EventId.Net - Firewalls
FIREGEN FOR PIX FREQUENTLY ASKED QUESTIONS

Q: I receive an error message when I try to start the FireGen for Pix service. How can I fix it?

A: It is possible that the service did not install properly. From a command prompt, change the directory to the location of FireGen for Pix (typically, C:\Program Files\FireGenPix) and type the following command:

fgpixservice -install

This will install the service (to remove the service, type "fgpixservice -remove"). When installed this way, the service will have the Startup type set to "Manual" and the status will be "Stopped". You can start it from the Services applet or from the FireGen for Pix configuration interface.


Q: How can I change the number of displayed messages for various sections of the report?

A: In order to see more than 50 entries, please use the "Max. messages" option on the "General" tab. If you need a different number of entries for the various sections of the report, use the following registry entries:

MaxProtocols
MaxDestinations
MaxDestinationSourcePort
MaxSources
MaxProtocolInTraffic
MaxProtocolOutTraffic
MaxDenials
MaxDenyInbound
MaxDenialSources
MaxDenialDestinations

Create a "string" value with each of these names under the HKEY_LOCAL_MACHINE\SOFTWARE\AltairTech\FireGenPix registry key and assign it the value of your choice (for example, 100). You only need to create the values that you want to differ from the default set with "Max. messages". For example, to display the top 100 protocols and leave everything else at the default, create only the MaxProtocols registry value and set it to 100.


Q: When I run a report on demand, everything works fine, but when I schedule a report with the same settings, the reports arrive blank.

A: When running reports on demand, the file permissions used by FireGen are the ones that the current user has. For the scheduled reports, the permissions of the account set for the FireGen service are used. If, for example, the FireGen service is configured to use the "system" account (the default setting), this account will not be able to access logs or reports on remote computers, as the "system" account only has local rights. Verify that the account used by the service has at least read rights to the location of the logs and read/write rights to the locations configured for reports and for the working directory.

Q: All the reports I generate are blank, while the logs seem to contain relevant information for the selected period of time. I also get an error saying: "Analyze has returned code: 1 (invalid). Error: ".

A: If all the settings appear OK (logs location, selected date range), please verify that the account used to generate the reports has rights to the location configured as "Working directory" (via the "General" tab). By default this location is set to "C:\temp", and we found that on some computers the C:\temp directory does not exist.

Q: My log files are very large. What is the limit for FireGen?

A: We have had reports of successful analysis of logs as large as 500 MB. FireGen should not crash regardless of the size of the logs, but the larger the log is, the longer it will take to analyze. The performance of the computer doing the analysis is important as well (CPU and I/O system). We designed FireGen to have minimal impact on the amount of memory used. The analysis is done at "idle priority", so FireGen will not take CPU cycles from other programs.

One way to improve the analysis performance would be to select only certain severity levels (for example, only messages with a severity level higher than "Warning").

Q: Can I schedule FireGen to run more than once per day?
A: Using the configuration interface it is not currently possible to run such a schedule. However, the analysis engine is fully scriptable and it can be used to script the log analysis with custom schedules. Please email us for more details.

Q: I attempted to analyze a log, and while the report was generated properly, the log file was deleted.

A: A bug, fixed in version 1.38, caused this problem if the logs were located in a folder with spaces in its name. For example, C:\Program Files\SyslogD\Log Files would have triggered this problem.

Q: How does FireGen work with zipped log files?

A: The log file structure required for the analysis of zipped log files:
- all the log files have to be in the same directory
- the log sample specified for the log profile cannot be a zipped log (it only needs to contain one line in order for FireGen to be able to detect the format of the log)
- the only log file detection method supported is "Based on file naming convention"

Example:
1. All log files are saved under c:\Logs
2. Log file naming convention: syslog-yyyy-mm-dd.log
3. On a certain date, let's say August 5, 2004, the c:\Logs directory would contain:
- syslog-2004-08-05.log (the current log)
- syslog-2004-08-04.zip
- syslog-2004-08-03.zip
- syslog-2004-08-02.zip
- ….
- syslog-2004-05-05.log - the log specified as the sample in the "Log profiles" tab

4. FireGen will be able to analyze the firewall activity for August 3 by temporarily unzipping syslog-2004-08-03.zip to syslog-2004-08-03.log and removing syslog-2004-08-03.log once the analysis is done.
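The lookup-and-cleanup step described above, as an added Python example that is not FireGen's own code. It assumes the syslog-yyyy-mm-dd naming convention from the example and, unlike the product (which unzips in place), extracts the archived day into a private scratch directory so that cleanup can never remove an original .log, which is the failure mode the previous answer's bug describes; count_deny_lines and demo are constructed stand-ins.

```python
import tempfile
import zipfile
from datetime import date
from pathlib import Path

def locate_log(log_dir: Path, day: date):
    """Apply the FAQ naming convention syslog-yyyy-mm-dd.log: prefer the plain
    .log for `day`, fall back to the archived .zip of the same name."""
    stem = f"syslog-{day:%Y-%m-%d}"
    for suffix in (".log", ".zip"):
        if (log_dir / (stem + suffix)).is_file():
            return stem, suffix
    raise FileNotFoundError(f"no {stem}.log or {stem}.zip in {log_dir}")

def analyze_day(log_dir: Path, day: date, analyze) -> int:
    """Run analyze(path) on the log for `day`. A zipped day is extracted into a
    private scratch directory, so cleanup can only remove the copy we made:
    the .zip and every .log in log_dir are left untouched."""
    stem, suffix = locate_log(log_dir, day)
    if suffix == ".log":
        return analyze(log_dir / f"{stem}.log")
    with tempfile.TemporaryDirectory() as scratch:
        with zipfile.ZipFile(log_dir / f"{stem}.zip") as zf:
            zf.extract(f"{stem}.log", scratch)  # only the member we expect
        return analyze(Path(scratch) / f"{stem}.log")

def count_deny_lines(path: Path) -> int:
    """Stand-in analyzer (not FireGen's): count lines carrying a Deny message."""
    with path.open(encoding="utf-8", errors="replace") as fh:
        return sum(1 for line in fh if "Deny" in line)

def demo() -> dict:
    """Rebuild the FAQ's c:\\Logs layout with constructed content, in a folder
    whose name contains a space, analyze Aug 3 (zipped) and Aug 5 (plain), and
    report whether every original file survived."""
    with tempfile.TemporaryDirectory() as root:
        log_dir = Path(root) / "Log Files"
        log_dir.mkdir()
        (log_dir / "syslog-2004-08-05.log").write_text("Deny tcp\nBuilt tcp\n")
        (log_dir / "syslog-2004-05-05.log").write_text("Built udp\n")  # sample
        for d in (2, 3, 4):
            with zipfile.ZipFile(log_dir / f"syslog-2004-08-0{d}.zip", "w") as zf:
                zf.writestr(f"syslog-2004-08-0{d}.log", "Deny udp\nBuilt tcp\nDeny tcp\n")
        before = sorted(p.name for p in log_dir.iterdir())
        aug3 = analyze_day(log_dir, date(2004, 8, 3), count_deny_lines)
        aug5 = analyze_day(log_dir, date(2004, 8, 5), count_deny_lines)
        after = sorted(p.name for p in log_dir.iterdir())
    return {"aug3": aug3, "aug5": aug5, "intact": before == after, "files": len(after)}
```

Running demo() analyzes the zipped August 3 log and the plain August 5 log and confirms that all five original files are still present afterwards.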

Legal - EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved