Log Types: PIXLog
Overview
The PIX or ASA firewall generates a range of events, which fall broadly into two groups:
- Packet accept/deny information
- General administrative or security information messages (e.g. interface up/down, administrator login, configuration changes)
The log format of a PIX/ASA firewall is designed to be human-readable, and is therefore neither simple nor consistent to parse by a computer: the same fields (addresses, ports, protocol) appear in different positions and notations depending on the message ID, as the samples below show.
Collection
PIX firewalls can send log data to the Snare Central server via syslog.
Sample Events
10.0.0.1,PIXLog,0,2003-09-10,16:33:47,Aug 1 12:37:36: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/3383 dst inside:12.13.14.15/80
Nov 13 21:03:58 216.53.7.105 Nov 13 2002 19:14:50: %PIX-2-106006: Deny inbound UDP from 66.33.155.102/34736 to 192.168.169.42/6613 on interface outside
Nov 13 21:03:58 216.53.126.250 %PIX-2-106001: ....
<163>Nov 13 2003 21:03:58: %PIX-2-106006: Deny inbound UDP from 66.33.155.102/34736 to 192.168.169.42/6613 on interface outside
<163>Dec 07 2004 15:33:44: %FWSM-6-302001: Built outbound TCP connection 1 for faddr 209.67.27.16/80 gaddr 199.191.74.20/63785 laddr 199.191.104.162/1511
<164>Original Address=10.0.0.1 Nov 13 2003 21:03:58: %PIX-2-106023: Deny udp src outside:66.33.155.102/34736 dst ABC:ABCDOM01/123 (type 3, code 4) by access-group "outside" $server="Unknown"
<164>Aug 1 12:37:36: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/3383 dst inside:12.13.14.15/80
<180>%PIX-4-106023: Deny udp src outside:192.168.0.254/6910 dst inside:192.168. 173.225/3005 by access-group "gcs_acl".
<162>Mar 13 10:27:11 EDT: %ASA-session-2-106100: access-list apps.cbmsr_access_in denied tcp apps.cbmsr/10.1.2.24(60160) -> apps_CBMSR_out/162.3.4.210(80) hit-cnt 2 300-second interval [0x5fef5c7a, 0x0]
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | PIXLog |
| CRITICALITY | Criticality (severity) taken from the PIX event identifier (e.g. the 12 in PIX-12-123456) |
| EVENTID | Event ID taken from the PIX event identifier (e.g. the 123456 in PIX-12-123456) |
| ACTION | Action, such as Denied, PS-3-MULTFAIL |
| PROTO | Protocol |
| SRCADDR | Source IP address |
| SRCPORT | Source port |
| DSTADDR | Destination address |
| DSTPORT | Destination port |
| STRING | Remaining fields, in key=value format |
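The following added example (not Snare's own parser) maps the sample lines above onto the CRITICALITY, EVENTID, ACTION, PROTO and address/port fields of the table, and then filters the denied events that a detection rule would normally start from. It assumes the header shapes seen in the samples (%PIX-n-nnnnnn, %FWSM-n-nnnnnn, %ASA-class-n-nnnnnn) and takes the first two IPv4 endpoints in a message as source and destination; DATE, TIME and SYSTEM come from the syslog envelope and are not handled here.

```python
import re
from typing import Optional

# Header as it appears in the samples; the optional middle token covers %ASA-session-2-106100.
HEADER_RE = re.compile(
    r"%(?:PIX|ASA|FWSM)-(?:[A-Za-z]+-)?(?P<crit>\d)-(?P<eventid>\d{6}):\s*(?P<msg>.*)$")
# Endpoints appear as ifname:IP/port, ifname/IP(port) or bare IP/port. Only IPv4 literals
# are taken, so a hostname destination such as "dst ABC:ABCDOM01/123" is left as None.
ENDPOINT_RE = re.compile(r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})[/(](?P<port>\d{1,5})")
PROTO_RE = re.compile(r"\b(tcp|udp|icmp)\b", re.IGNORECASE)
ACTION_RE = re.compile(r"\b(deny|denied|built|teardown|permitted)\b", re.IGNORECASE)


def parse_pix(line: str) -> Optional[dict]:
    """Map one PIX/ASA/FWSM syslog line onto the PIXLog fields; None if it has no header."""
    m = HEADER_RE.search(line)  # search() skips the syslog PRI and any Snare prefix
    if m is None:
        return None
    msg = m.group("msg")
    ends = ENDPOINT_RE.findall(msg)  # first two endpoints, in order of appearance: src, dst
    src = ends[0] if ends else (None, None)
    dst = ends[1] if len(ends) > 1 else (None, None)
    proto, action = PROTO_RE.search(msg), ACTION_RE.search(msg)
    return {
        "CRITICALITY": int(m.group("crit")),
        "EVENTID": m.group("eventid"),
        # Known verb if present (Deny/denied/Built/...), otherwise the leading word of the text.
        "ACTION": action.group(1) if action else (msg.split()[0] if msg else None),
        "PROTO": proto.group(1).lower() if proto else None,
        "SRCADDR": src[0], "SRCPORT": int(src[1]) if src[1] else None,
        "DSTADDR": dst[0], "DSTPORT": int(dst[1]) if dst[1] else None,
    }


def denied_inbound(lines):
    """Denied events with a resolved destination: the subset a deny-rate detection would use."""
    out = []
    for line in lines:
        ev = parse_pix(line)
        if ev and (ev["ACTION"] or "").lower() in ("deny", "denied") and ev["DSTADDR"]:
            out.append((ev["EVENTID"], ev["PROTO"], ev["SRCADDR"], ev["DSTADDR"], ev["DSTPORT"]))
    return out


# Sample lines copied from this page (syslog-prefixed forms).
SAMPLES = [
    "<164>Aug 1 12:37:36: %PIX-3-106010: Deny inbound tcp src outside:131.107.112.124/3383 dst inside:12.13.14.15/80",
    "<163>Dec 07 2004 15:33:44: %FWSM-6-302001: Built outbound TCP connection 1 for faddr 209.67.27.16/80 gaddr 199.191.74.20/63785 laddr 199.191.104.162/1511",
    "<162>Mar 13 10:27:11 EDT: %ASA-session-2-106100: access-list apps.cbmsr_access_in denied tcp apps.cbmsr/10.1.2.24(60160) -> apps_CBMSR_out/162.3.4.210(80) hit-cnt 2 300-second interval [0x5fef5c7a, 0x0]",
    "<164>Original Address=10.0.0.1 Nov 13 2003 21:03:58: %PIX-2-106023: Deny udp src outside:66.33.155.102/34736 dst ABC:ABCDOM01/123 (type 3, code 4) by access-group \"outside\"",
]
```

Running `denied_inbound(SAMPLES)` keeps the 106010 and 106100 lines and drops the connection-build (302001) and hostname-destination (106023) lines, which is the kind of distinction the human-readable format forces a parser to make explicitly.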
Notes
-