EventId.Net - Firewalls
FIREGEN FOR PIX 2.x FREQUENTLY ASKED QUESTIONS

1. How do I configure FireGen to analyze my logs?
2. I purchased FireGen 1.x two months ago but did not purchase Software Maintenance. How can I upgrade to 2.x?
3. When I run a report on demand, everything works fine but when I schedule a report with the same settings, the reports arrive blank.
4. All the reports I generate are blank while the logs seem to contain relevant information for the selected period of time. I also get an error saying: "Analyze has returned code: 1 (invalid). Error: ". What is the problem?
5. My log files are very large. What is the limit for FireGen?
6. Can I schedule FireGen to run more than once per day?
7. When I run a report, all the previous reports get deleted. How can I configure Firegen not to delete the old reports?
8. How does FireGen work with zipped log files?
9. How can I migrate the FireGen settings from one computer to another?

10. What are the limitations of the evaluation version?
11. Do I need a syslog server in order to use FireGen?
12. How should I configure the Pix firewall in order to generate the logs supported by FireGen?

13. How can I change the 50 messages limit that is used in the reports?
14. How to upgrade to FireGen 2.60 (or higher) from an older version?
15. What is the role of the "Sample log" setting on the "Log profiles" tab?
16. How can I configure FireGen so certain sections are not created?
17. I scheduled a report on Windows 2003 but no reports are generated. What is the problem?
18. Is FireGen available for a Linux platform?
19. I am using Kiwi Syslog. How should I configure it so the logs can be analyzed by FireGen?
20. What is the recommended hardware for the computer running FireGen?

21. Can I specify different settings for each log profile?
22. I am trying to install FireGen but I get the "The system cannot open the device or file specified." followed by "Internal Error 2755" error messages.
23. How can I analyze Cisco router logs with FireGen for Pix Log Analyzer?

Q1: How do I configure FireGen to analyze my logs?
A:

1. Open the configuration interface
2. Switch to the "Log Profiles" tab
3. In the "Create Log Host Profile" section create a new profile:
- Enter a name for the profile (e.g. Pix151)
- Select a sample log by browsing to one of the existing firewall logs. FireGen will use this sample log to identify the format of the log, the logs' location and their naming convention. If the logs are not on the same computer as FireGen, create a share on the log server so the FireGen computer can access it. If the logs are on a Linux server, you can use Samba to share the location of the logs.
- Select the "Date format used by the log name" - FireGen cannot determine whether, in a log name like log-2004-03-04.log, "03" is the month or the day.
- Select the "Date format used for the log entries" - as above, FireGen cannot determine whether, in an entry like "2004-03-04,192.168.7.3,1,3,%PIX-6-342343,Firewall message", the "03" refers to the month or to the day.
4. Click "Create" - A new profile will be created that can be modified any time by using the "Modify Log Host profile" section

Now you can switch back to the "On Demand" tab, select the new profile from the "Log host" drop down list, the time interval you want to analyze and then click on "Analyze" to run the analysis.

By default, when they are created, the log host profiles are also configured to be included in the "scheduled analysis". To disable the analysis of this profile during the scheduled reports, in the "Modify Log Host" section, uncheck the "Schedule" checkbox and save the changes. Please note also that during the scheduled analysis, the account configured for the FireGen service needs to have the right to access the logs' location. If the logs are on a remote server, the default "system account" does not have the right to access them.
See also the supported log formats.

If you still have problems, please do not hesitate to contact one of our engineers by email (support@firegen.com) or by phone (+1 905 854-5367).

   

Q2: I purchased FireGen 1.x two months ago but did not purchase Software Maintenance. How can I upgrade to 2.x?
A: You are eligible for a free upgrade for 3 months after purchasing FireGen for Pix 1.x, so you can get a free upgrade to 2.x.

   
Q3: When I run a report on demand, everything works fine but when I schedule a report with the same settings, the reports arrive blank.
A: When running reports on demand, the file permissions used by FireGen are the ones that the current user has. For the scheduled reports, the permissions of the account set for the FireGen service are used. If, for example, the FireGen service is configured to use the "system" account (the default setting), this account will not be able to access reports on remote computers, as the "system" account only has local rights. Verify that the account used by the service has at least read rights to the location of the logs and read/write rights to the location configured for reports and for the working directory.
   
Q4: All the reports I generate are blank while the logs seem to contain relevant information for the selected period of time. I also get an error saying: "Analyze has returned code: 1 (invalid). Error: ".
A: If all the settings appear ok (logs location, selected data range) please verify that the account used to generate the reports has rights to the location configured as "Working directory" (via the "General" tab). By default this location is set to "C:\temp" and we found that on some computers the C:\temp directory does not exist.

To get a more verbose cause of the failure, please run the FireGenPix2CLI in a command line prompt. If the cause is still unclear, please email us the output of the FireGenPix2CLI command.

   
Q5: My log files are very large. What is the limit for FireGen?
A: The largest log set that we have analyzed was 1.5 GB. The analysis took 11 hours on a Windows 2000 Server with a single Intel P4 2.5 GHz CPU and 512 MB RAM. Officially we do not support logs larger than 100 MB. FireGen should not crash regardless of the size of the logs, but the larger the logs are, the longer it will take to analyze them.

One 100 MB log, when the logging level configured for the Pix firewall is 6 or 7, should contain around 700,000 lines and take between 20 and 30 minutes on a computer with the specs indicated at Q20.

There are many factors that affect the performance:
- the computer performance (the more powerful the CPU, the better, as many FireGen processes are CPU intensive)
- the nature of the data in the logs (the type of Pix messages that are prevalent in your environment and the version of Pix firmware running on your firewall)
- the location of the logs (local or on a remote server)
- the type of syslog server (some syslog formats require more processing)
- the filtering criteria that you specify and the number of protocols you want to monitor in detail
- the impact of other applications running on that computer (FireGen runs at "idle" priority, so the other applications will have precedence)
- the DNS resolution duration for IP addresses that appear in the report

For example, on our test computer an Intel P4 2.4 GHz, 1 GB RAM, WD WD800JB-00CRA1 Hard Disk (80GB ATA100 7200RPM 8MB cache) running Windows 2000 Advanced Server SP 4 - we analyzed a 100 MB log in 19 minutes (from which 4 minutes were spent for DNS resolution). The format of the test log was PFSS:

<166>Jul 07 2005 00:00:00 : %PIX-6-302014: Teardown TCP connection 7980206 for dmz:10.2.174.201/3573 to inside:10.1.174.173/3828 duration 0:00:01 bytes 224 TCP FINs

The log contained approx 700,000 log entries and the logging level on the Pix firewall was set to 6.

One way to improve the analysis performance is to select only certain severity levels (e.g. only messages with severity level higher than "Warning"). One can also exclude certain PIX codes by adding the message code to the "Exclude" field on the "On Demand" or "Schedule" tabs.

Having reverse name resolution enabled can also significantly affect the analysis duration.
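As an added illustration of the two filtering knobs just described (this is not FireGen's own code), the following Python parses lines in the PFSS format shown above, splits the syslog priority into facility and severity, and applies a severity threshold plus an exclude list of PIX message codes. Only the first sample line comes from the page; the others are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed PFSS sample: the first line is the page's own example, the rest are
# made up for illustration (documentation IP ranges, hypothetical connection ids).
SAMPLE_LOG = """\
<166>Jul 07 2005 00:00:00 : %PIX-6-302014: Teardown TCP connection 7980206 for dmz:10.2.174.201/3573 to inside:10.1.174.173/3828 duration 0:00:01 bytes 224 TCP FINs
<166>Jul 07 2005 00:00:01 : %PIX-6-302013: Built inbound TCP connection 7980207 for outside:192.0.2.10/40211 (192.0.2.10/40211) to dmz:10.2.174.201/80 (203.0.113.5/80)
<164>Jul 07 2005 00:00:02 : %PIX-4-106023: Deny tcp src outside:192.0.2.44/3389 dst inside:10.1.174.173/445 by access-group "outside_in"
<163>Jul 07 2005 00:00:03 : %PIX-3-305006: portmapping translation creation failed for udp src inside:10.1.174.9/137 dst outside:198.51.100.7/137
<167>Jul 07 2005 00:00:04 : %PIX-7-609001: Built local-host inside:10.1.174.173
"""

# <PRI>Mon DD YYYY HH:MM:SS : %PIX-<severity>-<code>: <text>
PFSS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) : "
    r"%PIX-(?P<sev>[0-7])-(?P<code>\d{6}): (?P<msg>.*)$")

# Cisco severity names indexed by level; 0 is the most severe, 7 ("debugging") the least.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

def parse_pfss_line(line):
    """Return the fields of one PFSS line, or None if the line is not in that format."""
    m = PFSS_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))            # syslog PRI = facility * 8 + severity
    return {"facility": pri // 8, "syslog_severity": pri % 8,
            "timestamp": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
            "pix_severity": int(m.group("sev")), "code": m.group("code"),
            "message": m.group("msg")}

def filter_entries(text, max_level=7, exclude_codes=()):
    """Keep entries at severity max_level (a number or a name) or more severe, i.e.
    numerically <= max_level, whose code is not in exclude_codes: the two knobs from Q5."""
    if isinstance(max_level, str):
        max_level = SEVERITY_NAMES.index(max_level)
    kept = []
    for line in text.splitlines():
        entry = parse_pfss_line(line)
        if entry is None or entry["pix_severity"] > max_level or entry["code"] in exclude_codes:
            continue
        kept.append(entry)
    return kept

def count_by_code(entries):
    """Per-message-code totals, the kind of figure that drives a report section."""
    return Counter(e["code"] for e in entries)
```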

* * *

For existing users we can provide a FireGen prototype designed to work with large log files. Please contact us for details.

   
Q6: Can I schedule FireGen to run more than once per day?
A: Using the configuration interface it is not currently possible to run such a schedule. However, the analysis engine is fully scriptable and it can be used to script the log analysis with custom schedules. See this link for more details.
You can also download the FireGenPix2CLI.exe (the command line version of the analyzer) and script it to run at the desired intervals using the MS Task Scheduler. Use the following syntax:
1. To run the analysis with the settings from the On Demand tab:
FireGenPix2CLI
2. To run the analysis with the settings from the Schedule tab:
FireGenPix2CLI sc
3. To run the analysis with the settings from the IP Forensics tab:
FireGenPix2CLI ip

Please note that when used with MS Task Scheduler, you need to specify the full path to the FireGenPix2CLI.exe file. If the path contains spaces, you need to enclose the full file name in double quotes. For example, if Firegen is installed on C:\Program Files\FireGenPix2, you need to specify the command as follows:

"C:\Program Files\FireGenPix2\FireGenPix2CLI.exe" sc

and the "Start in" folder as "C:\Program Files\FireGenPix2"

   
Q7: When I run a report, all the previous reports get deleted. How can I configure Firegen not to delete the old reports?
A: On the "General" tab of the configuration interface there is a checkbox "Delete previous reports" (checked by default). If you uncheck it, the old reports will not be deleted.
   
Q8: How does FireGen work with zipped log files?
A: The log file structure required for the analysis of zipped log files:
- all the log files have to be in the same directory
- the log sample specified for the log profile cannot be a zipped log (it only needs to contain one line in order for FireGen to be able to detect the format of the log)
- the only log file detection method supported is "Based on file naming convention"

Example:
1. All log files are saved under c:\Logs
2. Log file naming convention: syslog-yyyy-mm-dd.log
3. On a certain date, let's say August 5, 2004, the c:\Logs directory would contain:
- syslog-2004-08-05.log (the current log)
- syslog-2004-08-04.zip
- syslog-2004-08-03.zip
- syslog-2004-08-02.zip
- ….
- syslog-2004-05-05.log - the log specified as sample in the "Log profiles" tab

4. Firegen will be able to analyze the firewall activity for August 3, by temporarily unzipping syslog-2004-08-03.zip to syslog-2004-08-03.log and removing syslog-2004-08-03.log once the analysis is done.

Currently, only the .zip files are supported.

   
Q9: How can I migrate the FireGen settings from one computer to another?
A: Here are the steps that have to be performed in order to migrate the FireGen settings:
1. Install FireGen on the new computer
2. Export the HKEY_LOCAL_MACHINE\SOFTWARE\AltairTech\FireGenPix2 registry key from the old computer to a .reg file (e.g. firegen.reg)
3. Copy and import the firegen.reg registry file into the new computer
4. If on the old computer the FireGen for Pix service was configured to use a certain user account, replicate the settings for the FireGen service on the new computer
5. From the old computer copy the following files into the new location of FireGen (usually C:\Program Files\FireGenPix2) overwriting the existing files:
- dnsfgpix.cache
- fgpixMonitoredIPs.txt
- fgpixPatterns.txt
- fgpixProtocols.txt
   
Q10: What are the limitations of the evaluation version?
A: During the first 30 days, there are no limitations. After 30 days, part of the reports will be discarded.
   
Q11: Do I need a syslog server in order to use FireGen?
A: Yes, a syslog server is required. We recommend Kiwi Syslog. If you have problems configuring it, please contact us for help or see the setup procedure that we compiled.
   
Q12: How should I configure the Pix firewall in order to generate the logs supported by FireGen?
A: 1. Configure a syslog server. You can download the free Kiwi Syslog server and install it on any Windows NT/2000/XP/2003 machine (see the setup procedure we compiled). Let's say the IP address of the syslog server is 192.168.1.5
2. Configure Pix to send its logs to the 192.168.1.5 syslog server using these commands:
logging on
logging timestamp
logging console debugging
logging trap debugging
logging history debugging
logging host inside 192.168.1.5

"logging timestamp" is optional as Kiwi can add its own timestamp
   
Q13: How can I change the 50 messages limit that is used in the reports?
A: On the FireGen configuration interface, General tab, use the "messages per section" button
   
Q14: How to upgrade to FireGen 2.60 (or higher) from an older version?
A: Here are the steps that have to be performed in order to upgrade FireGen while keeping its settings:
1. Make a backup of the following files from the location of FireGen (usually C:\Program Files\FireGenPix2):
- dnsfgpix.cache
- fgpixMonitoredIPs.txt
- fgpixPatterns.txt
- fgpixProtocols.txt
2. Uninstall FireGen using Add/Remove Programs
3. Install the latest version of FireGen for Pix
4. Restore the files specified at 1. overwriting the existing ones
   
Q15: What is the role of the "Sample log" setting on the "Log profiles" tab?
A: The log configured as "sample log" in the profiles tab is used by FireGen to determine the location of the logs and the name convention used.

If the "Log file detection method" is set as "Based on file naming convention", FireGen will attempt to extrapolate the log name for the analysis interval. For example, if the sample log is named syslog-2005-07-01.log and the analysis interval is August 2, 2005, then FireGen should be able to determine that the log naming convention is syslog-yyyy-mm-dd.log and that the log it has to analyze is syslog-2005-08-02.log. If FireGen is not able to determine a pattern in the log file name, it will analyze the log set as "sample log" for that profile.

If the "Log file detection method" is set as "Based on log entry timestamp", FireGen will open all the files in the location of the sample log (and all subdirectories) and test them if: 1) they are the same type of log as the sample log and 2) the first or the last log entry is within the selected analysis interval. This method is useful if the log files do not have a certain naming convention.
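An added Python example (not FireGen's own code) of the behaviour described in Q8 and in the naming-convention method above: deriving the log name for a given day from the sample log's name, falling back to the sample log when no date pattern is found, and temporarily unpacking a .zip that stands in for the .log and deleting it afterwards. It assumes the profile's date format is yyyy-mm-dd, builds a constructed directory like the one in Q8, and uses hypothetical function names.

```python
import os, re, tempfile, zipfile
from contextlib import contextmanager
from datetime import date

# Assumed profile setting: log names use yyyy-mm-dd (FireGen cannot tell month from day alone).
DATE_RE, DATE_FMT = r"\d{4}-\d{2}-\d{2}", "%Y-%m-%d"

def derive_name_pattern(sample_name):
    """'syslog-2005-07-01.log' -> 'syslog-{date}.log'; None when the name holds no date."""
    pattern, hits = re.subn(DATE_RE, "{date}", sample_name, count=1)
    return pattern if hits == 1 else None

def locate_log(log_dir, sample_name, day_iso):
    """(path, is_zipped) for the log covering day_iso; no usable pattern -> the sample log (Q15)."""
    pattern = derive_name_pattern(sample_name)
    if pattern is None:
        return os.path.join(log_dir, sample_name), False
    plain = os.path.join(log_dir, pattern.replace("{date}", date.fromisoformat(day_iso).strftime(DATE_FMT)))
    if os.path.exists(plain):
        return plain, False
    zipped = os.path.splitext(plain)[0] + ".zip"   # Q8: only .zip archives are accepted
    return (zipped, True) if os.path.exists(zipped) else (None, False)

@contextmanager
def open_log(path, is_zipped):
    """Yield a readable .log path; a .zip is unpacked beside itself and deleted afterwards."""
    if not is_zipped:
        yield path
        return
    extracted = os.path.splitext(path)[0] + ".log"
    with zipfile.ZipFile(path) as zf, open(extracted, "wb") as dst:
        dst.write(zf.read(zf.namelist()[0]))
    try:
        yield extracted
    finally:
        os.remove(extracted)   # the temporary .log goes away once the analysis is done

def demo():
    """Constructed directory like the Q8 example (Aug 5, 2004); returns what was observed."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "syslog-2004-08-05.log"), "w") as f:   # the current log
        f.write("<166>Aug 05 2004 00:00:00 : %PIX-6-302014: Teardown TCP connection\n")
    with zipfile.ZipFile(os.path.join(d, "syslog-2004-08-03.zip"), "w") as zf:
        zf.writestr("syslog-2004-08-03.log", "<166>Aug 03 2004 00:00:00 : %PIX-6-302013: Built\n")
    current, _ = locate_log(d, "syslog-2004-05-05.log", "2004-08-05")
    zpath, is_zip = locate_log(d, "syslog-2004-05-05.log", "2004-08-03")
    with open_log(zpath, is_zip) as lp, open(lp) as f:
        first = f.readline().strip()
    left_behind = os.path.exists(os.path.splitext(zpath)[0] + ".log")
    return os.path.basename(current), is_zip, first, left_behind
```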
   
Q16: How can I configure FireGen so certain sections are not created?
A: Use the "Tools/Advanced settings/Hide sections" menu.
   
Q17: I scheduled a report on Windows 2003 but no reports are generated. What is the problem?
A: We found that in certain environments, the permissions inherited by the local system account do not allow the creation of COM objects. Typically, there is an entry in the Application event log (event id 0) saying that FireGen was not able to create the analysis COM object. To work around this problem, run the FireGen for Pix service with an account that is a member of the Domain Admins group. If this is not allowed due to internal security policies, try to use FireGenPix2CLI.exe with the MS Task Scheduler (see FAQ no. 6 above).
   
Q18: Is FireGen available for a Linux platform?
A: Currently, we do not have a Linux version of FireGen. We may develop one in the future but no work has been done yet towards it.
   
Q20: What is the recommended hardware for the computer running FireGen?
A: The hardware we recommend is a Pentium 4 2.8 GHz (or AMD equivalent) PC with at least 512 MB of RAM.
   
Q21: Can I specify different settings for each log profile?
A: Starting with version 2.831 it is possible to override almost any setting configurable via the GUI interface. See "Using a configuration file".
   
Q22: I am trying to install FireGen but I get the "The system cannot open the device or file specified." followed by "Internal Error 2755" error messages.
A: This is a Microsoft Windows Installer error. It may occur when the .msi file is located in an encrypted folder. Please verify the location of the FireGenPix2nnnn.msi file and move it to a different location if necessary.
   
Q23: How can I analyze Cisco router logs with FireGen for Pix Log Analyzer?
A: See this page that describes the setup process.
   
EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved