The following SEC (http://kodu.neti.ee/~risto/sec/) configs appear to work to monitor VPN tunnels on PIX version 7.x. The first monitors for a specific line from a firewall; if pattern2 is not matched within 10 minutes, action1 occurs. If pattern2 is matched, action2 occurs. The second config does basically the same thing, only it's watching for tunnel creation. If the attempt (pattern1) occurs and pattern2 doesn't occur within a minute, it assumes that the attempt failed and the tunnel was not created. If the tunnel is successful (pattern2), then nothing happens.

So far this is working; however, I get a lot of "IPSec SA Idle Timeouts". I think we have some devices that just don't talk all the time, so the tunnel comes down until they need it again. So, I'm not going to put this out with the other configs on BleedingSnort (http://www.bleedingsnort.com/sec/) just yet. If I gather more info, I'll let you know.

type=PairWithWindow
ptype=RegExp
pattern=\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713050: Group = (\S+),.*$
desc=Tunnel down from $1 to $2
action=create vpn_$1; add vpn_$1 %t; add vpn_$1 $0; report vpn_$1 /bin/mail -s "%s" user@domain.com; delete vpn_$1
ptype2=RegExp
pattern2=($1)\s%(?:PIX|ASA)-5-713120:\sGroup\s=\s($2),.*$
desc2=Tunnel down/up ($1 to $2)
action2=create vpn_$1; add vpn_$1 %t; add vpn_$1 $0; report vpn_$1 /bin/mail -s "%s" user@domain.com; delete vpn_$1
window=600

type=PairWithWindow
ptype=RegExp
pattern=\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713041:\sIP\s=\s(\S+),.*$
desc=Tunnel attempt unsuccessful ($1 to $2)
action=create vpn2_$1; add vpn2_$1 %t; add vpn2_$1 $0; report vpn2_$1 /bin/mail -s "%s" user@domain.com; delete vpn2_$1
ptype2=RegExp
pattern2=($1)\s%(?:PIX|ASA)-3-713119:\sGroup\s=\s($2),.*PHASE\s1\sCOMPLETED
desc2=Tunnel creation successful ($1 to $2)
action2=none
window=60

Thanks,
Chris

On 8/11/06, Brian Loe <knobdy@gmail.com> wrote:
Anyone here have a complete list of VPN related syslog messages they'd like to share?
I'm essentially wanting to monitor for site-to-site tunnels going down so that I can alert on them, but having a hell of a time finding exactly what I want to look for on the Cisco site. Part of the problem is that I won't have an example of such an event until it happens - and I've only just now implemented a syslog server capable of maintaining the logs.
At any rate, if anyone here is monitoring for this as well and you're willing to share... let me know!

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
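To see how Chris's two PairWithWindow rules behave before pointing them at a live firewall, here is an added Python model of SEC's correlation logic that replays the rules' own regexes over sample syslog lines. This is example code written for this thread; it is not SEC's code and not part of either post. It assumes constructed PIX-style log lines (the exact message text is approximated), a firewall hostname of fw01, that the /bin/mail actions are replaced by in-memory Alert objects, and that for site-to-site tunnels the tunnel group is named after the peer IP (which is why the "IP =" capture from 713041 can be paired with "Group =" in 713119). The suppress_idle_timeout option is an addition, not part of the original config.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed PIX 7.x-style syslog lines (approximate format, not real captures);
# each entry is (seconds since start, raw line). fw01 is an assumed hostname.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (0, "Aug 11 10:00:00 fw01 %PIX-5-713041: IP = 198.51.100.7, IKE Initiator: New Phase 1, Intf outside, IKE Peer 198.51.100.7"),
    (5, "Aug 11 10:00:05 fw01 %PIX-3-713119: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 1 COMPLETED"),
    (10, "Aug 11 10:00:10 fw01 %PIX-5-713050: Group = 198.51.100.7, IP = 198.51.100.7, Connection terminated for peer 198.51.100.7. Reason: IPSec SA Idle Timeout Remote Proxy 10.1.0.0, Local Proxy 10.0.0.0"),
    (100, "Aug 11 10:01:40 fw01 %PIX-5-713120: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=0x1a2b3c)"),
    (200, "Aug 11 10:03:20 fw01 %PIX-5-713041: IP = 203.0.113.9, IKE Initiator: New Phase 1, Intf outside, IKE Peer 203.0.113.9"),
    (300, "Aug 11 10:05:00 fw01 %PIX-5-713050: Group = 203.0.113.9, IP = 203.0.113.9, Connection terminated for peer 203.0.113.9. Reason: Peer Terminate Remote Proxy 10.2.0.0, Local Proxy 10.0.0.0"),
    (1000, "Aug 11 10:16:40 fw01 %PIX-6-302013: Built inbound TCP connection 4711 for outside:192.0.2.5/40112 (192.0.2.5/40112) to inside:10.0.0.8/22 (10.0.0.8/22)"),
]


def subst(template: str, vars_: Dict[str, str], escape: bool = False) -> str:
    """Replace SEC-style $N match variables. SEC inserts the raw text; the escape
    flag (used when building pattern2) is a hardening added here so a captured
    value cannot alter the meaning of the second regex."""
    def repl(m):
        v = vars_.get(m.group(1), m.group(0))
        return re.escape(v) if escape else v
    return re.sub(r"\$(\d+)", repl, template)


@dataclass
class Alert:
    message: str
    first_event: str                    # line that opened the correlation window
    second_event: Optional[str] = None  # line that closed it, None on timeout


@dataclass
class PairWithWindow:
    """Simplified model of SEC's PairWithWindow rule (not SEC's own code)."""
    pattern: str
    desc: str
    action: str             # alert text when the window expires unmatched
    pattern2: str
    action2: Optional[str]  # alert text when pattern2 arrives in time; None = "action2=none"
    window: int
    # active operations: desc -> (start time, compiled pattern2, match variables)
    ops: Dict[str, tuple] = field(default_factory=dict)

    def expire(self, now: int, alerts: List[Alert]) -> None:
        """Fire `action` for every operation whose window has run out."""
        for key, (start, _, vars_) in list(self.ops.items()):
            if now - start >= self.window:
                alerts.append(Alert(subst(self.action, vars_), vars_["0"]))
                del self.ops[key]

    def feed(self, now: int, line: str, alerts: List[Alert]) -> bool:
        """Return True if this rule consumed the line (SEC's default continue=DontCont)."""
        for key, (_, rx2, vars_) in list(self.ops.items()):
            if rx2.search(line):
                if self.action2 is not None:
                    alerts.append(Alert(subst(self.action2, vars_), vars_["0"], line))
                del self.ops[key]
                return True
        m = re.search(self.pattern, line)
        if not m:
            return False
        vars_ = {"0": line, **{str(i + 1): g for i, g in enumerate(m.groups())}}
        key = subst(self.desc, vars_)
        if key not in self.ops:  # SEC ignores repeats while an operation for this desc is open
            self.ops[key] = (now, re.compile(subst(self.pattern2, vars_, escape=True)), vars_)
        return True


def build_rules() -> List[PairWithWindow]:
    """The two rules from the post, with the mail actions replaced by Alert objects."""
    return [
        PairWithWindow(
            pattern=r"\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713050: Group = (\S+),.*$",
            desc="Tunnel down from $1 to $2", action="Tunnel down from $1 to $2",
            pattern2=r"($1)\s%(?:PIX|ASA)-5-713120:\sGroup\s=\s($2),.*$",
            action2="Tunnel down/up ($1 to $2)", window=600),
        PairWithWindow(
            pattern=r"\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713041:\sIP\s=\s(\S+),.*$",
            desc="Tunnel attempt unsuccessful ($1 to $2)",
            action="Tunnel attempt unsuccessful ($1 to $2)",
            pattern2=r"($1)\s%(?:PIX|ASA)-3-713119:\sGroup\s=\s($2),.*PHASE\s1\sCOMPLETED",
            action2=None, window=60),
    ]


def run(events=SAMPLE_EVENTS, suppress_idle_timeout: bool = False) -> List[Alert]:
    """Replay events through the rules. suppress_idle_timeout is an option added here
    (not in the original config): it drops alerts whose opening 713050 line gives
    'IPSec SA Idle Timeout' as the reason, i.e. the flaps the post complains about."""
    rules, alerts = build_rules(), []
    for now, line in events:
        for r in rules:
            r.expire(now, alerts)
        for r in rules:
            if r.feed(now, line, alerts):
                break
    if suppress_idle_timeout:
        alerts = [a for a in alerts if "IPSec SA Idle Timeout" not in a.first_event]
    return alerts


if __name__ == "__main__":
    for a in run():
        print(a.message, "<-", a.first_event)
```

Replaying the sample produces three alerts: the idle-timeout drop that comes back up 90 seconds later (action2 of rule 1, which in the original config also sends mail), the Phase 1 attempt to 203.0.113.9 that never completes (rule 2 times out after 60 s), and the peer-terminated tunnel that is not rebuilt within 600 s (rule 1 times out). Note that in the original action2 the `$0` added to the report is the 713120 line, so the mail never carries the termination reason; keeping the first event alongside the second, as the Alert object does here, is what makes the idle-timeout filter possible.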