From Splunk Wiki
The information on this page is specific to the Cisco PIX. If you are interested in the Cisco ASA or the Cisco Firewall Service Manager, check their specific pages, although most of the information on this page is still valid for them.
Configure your PIX to send UDP syslog to a Splunk instance listening for syslog on port 514.
Commands to configure this:
logging host #.#.#.#
logging timestamp
In addition, you can set the facility that is used for the syslog message:
logging facility X
To exclude specific messages, you can use the following command on your PIX:
no logging message 111005
Syslog has some limitations.
Depending on your use case, you need to adapt your configuration to decide exactly which messages to log. Refer to the firewall logging recommendations for generic information about firewall logging.
| Severity | Description | Command |
|---|---|---|
| Alert | These messages indicate that action has been taken by the security appliance to resolve a problem or that action needs to be taken by the administrator because of an interface failure, unit standby failure, or bad cables. An administrator should always follow up on an alert message. | logging trap alert |
| Critical | These messages indicate that traffic has been blocked or dropped, that spoofed traffic has been detected, or that flags are invalid in traffic. An administrator should usually follow up on critical messages. | logging trap critical |
| Error | These error messages are specific to security appliance resources such as xlate failures and translation slot failures. An administrator should always follow up on error messages. | logging trap error |
| Warning | These messages are generally warnings about connection problems. Many of these problems might be cleared up by the protocols on either end, but an administrator might have to follow up on these warning messages. | logging trap warning |
| Notification | These messages are a mix of notifications of what a security appliance logged-in user is doing on the machine and some messages about Java and ActiveX blocking. An administrator should look at these messages to ensure that unauthorized changes are not being made to the security appliance. | logging trap notification |
| Informational | These messages describe connections being built and torn down through the security appliance. In most cases, these messages don't need to be audited by an administrator unless users report that they are having problems with specific connections or services. | logging trap informational |
| Debugging | These messages are mostly related to IPSec. An administrator uses these messages when bringing up an IPSec tunnel for the first time. For the other debug messages, refer to the Security Appliance technical documentation on the Cisco website. | logging trap debugging |
The following is a list of recommended messages to log (use the `logging message` form of the command shown above to enable each of them):
* PIX-1-106100 Generated for every permit or deny flow passing through the PIX firewall v7.x and later
* PIX-2-106100
* PIX-3-313001
* PIX-3-710003
* PIX-4-106023
* PIX-6-106015
* PIX-6-302013
* PIX-6-302015
* PIX-7-710002
* PIX-7-710005
If you have the PIX IDS module installed in your PIX, the following are the messages you are interested in:
* PIX-4-400008
* PIX-4-400010
* PIX-4-400011
* PIX-4-400014
* PIX-4-400015
* PIX-4-400023
* PIX-4-400028
If you are interested in additional messages about the traffic passing through your firewall, turn the following messages on as well:
* PIX-3-403503 Link down
* PIX-4-402106 Received a packet that is not an IPSec packet
* PIX-4-411001 Line protocol change
* PIX-5-111001
* PIX-5-111004
* PIX-5-111005
* PIX-5-111007
* PIX-5-111008
* PIX-5-199001
* PIX-5-501101
* PIX-5-502101
* PIX-5-502103
* PIX-5-611103
* PIX-6-109005
* PIX-6-109006
* PIX-6-110001
* PIX-6-199002
* PIX-6-308001
* PIX-6-315011
* PIX-6-603108
* PIX-6-603109
* PIX-6-605004
* PIX-6-605005
* PIX-6-611101
* PIX-6-611102
* PIX-7-111009
* PIX-7-710001
We recommend excluding the following messages (use `no logging message`, as shown above):
* PIX-6-302010
* PIX-6-302014
* PIX-6-302016
* PIX-6-305011
* PIX-6-305012
* PIX-6-609001
* PIX-6-609002
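The severity table and the message-ID lists above are easier to apply once they are turned into something that runs against real syslog traffic. The following added example (not from the Splunk wiki or from Cisco) parses the `%PIX-<severity>-<id>:` tag out of syslog lines as a PIX sends them, names the severity per the table, classifies each message ID against the recommended, IDS-module, additional and excluded lists, and renders those lists as the `logging message` / `no logging message` CLI lines. The sample lines are constructed for the example; the PIX CLI form `logging message <id>` (the positive counterpart of the `no logging message` command shown above) is the only assumption beyond what the page states.

```python
import re
from typing import Optional

# PIX syslog severity levels. The page's table starts at 1; level 0
# (emergencies) is included so the parser never returns an unknown name.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alert", 2: "critical", 3: "error", 4: "warning",
    5: "notification", 6: "informational", 7: "debugging",
}

# Message IDs taken from the page's lists (severity digits dropped: the PIX
# identifies a message by its six-digit ID, and 106100 appears at two levels).
RECOMMENDED = {"106100", "313001", "710003", "106023", "106015",
               "302013", "302015", "710002", "710005"}
IDS_MODULE = {"400008", "400010", "400011", "400014", "400015", "400023", "400028"}
ADDITIONAL = {"403503", "402106", "411001", "111001", "111004", "111005", "111007",
              "111008", "199001", "501101", "502101", "502103", "611103", "109005",
              "109006", "110001", "199002", "308001", "315011", "603108", "603109",
              "605004", "605005", "611101", "611102", "111009", "710001"}
EXCLUDED = {"302010", "302014", "302016", "305011", "305012", "609001", "609002"}

# The PIX tag as it appears in the syslog payload, whether or not a <PRI>
# prefix and the date added by "logging timestamp" precede it.
PIX_TAG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.*)$")


def parse_pix_line(line: str) -> Optional[dict]:
    """Return severity, message ID and body for one PIX syslog line, or None
    when the line carries no PIX tag (for example a line from another host)."""
    m = PIX_TAG.search(line)
    if m is None:
        return None
    sev = int(m.group("sev"))
    return {
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "message_id": m.group("msgid"),
        "body": m.group("body"),
    }


def classify(message_id: str) -> str:
    """Map a message ID onto the page's lists."""
    if message_id in EXCLUDED:
        return "excluded"
    if message_id in RECOMMENDED:
        return "recommended"
    if message_id in IDS_MODULE:
        return "ids"
    if message_id in ADDITIONAL:
        return "additional"
    return "unlisted"


def logging_commands(ids_module: bool = False, additional: bool = False) -> list:
    """Render the lists as PIX CLI lines: 'logging message <id>' enables a
    message (assumed positive form), 'no logging message <id>' disables it."""
    enable = set(RECOMMENDED)
    if ids_module:
        enable |= IDS_MODULE
    if additional:
        enable |= ADDITIONAL
    cmds = [f"logging message {mid}" for mid in sorted(enable)]
    cmds += [f"no logging message {mid}" for mid in sorted(EXCLUDED)]
    return cmds


def summarize(lines) -> dict:
    """Count lines per classification; lines without a PIX tag count as 'not_pix'."""
    counts = {}
    for line in lines:
        rec = parse_pix_line(line)
        key = "not_pix" if rec is None else classify(rec["message_id"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines in the shape a PIX sends over UDP (not real output);
# <166> is facility local4 with severity 6, <164> severity 4, <165> severity 5.
SAMPLE_LINES = [
    "<166>Jan 12 2009 10:00:01: %PIX-6-302013: Built inbound TCP connection 42 for outside:192.0.2.10/40001 (192.0.2.10/40001) to inside:10.1.1.5/80 (10.1.1.5/80)",
    "<166>Jan 12 2009 10:00:02: %PIX-6-302014: Teardown TCP connection 42 for outside:192.0.2.10/40001 to inside:10.1.1.5/80 duration 0:00:01 bytes 512 TCP FINs",
    "<164>Jan 12 2009 10:00:03: %PIX-4-106023: Deny tcp src outside:198.51.100.7/55555 dst inside:10.1.1.5/23 by access-group \"outside_in\"",
    "<165>Jan 12 2009 10:00:04: %PIX-5-111008: User 'enable_15' executed the 'logging host inside 10.1.1.20' command.",
    "Jan 12 2009 10:00:05: kernel: not a PIX message",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_pix_line(line)
        if rec:
            print(rec["message_id"], rec["severity_name"], classify(rec["message_id"]))
    print(summarize(SAMPLE_LINES))
    print("\n".join(logging_commands()))
```

Running the summary over a day of real syslog before changing the firewall shows how much volume the excluded IDs (the connection teardown and xlate messages) actually contribute, which is the usual reason to apply the exclusion list.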
TODO: map the above messages back to use cases.
Once your data is fed into Splunk, you should download the PIX Application, which defines field extractions for the most common PIX messages. If you want to set up your own field extractions, make sure you follow the Common Information Model when naming the fields. You can also find more information about field extractions in the Splunk documentation.
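As an illustration of what a Common Information Model field extraction looks like for the PIX messages recommended above, the following added example (not the PIX Application's code and not from the Splunk wiki) extracts CIM Network Traffic field names (`action`, `src`, `src_port`, `dest`, `dest_port`, `transport`, `src_interface`, `dest_interface`, `rule`, `direction`, `session_id`) from 106100 access-list messages and from 302013/302015 connection-built messages, then builds the simplest firewall report, blocked flows per source address. The sample lines are constructed; mapping the PIX words "permitted"/"denied" onto the CIM values "allowed"/"blocked" is the example's own choice.

```python
import re
from typing import Optional

# Regexes for the two message families the page recommends logging.
# Group names follow the Splunk Common Information Model (Network Traffic).
MSG_106100 = re.compile(
    r"%PIX-\d-106100: access-list (?P<rule>\S+) (?P<verb>permitted|denied) "
    r"(?P<transport>\S+) (?P<src_interface>[^/\s]+)/(?P<src>[^(\s]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dest_interface>[^/\s]+)/(?P<dest>[^(\s]+)\((?P<dest_port>\d+)\) hit-cnt (?P<hit_cnt>\d+)"
)
MSG_BUILT = re.compile(
    r"%PIX-\d-30201[35]: Built (?P<direction>inbound|outbound) (?P<transport>TCP|UDP) "
    r"connection (?P<session_id>\d+) for (?P<src_interface>[^:\s]+):(?P<src>[^/\s]+)/(?P<src_port>\d+) "
    r"\([^)]*\) to (?P<dest_interface>[^:\s]+):(?P<dest>[^/\s]+)/(?P<dest_port>\d+)"
)

# CIM uses "allowed"/"blocked" for the action field; the PIX wording is mapped
# onto those values here (this mapping is the example's own choice).
ACTION_MAP = {"permitted": "allowed", "denied": "blocked"}


def extract_cim_fields(line: str) -> Optional[dict]:
    """Extract CIM-named fields from a 106100 or 302013/302015 line; None otherwise."""
    m = MSG_106100.search(line)
    if m:
        d = m.groupdict()
        return {
            "action": ACTION_MAP[d["verb"]],
            "rule": d["rule"],
            "transport": d["transport"].lower(),
            "src": d["src"], "src_port": int(d["src_port"]), "src_interface": d["src_interface"],
            "dest": d["dest"], "dest_port": int(d["dest_port"]), "dest_interface": d["dest_interface"],
            "hit_count": int(d["hit_cnt"]),  # not a CIM field, kept for the report
        }
    m = MSG_BUILT.search(line)
    if m:
        d = m.groupdict()
        return {
            "action": "allowed",  # a built connection has already passed the policy
            "direction": d["direction"],
            "session_id": d["session_id"],
            "transport": d["transport"].lower(),
            "src": d["src"], "src_port": int(d["src_port"]), "src_interface": d["src_interface"],
            "dest": d["dest"], "dest_port": int(d["dest_port"]), "dest_interface": d["dest_interface"],
        }
    return None


def blocked_by_source(lines) -> dict:
    """Count blocked flows per source address, the basic summary a firewall report needs."""
    counts = {}
    for line in lines:
        fields = extract_cim_fields(line)
        if fields and fields["action"] == "blocked":
            counts[fields["src"]] = counts.get(fields["src"], 0) + 1
    return counts


# Constructed sample lines (not real firewall output) with the timestamp that
# "logging timestamp" adds; addresses are from documentation ranges.
SAMPLE_LINES = [
    "Jan 12 2009 10:00:01: %PIX-6-106100: access-list outside_in permitted tcp outside/203.0.113.9(51515) -> inside/10.1.1.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Jan 12 2009 10:00:02: %PIX-6-106100: access-list outside_in denied udp outside/198.51.100.7(5000) -> inside/10.1.1.5(161) hit-cnt 3 300-second interval [0x5e6f7a8b, 0x0]",
    "Jan 12 2009 10:00:03: %PIX-6-106100: access-list outside_in denied tcp outside/198.51.100.7(5001) -> inside/10.1.1.5(23) hit-cnt 1 first hit [0x5e6f7a8c, 0x0]",
    "Jan 12 2009 10:00:04: %PIX-6-302013: Built inbound TCP connection 42 for outside:192.0.2.10/40001 (192.0.2.10/40001) to inside:10.1.1.5/80 (10.1.1.5/80)",
    "Jan 12 2009 10:00:05: %PIX-6-302010: 2 in use, 5 most used",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_cim_fields(line))
    print(blocked_by_source(SAMPLE_LINES))
```

Naming the groups with CIM field names from the start is what lets the common firewall reports run unchanged against PIX data once the same regex is used as the extraction in Splunk.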
For firewalls, there is a set of common firewall reports that you should try for generic firewall reporting.
These are some PIX-specific reports that you might be interested in:
- summary indexing