EventId.Net - Firewalls

FIREGEN SUPPORTED LOG FORMATS

FireGen for PIX Log Analyzer currently supports several syslog server formats. In all of them the PIX message itself may additionally carry its own timestamp, if timestamping is configured on the firewall. While we recommend either the free Kiwi syslog or WinSyslog, we support the following formats:

1. WinSyslog
Specifics: Comma delimited
Format:
yyyy-mm-dd,hh:mm:ss,firewall_ip,winsyslog_field,severity,PIX_message
Example:
2002-04-07,20:15:24,172.18.10.1,20,3,%PIX-3-106011: Deny inbound (No xlate) tcp src outside:80.13.92.83/2052 dst outside:216.13.68.99/21

2. Kiwi syslog - format ISO - (Tab delimited)
Specifics: Tab delimited
Format:
yyyy-mm-dd hh:mm:ss facility.severity firewall_ip PIX_message
Example:
2003-01-12 13:54:24 Local4.Info 192.168.0.10 Jan 12 2003 13:50:50: %PIX-6-110001: No route to 10.10.100.3 from 192.168.0.10

3. Kiwi syslog - Comma delimited
Specifics: Comma delimited
Format:
yyyy-mm-dd,hh:mm:ss,facility.severity,firewall_ip,PIX_message
Example:
2003-01-12,13:54:24,Local4.Info,192.168.0.10,Jan 12 2003 13:50:50: %PIX-6-110001: No route to 10.10.100.3 from 192.168.0.10

4. Kiwi syslog - UTC time - (Tab delimited)
Specifics: Tab delimited
Format:
# yyyy-mm-dd hh:mm:ss facility.severity firewall_ip :mmm dd hh:mm:ss UTC: PIX_message
Example:
# 2003-12-05 16:07:17 Local4.Notice 192.168.1.1 :Dec 05 16:01:30 UTC: %PIX-5-111007: Begin configuration: 192.168.1.10 reading from http

5. 3COM Syslog or Unix System V
Specifics: Space delimited
Format:
mmm dd hh:mm:ss firewall_ip facility.severity PIX_message
Example:
Mar 17 15:52:38 192.168.1.30 local4.notice Mar 17 2004 16:26:40: %PIX-5-111007: Begin configuration: 192.168.1.10 reading from http

6. BSD Unix syslog, syslog-ng or Linux syslog format
Specifics: Space delimited
Format:
mmm dd hh:mm:ss firewall_ip PIX_message
Example:
Jan 12 14:06:59 192.168.0.10 Jan 12 2003 14:03:25: %PIX-6-110001: No route to 10.10.100.3 from 192.168.0.10

7. Cisco Pix PFSS (Pix Firewall Syslog Server)
Specifics: Starts with <number>
Format:
<166>mmm dd yyyy hh:mm:ss: PIX_message
Example:
<166>Jan 10 2003 20:38:42: %PIX-6-110001: No route to 10.10.100.3 from 192.168.0.10

8. Cisco Pix PFSS (Pix Firewall Syslog Server) - with host name
Format:
<166>mmm dd yyyy hh:mm:ss host_name : PIX_message
Example:
<166>May 29 2004 00:00:08 GBPIX : %PIX-6-305011: Built dynamic UDP translation from inside:192.168.8.3/123 to outside:216.81.143.98/464

9. SL4NT
Specifics: Comma delimited
Format:
mm/dd/yyyy,hh:mm:ss AM/PM,firewall_ip,???,facility,severity,PIX_message
Example:
3/24/2003,4:55:58 PM,10.1.1.254,???,LOCAL4,INFO,Feb 19 2082 21:58:00: %PIX-6-302005: Built UDP connection for faddr 207.155.184.72/28745 gaddr 206.155.114.33/53 laddr 192.168.50.24/53

10. Unix System V
Specifics: Tab delimited
Format:
mmm dd hh:mm:ss firewall_ip facility.severity PIX_message
Example:
Mar 17 15:52:38 192.168.1.30 local4.notice Mar 17 2004 16:26:40: %PIX-5-111007: Begin configuration: 192.168.1.10 reading from http
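The formats above differ only in the "envelope" the syslog server wraps around the PIX message; the message itself always ends in `%PIX-<severity>-<id>: <text>`. The parser below, an added example that is not FireGen's code, detects which envelope a line uses and splits out the server timestamp, the firewall address, the PIX device timestamp (when the firewall adds one), the severity, the message ID and the text. The format names, the regular expressions and the PixEvent fields are this example's own choices; the sample lines are the examples given above, with the Kiwi ISO line written with real tab characters.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Every supported format ends with the PIX message: %PIX-<severity>-<6-digit id>: <text>
PIX_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
MDAY = r"[A-Z][a-z]{2} {1,2}\d{1,2}"   # "Jan 12"; a single-digit day may be padded with two spaces
HMS = r"\d\d:\d\d:\d\d"
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# (format name, regex for the syslog-server envelope that precedes "%PIX-"), tried in this order.
# Tab-delimited formats are matched with [\t ] so lines whose tabs became spaces still parse.
ENVELOPES = [
    ("WinSyslog", re.compile(
        rf"^(?P<date>\d{{4}}-\d\d-\d\d),(?P<time>{HMS}),(?P<host>{IPV4}),\d+,\d,")),
    ("Kiwi comma", re.compile(
        rf"^(?P<date>\d{{4}}-\d\d-\d\d),(?P<time>{HMS}),(?P<facsev>\w+\.\w+),(?P<host>{IPV4}),")),
    ("Kiwi tab", re.compile(       # ISO and UTC variants; the UTC variant may start with "# "
        rf"^(?:#\s*)?(?P<date>\d{{4}}-\d\d-\d\d)[\t ](?P<time>{HMS})[\t ](?P<facsev>\w+\.\w+)[\t ](?P<host>{IPV4})[\t ]")),
    ("Unix System V", re.compile(  # also 3COM syslog; must be tried before the BSD pattern
        rf"^(?P<date>{MDAY}) (?P<time>{HMS})[\t ](?P<host>{IPV4})[\t ](?P<facsev>\w+\.\w+)[\t ]")),
    ("BSD syslog", re.compile(     # also syslog-ng and Linux syslog
        rf"^(?P<date>{MDAY}) (?P<time>{HMS}) (?P<host>{IPV4}) ")),
    ("PFSS host", re.compile(
        rf"^<\d+>(?P<date>{MDAY} \d{{4}}) (?P<time>{HMS}) (?P<host>\S+) : ")),
    ("PFSS", re.compile(
        rf"^<\d+>(?P<date>{MDAY} \d{{4}}) (?P<time>{HMS}): ")),
    ("SL4NT", re.compile(
        rf"^(?P<date>\d{{1,2}}/\d{{1,2}}/\d{{4}}),(?P<time>\d{{1,2}}:\d\d:\d\d [AP]M),(?P<host>{IPV4}),[^,]*,[^,]*,[^,]*,")),
]


@dataclass
class PixEvent:
    fmt: str                      # which envelope matched (names are this example's own)
    log_date: str                 # timestamp written by the syslog server
    log_time: str
    firewall: Optional[str]       # firewall IP or host name as recorded by the server; None for plain PFSS
    device_time: Optional[str]    # timestamp the PIX itself put in the message, if configured
    severity: int                 # taken from %PIX-<severity>-..., which every format carries
    severity_name: str
    msgid: str                    # e.g. "106011" for %PIX-3-106011
    text: str


def parse_pix_line(line: str) -> Optional[PixEvent]:
    """Parse one line in any of the supported formats; return None if it is not a PIX message."""
    line = line.rstrip("\r\n")
    pix = PIX_RE.search(line)
    if pix is None:
        return None                           # no %PIX-... message on this line
    envelope = line[:pix.start()]
    for fmt, rx in ENVELOPES:
        m = rx.match(envelope)
        if m:
            break
    else:
        return None                           # PIX message, but an envelope we do not recognise
    # Whatever sits between the envelope and "%PIX-" is the firewall's own timestamp (may be empty)
    device_time = envelope[m.end():].strip().strip(":").strip() or None
    sev = int(pix.group("sev"))
    return PixEvent(fmt=fmt, log_date=m.group("date"), log_time=m.group("time"),
                    firewall=m.groupdict().get("host"), device_time=device_time,
                    severity=sev, severity_name=SEVERITY_NAMES.get(sev, "unknown"),
                    msgid=pix.group("msgid"), text=pix.group("text"))


def parse_lines(lines: List[str]) -> List[PixEvent]:
    """Parse many lines, silently skipping anything that is not a PIX message."""
    return [ev for ev in map(parse_pix_line, lines) if ev is not None]


# The page's own example lines, one per format (Kiwi ISO with real tabs).
PAGE_EXAMPLES = [
    "2002-04-07,20:15:24,172.18.10.1,20,3,%PIX-3-106011: Deny inbound (No xlate) tcp src outside:80.13.92.83/2052 dst outside:216.13.68.99/21",
    "2003-01-12\t13:54:24\tLocal4.Info\t192.168.0.10\tJan 12 2003 13:50:50: %PIX-6-110001: No route to 10.10.100.3 from 192.168.0.10",
    "2003-01-12,13:54:24,Local4.Info,192.168.0.10,Jan 12 2003 13:50:50: %PIX-6-110001: No route to 10.10.100.3 from 192.168.0.10",
    "# 2003-12-05 16:07:17 Local4.Notice 192.168.1.1 :Dec 05 16:01:30 UTC: %PIX-5-111007: Begin configuration: 192.168.1.10 reading from http",
    "Mar 17 15:52:38 192.168.1.30 local4.notice Mar 17 2004 16:26:40: %PIX-5-111007: Begin configuration: 192.168.1.10 reading from http",
    "Jan 12 14:06:59 192.168.0.10 Jan 12 2003 14:03:25: %PIX-6-110001: No route to 10.10.100.3 from 192.168.0.10",
    "<166>Jan 10 2003 20:38:42: %PIX-6-110001: No route to 10.10.100.3 from 192.168.0.10",
    "<166>May 29 2004 00:00:08 GBPIX : %PIX-6-305011: Built dynamic UDP translation from inside:192.168.8.3/123 to outside:216.81.143.98/464",
    "3/24/2003,4:55:58 PM,10.1.1.254,???,LOCAL4,INFO,Feb 19 2082 21:58:00: %PIX-6-302005: Built UDP connection for faddr 207.155.184.72/28745 gaddr 206.155.114.33/53 laddr 192.168.50.24/53",
]

if __name__ == "__main__":
    for ev in parse_lines(PAGE_EXAMPLES):
        print(f"{ev.fmt:14} {ev.log_date} {ev.log_time} fw={ev.firewall} "
              f"pix_time={ev.device_time} {ev.severity_name} {ev.msgid}: {ev.text[:40]}")
```

Two points worth noting from the output. The severity used for reporting comes from the `%PIX-<severity>-` token rather than from the server's facility/severity column, because only the former is present in every format. The server timestamp and the firewall's own timestamp are kept as separate fields: the SL4NT example carries a device timestamp of 2082, so an analyzer that trusted the firewall clock would misplace that event by decades, and a large gap between the two fields is itself a useful health check on the firewall's clock.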

 
 

EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved