EventId.Net - Firewalls
ANALYZING CISCO ROUTER LOGS WITH FIREGEN

This page provides instructions on how to set up FireGen for Pix in order to analyze Cisco router logs (requires FireGen analysis engine 2.811 or higher; use the Help/About... menu option to determine the installed version):

Starting with version 2.811 you can set the "Firewall type" setting of a log host profile to "Router".

When this is set, FireGen reads the router logs and converts them to Pix format before passing them through the Pix analysis engine. Router logs carry no information about where an IP address sits relative to the network, so to tell internal addresses from external ones you have to update a file called fgpixRouterInternalIPs.txt (located in the directory where FireGen is installed).

The file should list the internal address prefixes, one per line, in this format:

192.168.
10.
172.16.
....

If the file does not exist, FireGen treats all RFC 1918 addresses (private IP addresses such as 192.168.0.0, 10.0.0.0 or 172.16.0.0 - 172.32.0.0) as internal.
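As an added example (not part of the original page and not FireGen's own code, whose conversion logic is not shown here), the following Python reproduces the internal/external decision just described: it reads prefixes in the fgpixRouterInternalIPs.txt format, falls back to the RFC 1918 ranges when the file is absent, and uses the result to tag ACL log messages with a traffic direction. The sample syslog lines, the hypothetical `classify` and `analyze` helpers, and the placeholder file path are all constructed for illustration.

```python
import ipaddress
import re
from pathlib import Path

# Fallback used when no fgpixRouterInternalIPs.txt exists: the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IOS ACL log messages, e.g.
#   %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4444) -> 192.168.1.10(22), 1 packet
#   %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.77 -> 192.168.1.1 (8/0), 1 packet
# Ports are optional (absent for ICMP/other protocols); ICMP type/code may follow the destination.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|NP|P): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \([^)]*\))?, (?P<count>\d+) packets?"
)

# Constructed sample log (not from a real device); the last line is not an ACL message.
SAMPLE_LOG = """\
Aug  1 10:15:02 router1 1234: *Aug  1 10:15:01.877: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4444) -> 192.168.1.10(22), 1 packet
Aug  1 10:15:09 router1 1235: *Aug  1 10:15:08.101: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.0.0.7(51322) -> 198.51.100.9(53), 3 packets
Aug  1 10:16:44 router1 1236: *Aug  1 10:16:43.530: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.77 -> 192.168.1.1 (8/0), 1 packet
Aug  1 10:17:00 router1 1237: *Aug  1 10:16:59.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
"""


def load_internal_prefixes(path):
    """Read dotted prefixes ("192.168.", "10.") one per line.

    Returns None when the file does not exist, which selects the RFC 1918 fallback.
    """
    p = Path(path)
    if not p.is_file():
        return None
    prefixes = []
    for raw in p.read_text().splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            prefixes.append(line)
    return prefixes


def is_internal(ip, prefixes):
    """Prefix match against the file contents, or RFC 1918 membership if no file."""
    if prefixes is None:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in RFC1918)
    # The trailing dot in entries like "172.16." keeps "172.160.x.x" from matching.
    return any(ip.startswith(pfx) for pfx in prefixes)


def classify(line, prefixes):
    """Parse one ACL log line and label its direction; None for non-ACL messages."""
    m = ACL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    src_int = is_internal(rec["src"], prefixes)
    dst_int = is_internal(rec["dst"], prefixes)
    if src_int and not dst_int:
        rec["direction"] = "outbound"
    elif dst_int and not src_int:
        rec["direction"] = "inbound"
    elif src_int and dst_int:
        rec["direction"] = "internal"
    else:
        rec["direction"] = "external"
    return rec


def analyze(log_text, prefixes):
    """Classify every ACL message in a log; other messages are skipped."""
    return [r for r in (classify(l, prefixes) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    # Placeholder path; FireGen reads the file from its own install directory.
    prefixes = load_internal_prefixes("fgpixRouterInternalIPs.txt")
    for rec in analyze(SAMPLE_LOG, prefixes):
        print(f'{rec["direction"]:8} {rec["action"]:9} {rec["proto"]:5} '
              f'{rec["src"]} -> {rec["dst"]} (acl {rec["acl"]}, {rec["count"]} pkt)')
```

Run from a directory without the prefix file to see the RFC 1918 fallback in action; drop a file containing `10.` and `192.168.` next to the script to see the prefix path, under which 172.16.x.x addresses are no longer treated as internal. A denied, inbound record is the one most analysts want surfaced first.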
 

As of August 1st, 2007, the analysis module has processing rules for the following router messages:

3-770001 => LINK-3-UPDOWN
6-770002 => DIALER-6-BIND
6-770003 => DIALER-6-UNBIND
6-770004 => ISDN-6-CONNECT
6-770005 => ISDN-6-DISCONNECT
6-770006 => SEC-6-IPACCESSLOGP
5-770007 => LINEPROTO-5-UPDOWN
6-770008 => SEC-6-IPACCESSLOGDP
6-770009 => SEC-6-IPACCESSLOGRL
3-770010 => FW-3-RESPONDER_WND_SCALE_INI_NO_SCALE
3-770011 => FW-3-SMTP_INVALID_COMMAND
6-770012 => FW-6-SESS_AUDIT_TRAIL
5-770013 => SYS-5-CONFIG_I
5-770014 => LINK-5-CHANGED
5-770015 => SYS-5-PRIV_AUTH_PASS
6-770016 => FW-6-SESS_AUDIT_TRAIL_START
6-770017 => FW-6-DROP_PKT
5-770018 => SYS-5-RESTART
5-770019 => SNMP-5-COLDSTART
6-770020 => FW-6-INIT
6-770021 => CRYPTO-6-ISAKMP_ON_OFF
6-770022 => SEC-6-IPACCESSLOGNP
4-770023 => CRYPTO-4-RECVD_PKT_NOT_IPSEC
6-770024 => SYS-6-LOGGINGHOST_STARTSTOP
3-770025 => CRYPTO-3-QUERY_KEY
4-770026 => CRYPTO-4-IKMP_BAD_MESSAGE
4-770027 => VPN_HW-4-PACKET_ERROR
3-770028 => FW-3-HTTP_JAVA_BLOCK

Legal - EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved