
NAME

       pix2dlf - convert PIX logs to the firewall DLF format

SYNOPSIS

       pix2dlf

DESCRIPTION

       This script expects syslog-type logs from a Cisco PIX firewall on
       stdin.  Messages with severity level informational (6) and up should be
       logged.  These look like e.g.:

        Jan 15 12:58:37 pix1 %PIX-4-106543: Deny tcp src outside:1.2.3.4/1234 dst inside:2.3.4.5/80 by access-group "foo"
        Jan 16 10:37:09 pix1 %PIX-4-106543: Deny udp src outside:3.4.5.6/137 dst inside:4.5.6.7/137 by access-group "foo"
        Jan 17 08:43:46 pix1 %PIX-4-106543: Deny icmp src outside:5.6.7.8 dst inside:6.7.8.9 (type 8, code 0) by access-group "foo"
        Jan 24 00:07:39 pix1 %PIX-6-302000: Teardown TCP connection 178359 faddr 7.8.9.10/102 gaddr 8.9.10.11/21652 laddr 9.10.11.12/4107 duration 0:00:01 bytes 755 (TCP FINs)
        Jan 24 00:07:45 pix1 %PIX-6-302000: Teardown UDP connection for faddr 10.11.12.13/711 gaddr 11.12.13.14/1259 laddr 12.13.14.15/1259

       That is

        syslog_time_stamp log_host %PIX-Level-Message_number: Message_text

       See also
       http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemint.htm#xtocid11

       It will output DLF records in the Lire firewall DLF format on STDOUT.

       For now, only messages

       %PIX-2-106001 %PIX-2-106002 %PIX-2-106006 %PIX-2-106007 %PIX-3-106010
       %PIX-3-106014 %PIX-6-106015 %PIX-1-106021 %PIX-4-106023 %PIX-6-302002
       %PIX-6-302006 %PIX-6-302014 %PIX-6-302016

       are used.  Note that severity level 1 is ‘alert’ and 6 is
       ‘informational’ (0 is ‘emergency’, 7 is ‘debugging’).
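       As an added illustration (not code from Lire or the pix2dlf script
       itself), the following Python snippet splits lines of the shape shown
       above into timestamp, host, level, message number and text, pulls the
       protocol, source, destination and access-group out of Deny messages,
       and drops debugging (7) messages.  The regular expressions and the
       sample lines are constructed from the format above and are my
       assumptions, not the script’s own parser.

```python
import re
from typing import Optional

# Standard syslog severities; the PIX "Level" field uses these numbers.
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notice", 6: "informational", 7: "debugging"}

# syslog_time_stamp log_host %PIX-Level-Message_number: Message_text
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%PIX-(?P<level>\d)-(?P<msgid>\d+): (?P<text>.*)$")

# Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>]
#      [(type N, code M)] by access-group "<acl>"   (assumed shape)
DENY_RE = re.compile(
    r'^Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?'
    r'(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))? by access-group "(?P<acl>[^"]*)"')

def parse_pix_line(line: str) -> Optional[dict]:
    """Split one PIX syslog line into header fields; None if it is not a PIX message."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    rec["severity"] = SEVERITY[rec["level"]]
    d = DENY_RE.match(rec["text"])   # Deny messages carry the firewall tuple
    if d:
        rec.update({k: v for k, v in d.groupdict().items() if v is not None})
    return rec

def parse_log(lines):
    """Parse lines, skipping non-PIX lines and debugging (level 7) messages."""
    out = []
    for line in lines:
        rec = parse_pix_line(line)
        if rec and rec["level"] <= 6:
            out.append(rec)
    return out

# Constructed sample input modelled on the lines in DESCRIPTION; the last
# two lines are made-up noise to exercise the filtering.
SAMPLE = """\
Jan 15 12:58:37 pix1 %PIX-4-106543: Deny tcp src outside:1.2.3.4/1234 dst inside:2.3.4.5/80 by access-group "foo"
Jan 17 08:43:46 pix1 %PIX-4-106543: Deny icmp src outside:5.6.7.8 dst inside:6.7.8.9 (type 8, code 0) by access-group "foo"
Jan 24 00:07:39 pix1 %PIX-6-302000: Teardown TCP connection 178359 faddr 7.8.9.10/102 gaddr 8.9.10.11/21652 laddr 9.10.11.12/4107 duration 0:00:01 bytes 755 (TCP FINs)
Jan 24 00:07:50 pix1 %PIX-7-999999: constructed debugging message, should be skipped
not a pix line at all
""".splitlines()

if __name__ == "__main__":
    for r in parse_log(SAMPLE):
        print(r["msgid"], r["severity"], r.get("proto", "-"), r.get("src_ip", "-"), r.get("dst_ip", "-"))
```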

EXAMPLES

       To process a log as produced by a Cisco PIX:

        $ pix2dlf < pix.log

       pix2dlf will be rarely used on its own, but is more likely called by
       lr_log2report:

        $ lr_log2report pix < /var/log/pix.log

BUGS

       This script hasn’t yet been tested with a very wide range of log files,
       and therefore is not mature yet.

       Studying the Cisco documentation for any changes in the log file
       format, e.g.  between PIX Firewall Version 4.0 and 6.2, has not been
       done yet.

       We probably do not fully support any of the PIX products.  We’ve found
       documentation for log files for PIX versions 4.3, 4.4, 5.0, 5.1, 5.2,
       5.3, 6.0, 6.1 and 6.2, but haven’t yet implemented all the
       peculiarities found in these docs.  This script strives to support PIX
       6.2 in the most common cases.

       When hacking on this script, beware that log syntax has changed during
       PIX development.  Furthermore, note that some rudimentary state is
       represented in PIX logs.  This state is not used yet in this script.

SEE ALSO

       "Cisco PIX Firewall System Log Messages"

       http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm

VERSION

       $Id: pix2dlf.in,v 1.25 2006/07/23 13:16:35 vanbaal Exp $

COPYRIGHT

       Copyright (C) 2002 Stichting LogReport Foundation
       <logreport@logreport.org>

       This file is part of Lire.

       Lire is free software; you can redistribute it and/or modify it under
       the terms of the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program (see COPYING); if not, check with
       http://www.gnu.org/copyleft/gpl.html.

THANKS

       Roberto dal Zilio and Ketil Adolfsen, for supplying PIX logs for
       debugging.  Anthony (acquant) for fixing bugs.

AUTHOR

       Initial version by Wessel Dankers <wsl@logreport.org>, based upon
       Lire’s cisco_acl2dlf script.  Lots of later changes by Joost van Baal
       <joostvb@logreport.org>.