The following SEC (<a href="http://kodu.neti.ee/~risto/sec/">http://kodu.neti.ee/~risto/sec/</a>) configs appear to work to monitor VPN tunnels on PIX version 7.x. The first monitors for a specific line from a firewall; if pattern2 is not matched within 10 minutes, action1 occurs. If pattern2 is matched, action2 occurs. The second config does basically the same thing, only it's watching for tunnel creation. If the attempt (pattern1) occurs and pattern2 doesn't occur within a minute, it assumes that the attempt failed and the tunnel was not created. If the tunnel is successful (pattern2), then nothing happens.
<br><br>So far this is working; however, I get a lot of "IPSec SA Idle Timeouts". I think we have some devices that just don't talk all the time, so the tunnel comes down until they need it again. So, I'm not going to put this out with the other configs on BleedingSnort (
<a href="http://www.bleedingsnort.com/sec/">http://www.bleedingsnort.com/sec/</a>) just yet.<br><br>If I gather more info, I'll let you know.<br><br><pre>
type=PairWithWindow
ptype=RegExp
pattern=\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713050: Group = (\S+),.*$
desc=Tunnel down from $1 to $2
action=create vpn_$1; add vpn_$1 %t; add vpn_$1 $0; report vpn_$1 /bin/mail -s "%s" user@domain.com; delete vpn_$1
ptype2=RegExp
pattern2=($1)\s%(?:PIX|ASA)-5-713120:\sGroup\s=\s($2),.*$
desc2=Tunnel down/up ($1 to $2)
action2=create vpn_$1; add vpn_$1 %t; add vpn_$1 $0; report vpn_$1 /bin/mail -s "%s" user@domain.com; delete vpn_$1
window=600

type=PairWithWindow
ptype=RegExp
pattern=\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713041:\sIP\s=\s(\S+),.*$
desc=Tunnel attempt unsuccessful ($1 to $2)
action=create vpn2_$1; add vpn2_$1 %t; add vpn2_$1 $0; report vpn2_$1 /bin/mail -s "%s" user@domain.com; delete vpn2_$1
ptype2=RegExp
pattern2=($1)\s%(?:PIX|ASA)-3-713119:\sGroup\s=\s($2),.*PHASE\s1\sCOMPLETED
desc2=Tunnel creation successful ($1 to $2)
action2=none
window=60
</pre><br>Thanks,<br>Chris<br><br><br><div><span class="gmail_quote">On 8/11/06, <b class="gmail_sendername">Brian Loe</b> <<a href="mailto:knobdy@gmail.com">knobdy@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Anyone here have a complete list of VPN related syslog messages they'd<br>like to share?<br><br>I'm essentially wanting to monitor for site-to-site tunnels going down<br>so that I can alert on them, but having a hell of a time finding
<br>exactly what I want to look for on the Cisco site. Part of the problem<br>is that I won't have an example of such an event until it happens -<br>and I've only just now implemented a syslog server capable of<br>maintaining the logs.
<br><br>At any rate, if anyone here is monitoring for this as well and you're<br>willing to share...let me know!<br>_______________________________________________<br>syslog-ng maillist - <a href="mailto:syslog-ng@lists.balabit.hu">
syslog-ng@lists.balabit.hu</a><br><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>Frequently asked questions at <a href="http://www.campin.net/syslog-ng/faq.html">
http://www.campin.net/syslog-ng/faq.html</a><br><br></blockquote></div><br>
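<br>To make the correlation behaviour of the two rules in Chris's mail concrete, here is an added example that is not part of the original thread and not SEC's own code: a small Python re-implementation of SEC's PairWithWindow semantics, loaded with the two rules as posted and run over a handful of constructed PIX 7.x syslog lines. The hostname <code>fw01</code>, the peer addresses, the timestamps and the message bodies are constructed sample values; the rules keep the page's exact patterns, descriptions and windows. It shows all three outcomes: a tunnel that comes back within the 600 s window (action2), an IKE attempt that never reaches PHASE 1 COMPLETED within 60 s (action), and a tunnel that stays down past its window (action).<br>

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not from the mail or from SEC): PairWithWindow semantics in Python.
# fw01 and the 192.0.2.x / 198.51.100.x / 203.0.113.x peers are constructed values.


@dataclass(frozen=True)
class PairRule:
    name: str
    pattern: str          # first event; $1/$2 are its capture groups, as in the SEC rule
    pattern2: str         # second-event template; $1/$2 are filled from the first match
    desc: str             # fired (SEC 'action') if pattern2 does NOT arrive within window
    desc2: Optional[str]  # fired (SEC 'action2') if pattern2 arrives; None = action2=none
    window: int           # seconds


RULES = [
    PairRule("tunnel_down",
             r"\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713050: Group = (\S+),.*$",
             r"($1)\s%(?:PIX|ASA)-5-713120:\sGroup\s=\s($2),.*$",
             "Tunnel down from $1 to $2", "Tunnel down/up ($1 to $2)", 600),
    PairRule("tunnel_attempt",
             r"\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713041:\sIP\s=\s(\S+),.*$",
             r"($1)\s%(?:PIX|ASA)-3-713119:\sGroup\s=\s($2),.*PHASE\s1\sCOMPLETED",
             "Tunnel attempt unsuccessful ($1 to $2)", None, 60),
]


def fill(template: str, groups, escape: bool) -> str:
    """Replace $1, $2, ... with capture groups (regex-escaped when building pattern2)."""
    out = template
    for i, g in enumerate(groups, start=1):
        out = out.replace(f"${i}", re.escape(g) if escape else g)
    return out


def correlate(events, end_time, rules=RULES):
    """events: iterable of (seconds, syslog line) in time order; end_time: when to
    stop waiting. Returns [(seconds, alert)], timeouts stamped at window expiry."""
    alerts = []
    pending = []  # open pairs: {key, expires, pattern2, desc, desc2}

    def expire(now):
        for p in list(pending):
            if now >= p["expires"]:
                alerts.append((p["expires"], p["desc"]))
                pending.remove(p)

    for t, line in events:
        expire(t)
        # 1. Does this line close an open pair (its substituted pattern2)?
        closed = False
        for p in list(pending):
            m2 = re.search(p["pattern2"], line)
            if m2:
                if p["desc2"] is not None:
                    alerts.append((t, fill(p["desc2"], m2.groups(), escape=False)))
                pending.remove(p)
                closed = True
        if closed:
            continue
        # 2. Otherwise, does it open a new pair? One pair per substituted desc,
        #    as SEC keys on desc; repeats inside the window are ignored.
        for r in rules:
            m = re.search(r.pattern, line)
            if not m:
                continue
            key = (r.name, fill(r.desc, m.groups(), escape=False))
            if all(p["key"] != key for p in pending):
                pending.append({"key": key, "expires": t + r.window,
                                "pattern2": fill(r.pattern2, m.groups(), escape=True),
                                "desc": key[1], "desc2": r.desc2})
            break
    expire(end_time)
    return alerts


# Constructed sample stream: (seconds since start, syslog line).
SAMPLE_EVENTS = [
    (0, "Aug 11 10:00:00 fw01 %PIX-5-713041: IP = 192.0.2.10, IKE Initiator: New Phase 1, Intf outside, IKE Peer 192.0.2.10"),
    (5, "Aug 11 10:00:05 fw01 %PIX-3-713119: Group = 192.0.2.10, IP = 192.0.2.10, PHASE 1 COMPLETED"),
    (100, "Aug 11 10:01:40 fw01 %PIX-5-713050: Group = 192.0.2.10, IP = 192.0.2.10, Connection terminated for peer 192.0.2.10. Reason: Peer Terminate"),
    (160, "Aug 11 10:02:40 fw01 %PIX-5-713120: Group = 192.0.2.10, IP = 192.0.2.10, PHASE 2 COMPLETED (msgid=0d3a1f2c)"),
    (200, "Aug 11 10:03:20 fw01 %PIX-5-713041: IP = 198.51.100.7, IKE Initiator: New Phase 1, Intf outside, IKE Peer 198.51.100.7"),
    (300, "Aug 11 10:05:00 fw01 %PIX-5-713050: Group = 203.0.113.5, IP = 203.0.113.5, Connection terminated for peer 203.0.113.5. Reason: IKE SA Idle Timeout"),
]


def run_sample():
    return correlate(SAMPLE_EVENTS, end_time=1000)


if __name__ == "__main__":
    for when, text in run_sample():
        print(f"t={when:4d}s  {text}")
```

One deliberate difference from SEC: the $1/$2 values are regex-escaped before they are spliced into pattern2, so a peer address like 192.0.2.10 matches only itself rather than any ten characters; in the real rule file the substitution is literal, which is harmless here because the dots sit between the same digits on both lines. The "IKE SA Idle Timeout" line at t=300 is the kind of event Chris mentions flooding the mailbox: the rule reports it after 600 s exactly as it would any other 713050, so a site that only raises its tunnel on demand will alert on every idle period.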