The PIX Logging Architecture [PLA] provides a centralized method for correlating and displaying logs generated by Cisco PIX Firewalls. Cisco PIX supports logging to a syslog host. PLA uses this feature in order to parse these logs, based on their type (traffic, ids or informational) and then push them into a MySQL database. A web-based frontend queriesthe MySQL database for the entries and then displays them according to the various options available in the PLA web-based frontend.

PIX Logging Architecture v2.00 is the second release of PLA, being released about 3 years after the original release, many changes and improvements have been made to the original code and many new features have been introduced in order to make PLA more suitable for different infrastructures. For those who were familiar with PLA v1.01, you'll get a whole realm of new features with this release whilst still maintaining the same look and feel. However, I've come along way with this project since 2003 so you'll find that some things have been changed since the original PLA v1.01 release. Amongst the major changes you'll find the following:

• Log Parsing is done using a Perl-written daemon (no longer need to stop/start syslogd)
• Log Message Parsing criteria are no longer defined in parsing scripts but stored within a table in the PLA database called "syslog_message"
• Informational messages (i.e. PPPoE establishment, SSH/PDM logins, etc..) can now also be logged.
• PLA Database has been modified. More fields are now logged (i.e. xlate[translations])
• PLA web based front end has seen the "statistics" section removed and replaced with a configuration section which allows you to set up traffic filters, traffic descriptions, user-defined search queries, parse filtering, database log purging and others. All these features are described in the features section and surely you'll explore and find out as you start using PIX Logging Architecture. Moreover, the addition of the Security Dashboard as well as the graphing features, log paging and log sorting greatly enhance the analysis capabilities and efficiency of PIX Logging Architecture v2.00.

The main purpose of PIX Logging Architecture is to provide a framework for treating, correlating and consulting logs of different devices.

I've done successful PLA testing with the following components:

• Cisco PIX OS 6.x
• Cisco PIX OS 7.x
• Cisco (FWSM) FireWall Services Module 2.x
• Cisco (FWSM) FireWall Services Module 3.1(3)

• Parsing of Cisco FWSM and PIX OS logs from the syslog files into the PLA database.
• System Log message criteria used for parsing are stored in a table in the PLA database.
• Parse filters can be defined using the web-based front end for traffic which should not be logged in the database.
• Database entries can be purged based on certain criteria using the log purging option in the web-based front end.

• Web based front-end allows viewing of Traffic, IDS and Informational Logs.
• Display details on Traffic, IDS and Informational logs and allow cross-searching in the database for similar logs as well as graphic statistical analysis providing matches across the last 24 hours, last 7 days, last 30 days and last 12 months.
• The Security Dashboard features provides a clear overview of 24-hour traffic patterns and top anomalies and traffic.
• Whois and DNS lookup of logged traffic.
• PLA database can be searched based on various criteria for Traffic, IDS and informational logs.
• User-defined queries can be created to define saved search criteria.
• Traffic Display Filters can be created to filter out pre-defined traffic while displaying and searching traffic logs.
• Traffic Descriptions can be created to identify traffic based on certain values.
• Parse filters can be created to prevent certain traffic from being logged into the PLA database.
• Log purging ensures that the database doesn't get too big.
• On-the-fly Queries, Display Filters, Parse Filters and Traffic descriptions can be created from a log entry.
• Paging and sorting across all log display and search pages allows for a more efficient method of analyzing logged data.

As previously mentioned, the PLA Infrastructure parses logs sent by a Cisco PIX Firewall, and then pushes them to a MySQL database. The parsing is done on the system defined as the syslog host for the Cisco PIX Firewall, the parsing script then uses the Perl DBI module to enter the logging information into the MySQL database.

Two deployment infrastructures can be considered:

• Centralized Deployment: all PLA components are located on the same system.
• Distributed Deployment: various PLA components are located on different systems.

When using the PLA Centralized Deployment option, all PLA components are located on the same systems. This deployment could be used for various reasons, such as shortage of machines, centralized management policy. The following components are centralized on a single component:

• syslog (with remote log reception activated)
• MySQL database (with PLA database installed)
• Apache Web Server
• PLA Parsing Script
• PLA Web-based Frontend

       +---+   syslog    +------------------------+
       |PIX| ----------> | PLA Centralized System |
       +---+             +------------------------+
                         | (1) Parse Syslog       |
                         | (2) Populate Database  |
                         | (3) Provide Web-based  |
                         |     frontend           |
                         +------------------------+
       

When using the PLA Distributed Deployment option, each PLA component or a group of PLA components are located on various systems.

The PLA Distributed Deployment architecture looks as follows:

       +---+   syslog    +------------------------+               +------------------------+
       |PIX| ----------> | PLA Distributed System |               | PLA Distributed System |
       +---+             | Logging Host           |               | DB + Web Frontend      |
                         +------------------------+  Perl::DBI    +------------------------+
                         | (1) Parse Syslog       | ----------->  | (2) Populate Database  |
                         +------------------------+               | (3) Provide Web-based  |
                                                                  |     frontend           |
                                                                  +------------------------+
        

As for traffic requirements, depending on your deployment strategy, certain openings may need to be made to your firewall rules to allow traffic between the various PLA components. The following traffic patterns exist:

Status	Source	Destination	Protocol/Service	Description
(Mandatory)	PIX Firewall	PLA Logging Host	Syslog (UDP/514)	PIX Syslog to Log Parser
(Mandatory)	PLA Logging Host	PLA Database Host	MySQL (TCP/3306)	PIX Log Entries into Database
(Mandatory)	PLA Web Front End	PLA Database Host	MySQL (TCP/3306)	PIX Log Queries from Database
(Optional)	PLA Web Front End	DNS Server	DNS (UDP/53)	DNS Name Lookups
(Optional)	PLA Web Front End	ANY	Whois (TCP/43)	Whois Lookups
(Mandatory)	PLA Clients (Browsers)	PLA Web Frontend	HTTP (TCP/80) or HTTPS(TCP/443)	PLA Web Based Front End Access

The PLA Infrastructure requires certain components to be installed in order to function properly. The following components must be installed:

• Syslogd
• Perl (version >= 5.6.0)
  --> Perl is used to run the scripts associated with PLA.
• Perl Modules
  --> Perl::DBI (version >= 1.20)
  --> Perl::CGI (version >= 1.19)
  --> DBD::Mysql (version >= 3.0008)
  --> Net::Whois::IP (version >= 0.50)
  --> Date::Manip (version >= 5.44)
  --> File::Tail (version >= 0.99.3)
  --> GD::Graph (version >= 1.4308)
  --> Socket (This should be standard in Perl)
  --> POSIX (This should be standard in Perl)
• MySQL Database Server (version >= 3.23.42)
• Apache Web Server

If you're opting for the distributed installation, it's important to know which components need to be installed where:

Logging Host:

• Syslogd
• Perl
• Perl Modules
  --> Perl::DBI
  --> DBD::Mysql
  --> File::Tail
  --> Socket (This should be standard in Perl)
  --> POSIX (This should be standard in Perl)

• MySQL Database Server

• Apache Web Server
• Perl
• Perl Modules
  --> Perl::DBI
  --> DBD::Mysql
  --> Perl::CGI
  --> Net::Whois::IP
  --> Date::Manip
  --> GD::Graph

The parsing script is located in the "scripts/parsing/" directory of the PLA Software Package (the "tar.gz" file). This script must be installed on the system which received the system logs (syslog) and is used to identify which log entries should be pushed to the database, this script requires both Perl and Perl::DBI. Personally, I've put this script in an "/usr/sbin" directory.

1. Connect to the Database and extract the syslog_message table (for identifying parsing criteria)
2. Connect to the Database and extract the parse_filter table (for identifying parsing filters)
3. Start reading the syslog messages file to which the PIX/FWSM logs are logged.
4. Match incoming message with syslog_message table extract and determine if a match exists.
5. If a match exists, check whether the traffic matches a parse filter and if not, log the data to the PLA database.
6. If no match exists, determine whether to log the data to a flat temporary undefined traffic file.

The web-based frontend is a collection of Perl/CGI scripts located in the "scripts/frontend/" directory of the PLA software package. These scripts query the MySQL database for information and entries pertaining to the Cisco PIX/FWSM logs. These scripts should be copied to a scripts executable directory on your web server. For example the "/cgi-bin/" directory on many web servers. In the configuration section of this document I've explained how to configure a directory to be script executable within Apache. For example, on my web server I've created a "pla2" directory in the main Apache HTML documents directory (DirectoryRoot - "/usr/local/apache2/htdocs") and set this to scripts executable.

Please refer to the "Configuring Apache" section for more information on how to configure Apache and the Executable Scripts directories.

If you're upgrading to PIX Logging Architecture v2.00 from PIX Logging Architecture v2.00 Beta 1, the transition is quite smooth and will only involve a few minutes work.

Because PIX Logging Architecture v2.00 has introduced the Security Dashboard and statistics graphs (which was not available in Beta 1), the Perl Module "GD::Graph" will need to be installed. Chances are that the installation will also require you to install libgd if it's not installed by default on the system.

Upgrading from PIX Logging Architecture v2.00 Beta 1 to PIX Logging Architecture v2.00 involves:

Download the PIX Logging Architecture v2.00 package at http://www.logging-architecture.net/pla2/release/.

You'll need this to properly run the PLA Security Dashboard and graphing features.

In order to stay current with the latest log messages, it is recommended you obtain the latest version of the syslog_message table from the http://www.logging-architecture.net/pla2/release/supportedmessages.html.

This file can easily be imported into the PLA database using the following method (please note that this will scratch the current syslog message parsing table so if you created your own entries be sure to back these up beforehand and create them later!):



root@mysql-host# mysql < syslog_message-YYYYMMDD.sql.txt

Many important changes have been made to the PLA Web Based Front-End, including new pages which have been introduced. Therefore you'll have to copy across all files and subdirectories in the "scripts/frontend" directory of the PIX Logging Architecture v2.00 Package to the directory where your current PLA Web Based Front-End resides.



root@pla_frontend_host# cp -R <PLA_PACKAGE_DIRECTORY>/scripts/frontend/* <PLA_Web_FrontEnd_Directory>



Note: Don't forget to configure the PLA v2.00 "conf.pl" file in the PLA Web Based Front-End directory with the same settings as you were using with PLA v2.00 Beta 1.

Copy the PLA Parsing Daemon (pla_parsed) v2.00 to the /usr/sbin directory as follows:



root@pix_parse_host# cp <PLA_PACKAGE_DIRECTORY>/scripts/parsing/pla_parsed /usr/sbin



Note: Don't forget to configure the PLA v2.00 Parsing Daemon (pla_parsed) with the same settings as you were using with PLA v2.00 Beta 1.

Since MySQL (the database) is the principal component empowering the PLA infrastructure, it needs to be configured properly.

First of all, the PIX logging database needs to be created. A template for this database is located in the "scripts/" directory of the PLA Package and is called pla_database.sql. This file can easily be imported into the MySQL database as follows:

The syslog host will receive the alerts sent by the Cisco PIX/FWSM Firewall(s).

First of all, the syslog daemon will need to be configured to listen for syslog messages from other hosts, in our case the Cisco PIX Firewall(s) on port 514/udp, this can be done by starting the syslogd in the following manner: "syslogd -m 0 -r" -> the "-r" option specified remote listening.

Secondly, Syslog will need to be configured to redirect system log messages received from the Cisco PIX Firewall(s) to a separate file (I'm using "/var/log/<firewall-name>.log").

In order to do this you'll have to reconfigure syslogd by adding the following line to /etc/syslog.conf:

In order to get a Cisco PIX Firewall to be compatible with the PIX Logging Architecture, several configuration statements will have to be added on the Cisco PIX Firewall:

5.3.1 Configuring System Logging

The following commands should be used to set up system logging on the Cisco PIX Firewall:

• If there are certain messages which you don't want to log, you can exclude them using the "no logging message <msg_id>" command.

• The above configuration enables PIX firewall to match IDS signatures and perform a drop action on them. In the above configuration, the interface is named "outside"; In your infrastructure, this interface may have another name.
• It may be a good idea to synchronize the time on the Cisco PIX/FWSM using NTP.
• Verify that your Cisco PIX/FWSM is correctly logging to your syslog server by checking the syslog's server's log messages file (i.e. "tail -f /var/log/<firewall-name>.log" considering you've used the same nomenclature as the one described in the syslog configuration of this document).

The Apache web server is used to house the scripts which power the PLA web-based front end. Whether you run Apache 1.x, 2.0.x or 2.2.x is your choice, however you may have to make some changes to the configuration in order to allow the scripts to correctly execute (in other words, the Apache needs to know that these scripts are executable and should thus show you the output of the scripts rather than the scripts code itself).

If you're not very accustomed to the Apache web server, I suggest you install the PLA web-based frontend in the main Apache HTML documents directory which is usually located at the "<APACHE_INSTALL_PATH>/htdocs" directory. So you'll have to ensure all the contents of the PLA web based frontend "scripts/frontend/" (in the PLA package, including the "images" and "stats" subdirectories) is copied over to the Apache htdocs part. For the purpose of example we will create a "pla2" directory in the Apache default HTML documents directory (which we assume is located at "/usr/local/apache2/htdocs"):

The PLA Parsing Daemon (pla_parsed) script, located on the syslog host, will need to be configured with several parameters before PLA can work correctly.

5.5.1 Configure Required Variables

Several variables will need to be configured in the "pla_parsed" (PLA Parsing Daemon - /usr/sbin/pla_parsed) script:

First of all, make sure the scripts in the "scripts/frontend/" directory of the PLA Package are copied to a directory configured to execute Perl/CGI scripts. This is the same directory you defined when configuring Apache.

Secondly, several variables need to be configured to allow the frontend to connect to the MySQL database. These variables can be found in the "conf.pl", which is also located within this directory:

The PIX Logging Architecture web based front-end can be reached by typing in the URL as defined on the web server with the "pix_traffic_logs" extension. So consider the application is installed on the 127.0.0.1 IP address in the pla2 directory then the browser needs to point to:

http://127.0.0.1/pla2/pix_traffic_logs

Using this URL, PIX Logging Architecture will open the main traffic logs page which display a resume of the PIX traffic logged events.

PIX Logging Architecture consists of a hierachical structure of menus allowing for easy navigation, use and configuration of the PLA web-based front-end. The following structure is used for the web-based front-end:

+--+ Security Dasbhoard (main menu)
|      +--- Drops and Accepts Statistics
|      +--- Protocol Redistribution Statistics
|      +--- Cumulative Logged Traffic Statistics
|
+--+ PIX Traffic Logs (main menu)
|      +--- PIX Traffic Log Details
|
+--+ PIX IDS Logs (main menu)
|      +--- PIX IDS Log Details
|
+--+ PIX Informational Logs (main menu)
|
+--+ PIX Search Logs (main menu)
|      +--- PIX Search Traffic Logs (sub menu)
|      +--- PIX Search IDS Logs (sub menu)
|      +--- PIX Search Informational Logs (sub menu)
|
+--+ PIX Traffic Queries (main menu)
|
+--+ PLA Configuration (main menu)
|      +--+ PIX Traffic Log Configuration (sub menu)
|              +--- Display Filter Configuration (sub menu choice)
|              +--- Description Configuration (sub menu choice)
|              +--- Traffic/User-defined Query Configuration (sub menu choice)
|      +--+ PIX IDS Logs Configuration (sub menu)
|              +--- Display Filter Configuration (not active yet)
|      +--+ PLA Global Configuration (sub menu)
|              +--- Objects Configuration (not active yet)
|              +--- Log Message Parsing Configuration (not active yet)
|              +--- Incident Management (sub menu choice)
|              +--- Log Purging Configuration (sub menu choice)
|              +--- Parse Filter Configuration (sub menu choice)
|
+--+ PLA About (main menu)

Menu Item: (Main Menu) > "Security Dasbboard"

6.3-1: Main Menu View

PLA Security Dashboard is a new feature which has been added to PIX Logging Architecture v2.00 after Beta 1 was released. The purpose of the security dashboard is to get a summarized overview of the situation based on the logged events for a specific date. The PLA Security Dashboard main page consists of two main views; the left side with listed statistics and the right side with graphed statistics. The following are the details for each of these views:

List View (Left Side):

• List of Top 5 Dropped Sources
• List of Top 5 Dropped Destinations
• List of Top 5 Dropped Services
• List of Top 5 Accepted Sources
• List of Top 5 Accepted Destinations
• List of Top 5 Accepted Services

• 24-hour Time Period Graph of Drops and Accepts (1 hour interval)
• 24-hour Time Period Graph of Protocol Redistribution [TCP,UDP,ICMP] (1 hour interval)
• 24-hour Time Period Graph of Cumulative Traffic for a Specific Firewall (1 hour interval)

The main functionality of PIX Logging Architecture is to allow logs to be parsed, correlated and available for viewing. PLA currently distinguishes between 3 types of logs; PIX Traffic Logs, PIX IDS Logs and PIX Informational Logs. Each of these logs has a dedicated log viewing page which allows the logged data to be consulted.


6.4.1 PIX Traffic Logs Viewing

Menu Item: (Main Menu) > "Traffic Logs"

6.4.1-1: Main Menu View


The PIX Traffic Logs view is used to display the PIX Traffic Logs. The general view shows the following columns in a list format:

• Time
• Logging Resource (Firewall)
• Log Action
• Log Protocol
• Source IP
• Source Port
• Destination IP
• Destination Port
• Log Flags

• Log Time (Ascending)
• Log Time (Descending)
• Logging Resource (Ascending)
• Logging Resource (Descending)
• Log Action (Ascending)
• Log Action (Descending)
• Log Protocol (Ascending)
• Log Protocol (Descending)
• Source IP (Ascending)
• Source IP (Descending)
• Source Port (Ascending)
• Source Port (Descending)
• Destination IP (Ascending)
• Destination IP (Descending)
• Destination Port (Ascending)
• Destination Port (Descending)

• Source IP Address
• Source Port
• Destination IP Address
• Destination Port
• Translated Source IP Address
• Translated Source Port
• Translated Destination IP Address
• Translated Destination Port

• Time
• Logging Resource (Firewall)
• Log Protocol
• Source IP
• Destination IP
• IDS Signature

• Log Time (Ascending)
• Log Time (Descending)
• Logging Resource (Ascending)
• Logging Resource (Descending)
• Log Protocol (Ascending)
• Log Protocol (Descending)
• Source IP (Ascending)
• Source IP (Descending)
• Destination IP (Ascending)
• Destination IP (Descending)
• IDS Signature (Ascending)
• IDS Signature (Descending)

• Time
• Logging Resource (Firewall)
• Log Message
• Log Description

• Log Time (Ascending)
• Log Time (Descending)
• Logging Resource (Ascending)
• Logging Resource (Descending)
• Log Protocol (Ascending)
• Log Protocol (Descending)
• Log Message (Ascending)
• Log Message (Descending)
• Log Description (Ascending)
• Log Description (Descending)

Besides showing a general view of the logs, it is also possible to carry out specific and granular searches against the database for entries which match the search criteria. PIX Logging Architecture v2.00 allows searching of PIX Traffic, IDS and Informational logs.

6.5.1 PIX Traffic Logs Search

Menu Item: (Main Menu) > "Search"
Menu Item: (Sub Menu) > "Traffic Logs"


6.5.1-1: Main Menu View


PIX Traffic Logs can be searched based on a set of defined criteria. Within these searches a number of wildcards can be used with the "%" (percentage) character, which is the default SQL wildcard.

The following lists all the fields which are allowed as search input:

• Logging Resource
• Traffic Action
• Log Message
• Source IP [wildcard allowed!]
• Source Port [wildcard allowed!]
• Destination IP [wildcard allowed!]
• Destination Port [wilcard allowed!]
• Log Protocol
• Time Criteria:
  - Today
  - Specific Time Range
  - All Dates

Condition:	You want to search all traffic from source 1.1.1.1 from any source port to destination 2.2.2.2 on destination port 80.
Pseudo-Search:	Source_IP=1.1.1.1 Source_Port=<leave_blank> Destination_IP=2.2.2.2 Destination_Port=80
Actual Search:

Condition:	You want to search all traffic from source 1.1.1.x from any source port to destination 2.2.2.2 on port 80.
Pseudo-Search:	Source_IP=1.1.1.% Source_Port=<leave_blank> Destination_IP=2.2.2.2 Destination_Port=80
Actual Search:

Condition:	You want to search all traffic from any source from any source port to destination 2.2.2.2 on port 80.
Pseudo-Search:	Source_IP=<leave_blank> Source_Port=<leave_blank> Destination_IP=2.2.2.2 Destination_Port=80
Actual Search:

• Logging Resource
• Log Signature
• Source IP [wildcard allowed!]
• Destination IP [wildcard allowed!]
• Log Protocol
• Time Criteria:
  - Today
  - Specific Time Range
  - All Dates

• Logging Resource
• Log Message
• Informational Message Relation to a User-defined String [wildcard allowed!]
  - equals
  - does not equal
  - contains
  - does not contain
  - starts with
  - does not start with
  - ends with
  - does not end with
• Time Criteria:
  - Today
  - Specific Time Range
  - All Dates

Sometimes you may have legal requirements from the governing industry bodies to log certain types of traffic, however you may not want them to show up when you're displaying your traffic logs because they're considered overhead traffic. Examples of such traffic may be outbound DNS, SMTP, HTTP requests which may "pollute" your log files since they are usually overall present in high numbers.

The way a traffic filter works is by defining the criteria for traffic which should be filtered and matching it against traffic which would normally be displayed. If there is a match, it means the traffic should be filtered and not shown in the view. For example:

Example 1 - Multiple ANY Wildcards

Condition:	all outbound UDP DNS requests from your DNS server (10.10.10.10) should be filtered from the view.
Pseudo-Filter:	Source_IP: 10.10.10.10 Source_Port:<leave_blank> Destination_IP:<leave_blank> Destination_Port:53 Protocol:UDP

Example 2 - One ANY Wildcard and One SPECIFIC Wildcard

Condition:	all outbound UDP DNS requests from your DNS server (10.10.10.10) to a range of DNS servers (192.168.1.X) should be filtered from the view
Pseudo-Filter:	Source_IP: 10.10.10.10 Source_Port:<leave_blank> Destination_IP:192.168.1.% Destination_Port:53 Protocol:UDP

Of course you don't have to worry about writing these filters in the text based form like I just did here, you'll have the web interface to configure them, but I'm just showing you how the evaluation of the criteria works and how you can use wildcards (either by leaving the fields blank for an "Any" match or by using the "%" wildcard character for partial matches).

There's three ways of creating a traffic display filter:

6.6.1 Creating a Display Filter Manually

Menu Item: (Main Menu) > "Configuration"
Menu Item: (Sub Menu) > "Traffic Logs"
Menu Item: (Sub Menu Choice) > "Configure Display Filters"


6.6.1-1: Main Menu View


The page you get when you click on the "Configure Display Filters" link represents the main menu for the Traffic Display Filter configuration.

6.6.1-2: Main Display Filter Configuration


The page lists all your traffic filters and gives you a little menu on the top when you click on the plus-sign in front of the "Traffic Filter Options" link on the top. Using this menu you can create a new filter, search for certain variables within existing filters and show filters based on certain criteria. These latter two I'll let you find out later since they're quite trivial to use, so I'll focus on the Creation part.

Creating a Traffic Display Filter manually involves several steps:

Step 1 - On the Traffic Display Filter configuration page, expand the "Traffic Filter Options" and click on the "Create" button

6.6.1-3: Expanding and Creating Title Menu


Step 2 - You'll now get a page with all blank form fields, some of which are input boxes, others are drop down menus. The following lists all the required form criteria and whether wildcards can be used:


• Filter Name [Required] (Short description of the filter) (input text box)
• Logging Resource (Allows you to select which firewalls logs the display filter should be active for) (choose one)
  + All Firewalls
  + <name of firewall>
• Logging Action (Allows you to select which traffic action the display filter should be active for) (choose one)
  + Any
  + Accept
  + Drop
• Protocol (Allows you to select which protocol the display filter should be active for) (choose one)
  + TCP
  + UDP
  + ICMP
• Source IP (Source IP for which the display filter should be active) [wildcards allowed!] (input text box)
• Source Port (Source Port for which the display filter should be active) [wildcards allowed!] (input text box)
• Destination IP (Destination IP for which the display filter should be active)[wildcards allowed!] (input text box)
• Destination Port (Destination Port for which the display filter should be active) [wildcards allowed!] (input text box)
• Filter Description (Longer description of the filter) (input text box)

Click on the "Create" button to create the filter or on the "Reset" button to reset the form

The following screenshot shows a Display Filter which filters all TCP traffic from 10.10.10.x to any destination on destination port 445 (basically MS DCE traffic).

6.6.1-4: Creating a Traffic Filter


Step 3 - Once you've created the filter you'll get a page with the summary of the filter you've just created. You've got three options from this page:


• Clone This Filter (I'll come back to this later)
• Edit This Filter (Allows you to modify the filter you just created)
• Go Back to the Display Filter configuration page.

The following screenshot shows a successful Display Filter creation for the above defined criteria:

6.6.1-5: Successful Display Filter Creation


Step 4 - When you click on the "Back to the Display Filter" configuration page, you should see the list of all created traffic filters including the one you just created. When you create a filter it is enabled by default, which means that any traffic which matches the filter will not be displayed in the traffic logs view (and traffic logs searches if selecting "Enable Display Filters"). However, it is possible to disable the filter temporarily by clicking on the "disable" button in the options section of the traffic display filter main page. Other options include "clone" (which will be discussed shortly), edit (which allows you to edit the specific filter) and remove (which will permanently remove the traffic display filter). You can view the filter details by clicking on the filter name column (first column starting from the left).

The following screenshot shows the Main Display Filter Configuration after we've created our display filter:

6.6.1-6: Main Display Filter Configuration after Creation

• General Traffic Display Filter Configuration Page
  -> Under the "Options" column, click on "[ clone ]" for the desired row matching the traffic display filter you want to clone.
• Specific Traffic Display Filter Viewing Page
  -> When you're at to the General Traffic Display Filter Configuration page, you can click on the Filter Name to open the specific details for the traffic display filter. At the Options tab on the bottom of the specific traffic display filter page you can select the "Clone Traffic Filter" option.
• Specific Traffic Display Filter Creation Page
  -> When you've created a display filter you will get a summary with the details of the filter which has just been created. At the Options tab on the bottom of the specific traffic display filter page you can select the "Clone Traffic Filter" option.

Oftentimes you may come across traffic which may at first sight be unknown, especially some of the TCP/UDP high ports which are often used for Trojans as well as several legitimate applications (especially those very useful backup applications and the likes;). However, whilst traffic on port 80 and port 25 are well known services, an incoming scan on UDP/17500 may not be for example. That's why I've added the Traffic Descriptions functionality to PIX Logging Architecture, which is a feature that allows a user to define a description for a certain type of traffic. When the user clicks on the traffic details for this unknown traffic, each time it matches a traffic description, the description will be shown. Traffic Descriptions are accumulative, which means you can define multiple traffic descriptions for the same type of traffic and PIX Logging Architecture will then show you all of them. Traffic Descriptions are configured in a similar manner as Traffic Display Filters.

Note: Wildcards can be used for Traffic Descriptions in exactly the same way as for Display Filters.

There's three ways of creating a traffic description:

6.7.1 Creating a Traffic Description Manually

Menu Item: (Main Menu) > "Configuration"
Menu Item: (Sub Menu) > "Traffic Logs"
Menu Item: (Sub Menu Choice) > "Configure Descriptions"


6.7.1-1: Main Menu View


The page you get when you click on the "Configure Descriptions" link represents the main menu for the Traffic Description configuration.

6.7.1-2: Main Traffic Description Configuration


The page lists all your traffic descriptions and gives you a little menu on the top when you click on the plus-sign in front of the "Description Options" link on the top. Using this menu you can create a new traffic description and search for certain variables within existing descriptions.

Creating a Traffic Description manually involves several steps:

Step 1 - On the Traffic Description configuration page, expand the "Description Options" and click on the "Create" button

6.7.1-3: Expanding and Creating Title Menu


Step 2 - You'll now get a page with all blank form fields, some of which are input boxes, others are drop down menus. The following lists all the required form criteria and whether wildcards can be used:


• Description Name [Required] (Short name of the description) (input text box)
• Logging Resource (Allows you to select which firewalls logs the description should be active for) (choose one)
  + All Firewalls
  + <name of firewall>
• Logging Action (Allows you to select which traffic action the traffic description should be active for) (choose one)
  + Any
  + Accept
  + Drop
• Protocol (Allows you to select which protocol the description should be active for) (choose one)
  + TCP
  + UDP
  + ICMP
• Traffic Type / Priority( Allows you to select what kind of traffic this is - just used for reference) (choose one)
  + Normal / Low
  + Normal / Medium
  + Normal / High
  + Anomalous / Low
  + Anomalous / Medium
  + Anomalous / High
• Source IP (Source IP for which the description should be active) [wildcards allowed!] (input text box)
• Source Port (Source Port for which the description should be active) [wildcards allowed!] (input text box)
• Destination IP (Destination IP for which the description should be active)[wildcards allowed!] (input text box)
• Destination Port (Destination Port for which the description should be active) [wildcards allowed!] (input text box)
• Description Detail (Detailed information of the traffic description) (input text box) (input text box)

Click on the "Create" button to create the description or on the "Reset" button to reset the form.

The following screenshot shows a Description which triggers on all TCP traffic from 10.10.10.x to any destination on destination port 445 (basically MS DCE traffic).

6.7.1-4: Creating a Traffic Description


Step 3 - Once you've created the description you'll get a page with the summary of the Traffic Description you've just created. You've got three options from this page:


• Clone This Description (I'll come back to this later)
• Edit This Description (Allows you to modify the description you just created)
• Go Back to the Traffic Description configuration page.

The following screenshot shows a successful Description creation for the above defined criteria:

6.7.1-5: Successful Traffic Description Creation


Step 4 - When you click on the "Back to the Traffic Description" configuration page, you should see the list of all created traffic description including the one you just created. Options on this page include "clone" (which will be discussed shortly), edit (which allows you to edit the selected description) and remove (which will permanently remove the traffic description). You can view the description details by clicking on the Description Name column (first column starting from the left).

The following screenshot shows the Main Traffic Description Configuration after we've created our Traffic Description:

6.7.1-6: Main Traffic Description Configuration after Creation

• General Traffic Description Configuration Page
  -> Under the "Options" column, click on "[ clone ]" for the desired row matching the traffic description you want to clone.
• Specific Traffic Description Viewing Page
  -> When you're at to the General Traffic Description Configuration page, you can click on the Description Name to open the specific details for the traffic description. At the Options tab on the bottom of the specific traffic description page you can select the "Clone Traffic Description" option.
• Specific Traffic Description Creation Page
  -> When you've created a Traffic Description you will get a summary with the details of the description which has just been created. At the Options tab on the bottom of the specific traffic description page you can select the "Clone Traffic Description" option.

Sometimes there's recurring traffic which you look for on a daily basis and you would like to run recurring searching for this type of traffic. While running a traffic logs search is not a bad idea, it requires you to input the parameters every time. Therefore I've created a Traffic Query, which is basically "Set of Saved Search Parameters" which can then be given a name and ran at a later time. The advantage of using queries is that you do not need to re-type the parameters all ovah again with each recurring seach you do for similar traffic. Traffic Queries are configured in a similar manner as Traffic Display Filters.

Note: Wildcards can be used for Traffic Queries in exactly the same way as for Display Filters.

There's three ways of creating a traffic query:

6.8.1 Creating a Traffic Query Manually

Menu Item: (Main Menu) > "Configuration"
Menu Item: (Sub Menu) > "Traffic Logs"
Menu Item: (Sub Menu Choice) > "Configure Queries"


6.8.1-1: Main Menu View


The page you get when you click on the "Configure Queries" link represents the main menu for the Traffic Description configuration.

6.8.1-2: Main Traffic Queries Configuration


The page lists all your traffic queries and gives you a little menu on the top when you click on the plus-sign in front of the "Query Options" link on the top. Using this menu you can create a new traffic queries and search for certain variables within existing queries.

Creating a Traffic Query manually involves several steps:

Step 1 - On the Traffic Query configuration page, expand the "Query Options" and click on the "Create" button

6.8.1-3: Expanding and Creating Title Menu


Step 2 - You'll now get a page with all blank form fields, some of which are input boxes, others are drop down menus. The following lists all the required form criteria and whether wildcards can be used:


• Query Name [Required] (Short name of the query) (input text box)
• Logging Resource (Allows you to select which firewalls logs the query should be active for) (choose one)
  + All Firewalls
  + <name of firewall>
• Logging Action (Allows you to select which traffic action the query should be active for) (choose one)
  + Any
  + Accept
  + Drop
• Protocol (Allows you to select which protocol the query should be active for) (choose one)
  + TCP
  + UDP
  + ICMP
• Log Message (Allow you to select which log message matches the query) (choose one)
  + Any
  + (i.e. PIX-3-313100,..)
• Source IP (Source IP for which the query should be active) [wildcards allowed!] (input text box)
• Source Port (Source Port for which the query should be active) [wildcards allowed!] (input text box)
• Destination IP (Destination IP for which the query should be active)[wildcards allowed!] (input text box)
• Destination Port (Destination Port for which the query should be active) [wildcards allowed!] (input text box)
• Query Detail (Detailed information of the traffic query) (input text box) (input text box)

Click on the "Create" button to create the Traffic Query or on the "Reset" button to reset the form.

The following screenshot shows a Query which matches all TCP traffic from 10.10.10.x to any destination on destination port 445 (basically MS DCE traffic).

6.8.1-4: Creating a Traffic Query


Step 3 - Once you've created the description you'll get a page with the summary of the Traffic Query you've just created. You've got three options from this page:


• Clone This Query (I'll come back to this later)
• Edit This Query (Allows you to modify the query you just created)
• Go Back to the Traffic Queries configuration page.

The following screenshot shows a successful Traffic Query creation for the above defined criteria:

6.8.1-5: Successful Traffic Query Creation


Step 4 - When you click on the "Back to the Traffic Query" configuration page, you should see the list of all created traffic queries including the one you just created. Options on this page include "clone" (which will be discussed shortly), edit (which allows you to edit the selected query) and remove (which will permanently remove the traffic query). You can view the query details by clicking on the Query Name column (first column starting from the left).

The following screenshot shows the Main Traffic Query Configuration after we've created our Traffic Query:

6.8.1-6: Main Traffic Query Configuration after Creation

• General Traffic Query Configuration Page
  -> Under the "Options" column, click on "[ clone ]" for the desired row matching the traffic query you want to clone.
• Specific Traffic Query Viewing Page
  -> When you're at to the General Traffic Query Configuration page, you can click on the Query Name to open the specific details for the traffic query. At the Options tab on the bottom of the specific traffic query page you can select the "Clone Traffic Query" option.
• Specific Traffic Query Creation Page
  -> When you've created a Traffic Query you will get a summary with the details of the query which has just been created. At the Options tab on the bottom of the specific traffic query page you can select the "Clone Traffic Query" option.

Menu Item: (Main Menu) > "Queries"

6.9-1: Main Menu View


Once the Traffic Queries have been created, they can be executed using at the "Queries" menu from the top menu bar. In order to execute the Traffic Query, you have to select the data for which the traffic query applies, then select the Query Name of the Traffic Query you wish to execute and select whether or not you would like to resolve the hostnames (by default no resolution is done). Click on the "GO" button in order to execute the query.

The following screenshot shows a Query being executed for some Gmail Update Traffic on port (995):

6.9-2: Running Traffic Query


When the Traffic Query has been executed, it will return a list of matching log entries and from this point on you can continue to use this PIX Logging Architecture page in the same way as you do with the Search Results or the Traffic Logs page, including the same paging and sorting functions which exist in the other pages.

In addition to Traffic Display filtering which filters out logged data from being displayed to the user, it is possible to also filter out traffic before it gets logged to the PLA database. There may be certain types of traffic which are overhead and you may not way to see logged, such as Nokia VRRP traffic, Multicast traffic, bulk HTTP, HTTPS, DNS and other type of traffic. Filtering out this traffic at the parsing stage ensures that the PLA database does not get "polluted" with unnecessarily logged traffic and helps maintain the database in keeping its size smaller. I've added Parse Filters exactly for this purpose. The way a parse filter works is by defining the criteria for traffic which should be filtered. For example:

Example 1 - Multiple ANY Wildcards (1)

Condition:	all outbound UDP DNS requests from your DNS server (10.10.10.10) should be filtered from being logged to the database
Pseudo-Filter:	Source_IP: 10.10.10.10 Source_Port:<leave_blank> Destination_IP:<leave_blank> Destination_Port:53 Protocol:UDP

Example 2 - Multiple ANY Wildcards (2)

Condition:	all outbound UDP DNS requests from your DNS server (10.10.10.10) to 192.168.1.1 and 192.168.1.2 and 192.168.1.3 should be filtered from being logged to the database
Pseudo-Filter:	Source_IP: 10.10.10.10 Source_Port:<leave_blank> Destination_IP:192.168.1.1 Destination_Port:53 Protocol:UDP  Source_IP: 10.10.10.10 Source_Port:<leave_blank> Destination_IP:192.168.1.2 Destination_Port:53 Protocol:UDP  Source_IP: 10.10.10.10 Source_Port:<leave_blank> Destination_IP:192.168.1.3 Destination_Port:53 Protocol:UDP

As you can see in the above example, only a <leave_blank> wildcard may be used by leaving the field blank and matching the entire field. Partial matching wildcards using the "%" (percentage) character are NOT ALLOWED in the parse filters.

Notes:

Step 1 - On the Parse Filter configuration page, expand the "Parse Filter Options" and click on the "Create" button

6.10.1-3: Expanding and Creating Title Menu


Step 2 - You'll now get a page with all blank form fields, some of which are input boxes, others are drop down menus. The following lists all the required form criteria and whether wildcards can be used:


• Filter Name [Required] (Short description of the filter) (input text box)
• Logging Resource (Allows you to select which firewalls logs the parse filter should be active for) (choose one)
  + All Firewalls
  + <name of firewall>
• Logging Action (Allows you to select which traffic action the parse filter should be active for) (choose one)
  + Any
  + Accept
  + Drop
• Protocol (Allows you to select which protocol the parse filter should be active for) (choose one)
  + TCP
  + UDP
  + ICMP
• Source IP (Source IP for which the parse filter should be active) [wildcards allowed!] (input text box)
• Source Port (Source Port for which the parse filter should be active) [wildcards allowed!] (input text box)
• Destination IP (Destination IP for which the parse filter should be active)[wildcards allowed!] (input text box)
• Destination Port (Destination Port for which the parse filter should be active) [wildcards allowed!] (input text box)
• Filter Description (Longer description of the filter) (input text box)

Click on the "Create" button to create the filter or on the "Reset" button to reset the form

The following screenshot shows a Display Filter which filters all TCP traffic from 10.10.10.1 to any destination on destination port 445 (basically MS DCE traffic).

6.10.1-4: Creating a Parse Filter


Step 3 - Once you've created the filter you'll get a page with the summary of the filter you've just created. You've got three options from this page:


• Clone This Filter (I'll come back to this later)
• Edit This Filter (Allows you to modify the filter you just created)
• Go Back to the Parse Filter configuration page.

The following screenshot shows a successful Parse Filter creation for the above defined criteria:

6.10.1-5: Successful Parse Filter Creation


Step 4 - When you click on the "Back to the Parse Filter" configuration page, you should see the list of all created parse filters including the one you just created. When you create a filter it is enabled by default, which means that any traffic which matches the filter will not be logged into the database. However, it is possible to disable the filter temporarily by clicking on the "disable" button in the options section of the parse filter main page. Other options include "clone" (which will be discussed shortly), edit (which allows you to edit the specific filter) and remove (which will permanently remove the tparse filter). You can view the filter details by clicking on the filter name column (first column starting from the left).

The following screenshot shows the Main Parse Filter Configuration after we've created our display filter:

6.10.1-6: Main Parse Filter Configuration after Creation

• General Parse Filter Configuration Page
  -> Under the "Options" column, click on "[ clone ]" for the desired row matching the parse filter you want to clone.
• Specific Parse Filter Viewing Page
  -> When you're at to the General Parse Filter Configuration page, you can click on the Filter Name to open the specific details for the parse filter. At the Options tab on the bottom of the specific parse filter page you can select the "Clone Parse Filter" option.
• Specific Parse Filter Creation Page
  -> When you've created a parse filter you will get a summary with the details of the filter which has just been created. At the Options tab on the bottom of the specific parse filter page you can select the "Clone Parse Filter" option.

When running PLA in an environment with a high amount of traffic you can easily start filling up the PLA database. In order to keep tabs on the size of the PLA database, I've added the Log Purging feature, which allows users to delete PLA log entries older than a certain date. While it is not possible to manually specify a log purging policy, several policies have been pre-defined which can be used to purge the PLA database.

Menu Item: (Main Menu) > "Configuration"
Menu Item: (Sub Menu) > "Global Configuration"
Menu Item: (Sub Menu Choice) > "Configure Log Purging"


6.11-1: Main Menu View


The General Log Purging page can be found when clicking on the "Configure Log Purging" link under the "Global Configuration" section of the "Configuration" menu. The "Configure Log Purging" page lists the various log purging policies which can be selected by clicking on them. The following log purging policies exist for Traffic, IDS and Informational logs:

• Older than 7 days
• Older than 14 days
• Older than 21 days
• Older than 1 month
• Older than 2 months
• Older than 3 months
• Older than 6 months
• Older than 1 year
• Older than 2 years
• Older than 3 years

• Purging Policy Name
• Purging Policy Description
• Purging Policy Target (traffic_log, ids_log or info_log)
• Purging All Logs Newer Than: <start_date>
• Purging All Logs Older Than: <end_date>
• Number of Log Records Matching the Purging Criteria: <number_of_records_to_be_purged>

• I wish to purge the PLA Database according to the Purge Policy "<Purging_Policy_Name>".
• I accept the responsibility for the permanent deletion of certain records from within the PLA Database.

• Total Number of Records in Table before Purge
• Total Number of Records being Purged in accordance with the selected policy
• SQL statement used to purge the logs
• Total Number of Records remaining after the Purge has taken place

The PLA Parsing Daemon is responsible for extracting the log entries from the system log messages file and push them to the database. A lot of the work of the PLA Parsing Daemon is performed in memory so you'll have to ensure that the system running the PLA Parsing Daemon has an adequate amount of memory. For medium to large deployments I'd recommend between 256MB and 1024MB of memory. As for the CPU, I've had it running on P3 and P4 machines without much of a problem. Disk space is not necessarily a concern on the PLA Parsing Daemon since you can set up a log rotation policy for syslog which will "remove" the old system log files.

The PLA Database is the most resource intensive and demanding component of the PLA infrastructure, it goes without say that enough disk space needs to be on the PLA Database server in order to house the database. To create an average statistic, each log entry takes up about 0.25Kb. So if you've got a network with 1.000.000 daily log entries into the PLA database then you're looking at a daily growth of the PLA database of +/- 400MB. So if you're willing to retain your logs for 90 days you're looking at 36GB of data. So ensure that whatever the capacity of your disk, it is enough to sustain the growth of the used disk space introduced by the traffic logged into the PLA database. Moreover, the PLA Database server is also in charge of handling the SQL queries, which can oftentimes be quite resource-intensive depending on the granularity of the request. You'll have to forsee a good amount of memory on this server anywhere between 512MB and 1-2GB depending on the types of the queries. As for CPU, I'd recommend a P4 or Dual Core CPU.

The PLA Web-based Front End Server is the least resource intensive component out of all of 3 PLA components and does not have any special requirements.

Whilst it is perfectly possible to install the different components of the PIX Logging Architecture infrastructure and let the logs come in, this may not be the most efficient approach. You may have traffic logged that you don't want to log. You may be logging certain log messages which are not necessarily useful to you, etc.. etc.. I've done several PIX Logging Architecture v2.00 deployments, both on small as well as on large networks and it's sometimes a very painful thing to find out that you're getting 100+ log entries a second into the database and then need to start figuring out what logs you should be filtering. Thus to minimize such "nightmares", out of my experience I'd like to share the following recommended deployment steps with you:

1. Install all 3 PLA components (PLA Parsing Daemon, PLA Database, PLA Web-Based Front End) and their required supporting software (Apache/MySQL/Perl/Perl Modules)

2. Download the latest version of the syslog_message table which you can find on the PLA website at http://www.logging-architecture.net/pla2/release/supportedmessages.html

3. Start running the PLA Database and the PLA web-based front end - DO NOT activate the PLA Parsing Daemon yet!

4. If you already know which specific traffic you do not want to log, start creating Parse Filters for this traffic.

5. If you already know which specific traffic you want to log but not display, start creating Traffic Display Filters for this traffic.

6. If available, a trending of network traffic top services and top connections would be a plus, if not you'll have to handle in a "best effort" methodology, but try and find out what overhead traffic may be transitting your networks, and create very broad (display and/or parse) filters for these types of traffic. Typical "high overhead traffic filters" are:


- Source_IP: ANY | Source_Port: ANY | Destination_IP: Any | Destination_Port: 80
- Source_IP: ANY | Source_Port: ANY | Destination_IP: Any | Destination_Port: 443
- Source_IP: ANY | Source_Port: ANY | Destination_IP: Any | Destination_Port: 8080
- Source_IP: ANY | Source_Port: ANY | Destination_IP: Any | Destination_Port: 25
- Source_IP: ANY | Source_Port: ANY | Destination_IP: Any | Destination_Port: 110
- Source_IP: ANY | Source_Port: ANY | Destination_IP: Any | Destination_Port: 53
- Source_IP: ANY | Source_Port: ANY | Destination_IP: Any | Destination_Port: 139 (that's always an evil one;)
- Source_IP: ANY | Source_Port: ANY | Destination_IP: Any | Destination_Port: 445 (another evil one perhaps?;)


7. Activate Syslogd Remote Log reception on the Logging Host and configure the PIX/FWSM to log to this host - DO NOT activate the PLA Parsing Daemon yet!

8. Let Syslogd run for a predefined time period (1 hour is usually always a good sampling already) and look through the log file, ensure that the log messages which are indicated in the log file match those defined as parsing criteria in the "syslog_messages" table of the PLA database. For a list of all log messages which are logged or specifically excluded, please refer to the PIX Logging Architecture v2.00 web site. Also create traffic display filters and parse filters for any traffic which you may have noticed in the log file and do not want to log or display.

9. Create Traffic Queries for known and unknown traffic so you can easily identify these types of traffic.

10. Activate Syslogd Remote Log reception once more and start running the PLA Parsing Daemon (pla_parsed).

11. Connect to the PLA web-based front end and ensure that messages are entered correctly into the database.

12. Continue configuring Traffic Display Filters and Parse Filters as you see the accumulation of log traffic.

The PIX Logging Architecture Parsing Daemon (pla_parsed) uses a predefined set of criteria to be able to match incoming logs to known parsing formats and thus extrapolate the required information from the log file. The way this is done is using a "syslog_message" table within the PLA database which contains all the known log formats and defines what should be logged and should not be logged. The purpose of this section is to explain how parsing is done so that if you need to change anything to the PLA database parsing you'll know what to look for. No web-based front end is available for editing the syslog_messages table and thus you'll have to get your hands dirty inside the PLA database to be able to create some new log messages. I've provided this chapter for a good understanding how the PIX Logging Architecture's Parsing Daemon (pla_parsed) evaluates the log messages and to understand the construction of the "syslog_message" table so you can start added your own log messages which may not yet included in the default set of PLA supported log messages.

The "syslog_message" table consists of the following fields, as shown in the following "describe syslog_message" output:

		+--------------------+-----------------+------+-----+---------+----------------+
		| Field              | Type            | Null | Key | Default | Extra          |
		+--------------------+-----------------+------+-----+---------+----------------+
		| field_id           | int(8) unsigned |      | PRI | NULL    | auto_increment |		
		| message_id         | varchar(20)     | YES  |     | NULL    |                |
		| message_type       | int(8)          | YES  |     | NULL    |                |
		| message_regex      | varchar(255)    | YES  |     | NULL    |                |
		| message_time       | varchar(32)     | YES  |     | NULL    |                |
		| message_action     | varchar(32)     | YES  |     | NULL    |                |
		| regex_src_ip       | int(8) unsigned | YES  |     | NULL    |                |
		| regex_dst_ip       | int(8) unsigned | YES  |     | NULL    |                |
		| regex_src_pt       | int(8) unsigned | YES  |     | NULL    |                |
		| regex_dst_pt       | int(8) unsigned | YES  |     | NULL    |                |	
		| regex_xlate_src_ip | int(8) unsigned | YES  |     | NULL    |                |
		| regex_xlate_dst_ip | int(8) unsigned | YES  |     | NULL    |                |
		| regex_xlate_src_pt | int(8) unsigned | YES  |     | NULL    |                |
		| regex_xlate_dst_pt | int(8) unsigned | YES  |     | NULL    |                |
		| regex_idsmsg       | int(8) unsigned | YES  |     | NULL    |                |
		| regex_proto        | int(8) unsigned | YES  |     | NULL    |                |
		| regex_flags        | int(8) unsigned | YES  |     | NULL    |                |
		| regex_time         | int(8) unsigned | YES  |     | NULL    |                |
		| regex_sig          | int(8) unsigned | YES  |     | NULL    |                |
		| regex_msg          | int(8) unsigned | YES  |     | NULL    |                |
		| regex_iface        | int(8) unsigned | YES  |     | NULL    |                |
		+--------------------+-----------------+------+-----+---------+----------------+
		21 rows in set (0.00 sec)
	   

• Traffic Logs (Message Type: 1)
• IDS Logs (Message Type: 2)
• Informational Logs (Message Type: 0)

• The PLA Parsing Daemon connects to the PLA database upon startup and downloads the entire syslog_message table into memory.
• For each new incoming message, the PLA parsing daemon will match the message_id (i.e. PIX-6-302015) of the incoming log entry with the ones it has extracted from the database.
• If it matches the database it's going to check the value for message_type, if it's 1 (Traffic Logs) or 2 (IDS Logs), the PLA parsing daemon will continue to parse all the information in accordance with the regular expressions (RegEx) condition specified in the "message_regex" field of the syslog_message table.

		+--------------------+------------------------------------------------------------------------------------------------+
		| Field              | Value                                                                                          |
		+--------------------+------------------------------------------------------------------------------------------------+
		| field_id           | 4                                                                                              |	
		| message_id         | PIX-6-302015                                                                                   |
		| message_type       | 1                                                                                              | 
		| message_regex      | Built outbound (.*) connection .* for .*:(.*)/(.*) .(.*)/(.*). to .*:(.*)/(.*) .(.*)/(.*)..    | 
		| message_time       | %b %d %Y %H:%M:%S                                                                              |
		| message_action     | ACCEPT                                                                                         |
		| regex_src_ip       | 6                                                                                              |   
		| regex_dst_ip       | 2                                                                                              |  
		| regex_src_pt       | 7                                                                                              |
		| regex_dst_pt       | 3                                                                                              |  
		| regex_xlate_src_ip | 8                                                                                              |  
		| regex_xlate_dst_ip | 4                                                                                              |  
		| regex_xlate_src_pt | 9                                                                                              | 
		| regex_xlate_dst_pt | 3                                                                                              |   
		| regex_idsmsg       | 0                                                                                              |    
		| regex_proto        | 1                                                                                              |  
		| regex_flags        | 0                                                                                              | 
		| regex_time         | 0                                                                                              |  
		| regex_sig          | 0                                                                                              | 
		| regex_msg          | 0                                                                                              | 
		| regex_iface        | 0                                                                                              |   
		+--------------------+------------------------------------------------------------------------------------------------+
	   

• Define what should be logged into the Informational Logs table.
• Define what should not be logged at all.

For example: PIX log message PIX-6-603109 (which informs about PPPoE status) - adheres to this condition (message_type=0 / message_action=1)

Thus the following message:



Oct 29 06:55:15 fwext-dmz-01.dmz.counterstrike.mil Oct 29 2006 06:54:07: %PIX-6-603109: Teardown PPPOE Tunnel, tunnel_id = 0, remote_peer_ip = 80.200.224.1


Will be logged as an informational log message with the following information field:

"Teardown PPPOE Tunnel, tunnel_id = 0, remote_peer_ip = 80.200.224.1"

This condition is valid for ALL message types (Traffic Logs, IDS Logs, Informational Logs) regardless of their nature. This has been added to provide the ability to users to exclude certain log messages from being logged based on the message id (i.e. PIX-6-305011). Excluding specific log entries can be a critical part of keeping the PLA database down to a reasonable size.

For example, PIX Log Message PIX-6-305011 (which describes Port Address Translation) for dynamic port openings is not logged to the PLA database because it creates a lot of overhead information and thus has been excluded with the excluded log message (message_type = 0 and message_action = 0) setting.

Thus the following message:



Mar 11 13:19:15 fwext-dmz-01.dmz.counterstrike.mil Mar 11 2007 13:14:22: %PIX-6-305011: Built dynamic TCP translation from inside:10.10.10.8/4292 to outside:147.64.50.89/1243


Will be discarded by the PLA Parsing Daemon because it matches an excluded log message id (PIX-6-305011) with the (message_type = 0 and message_action = 0) setting.

I'd like to take this opportunity to introduce the people who have worked on making PIX Logging Architecture a reality and are continuing efforts on making this a great and useful piece of software!

Just a quick intro.. I'm Kris Philipsen, Senior Security Consultant at Cybertrust, Inc. [http://www.cybertrust.com] and based in their Luxembourg, Europe office but I basically travel all over the world for my job. My interest in Cisco PIX, FWSM and everything that has to do with Cisco has started a long time ago now which is the reason why I'm running a PIX firewall here at my house and was having, like many other people, tremendous problems with Cisco's log strategy so I decided to change some things and make my (and hopefully everybody elses) life a little easier by bringing the PIX Logging Architecture project to life. As far as Cisco goes, I'm currently CCNP, CCSP and am working towards my CCIE Security for which I've passed the written exam so far.

I'm gonna take this opportunity to introduce Peter. A great friend and colleague for many years already! Peter Boutzev is Senior Security Consultant at Cybertrust, Inc. [http://www.cybertrust.com] and based in their Luxembourg, Europe office. Peter, just like Kris, is also very interested in everything that has to do with Cisco stuff as well as open source software. I definitely want to thank Peter for all of the great efforts and time he's put into helping me co-develop PLA and coming up with new and exciting features! It's an honor to work with you Peter. I'd also like to give mad kudos to Peter for passing the CCIE Security lab exam in mid-2006.. so Peter's now officially part of the CCIE Security club.. congrats dude and hope to follow you there soon!

Thanks to all people who have been wonderful in helping improve PIX Logging Architecture and making it into what it is today.

I'd like to especially thank my friend Christophe who's extensively tested PIX Logging Architecture v2.00 in the corporate infrastructure of the company he works for and has been great in giving me feedback on the FWSM testing and has come up with some ideas for new features which have currently been integrated into PLA v2.00.

I'd also like to thank and give special attention to Viviane, the woman of my life who has put up with me while I've been working on designing, coding and improving PIX Logging Architecture (and of course writing this insanely long document). I love you!

If you like the PIX Logging Architecture project and would like to support us there's several ways of doing this:

Help us improve PIX Logging Architecture by giving us your feedback, comments and bug reports so we can get on making PLA a better piece of software.

We've got a small logo which you can use to link to us using the following HTML code:

<a href="http://www.logging-architecture.net"><img src="http://www.logging-architecture.net/pla_banner_small.jpg" alt="PIX Logging Architecture" border="0"></a>

PIX Logging Architecture is a software which is being provided for free and can be used without any obligations or monetary compensation. Nevertheless, costs (such as hosting as well as hardware investments) are involved in running the PIX Logging Architecture project and keeping it as up to date as possible and support the latest software and hardware technologies which we try to maintain through the means of donations and sponsored ads clicks. Your click to our sponsors as well as your donations to this project can make the difference in keeping the site and it's project up and running!

Please refer to the http://www.logging-architecture.net/pla2/ website for more information on this.

8.4 PIX Logging Architecture Resources

Besides this Installation, Configuration and Usage guide for PIX Logging Architecture, I've also put 5 mailing lists up regarding various topics relating to PIX Logging Architecture:

• pixla-announce
• pixla-bugs
• pixla-comments
• pixla-logs
• pixla-support

Please refer to the following page if you're interested in subscribing to these mailing lists: http://www.logging-architecture.net/pla2/.

PIX Logging Architecture Banner:    Last Update: 25-Mar-2007   

Thanks to Viviane and Carlos Eduardo for helping me out with the design of this site!