martin Bilgrav

    "Woon" <> wrote in message
    news:bto6dv$9igaf$-berlin.de...
    > Hiya,
    >
    > I was wondering, can anyone recommend a product to analyse the log files
    > from a Cisco PIX firewall? I've tried a few like Sawmill, but they do not
    > have the functionalities that I'm looking for, i.e. to analyse the logs.
    > Anyone who can share his experiences, you are most appreciated!
    >
    > thanks,
    > woon
    >
    >
    Martin Bilgrav, Jan 12, 2004
    #7