The following SEC (<a href="http://kodu.neti.ee/~risto/sec/">http://kodu.neti.ee/~risto/sec/</a>) configs appear to work to Monitor VPN tunnels on PIX version 7.x.&nbsp; The first monitors for a specific line from a firewall, if pattern2 is not matched within 10 minutes, action1 occurs.&nbsp; If pattern2 is matched, action2 occurs.&nbsp; The second config does basically the same thing, only it's watching for tunnel creation.&nbsp; If the attempt (pattern1) occurs and pattern2 doesn't occur within a minute, it assumes that the attempt failed and the tunnel was not created.&nbsp; If the tunnel is successful (pattern2), then nothing happens.
<br><br>So far this is working, however, I get a lot of &quot;IPSec SA Idle Timeouts&quot;.&nbsp; I think we have some devices that just don't talk all the time, so the tunnel comes down until they need it again.&nbsp; So, I'm not going to put this out with the other configs on BleedingSnort (
<a href="http://www.bleedingsnort.com/sec/">http://www.bleedingsnort.com/sec/</a>) just yet.<br><br>If I gather more info, I'll let you know.<br><br>type=PairWithWindow<br>ptype=RegExp<br>pattern=\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713050: Group = (\S+),.*$
<br>desc=Tunnel down from $1 to $2<br>action=create vpn_$1; add vpn_$1 %t; add vpn_$1 $0; report vpn_$1 /bin/mail -s &quot;%s&quot; <a href="mailto:user@domain.com">user@domain.com</a>; delete vpn_$1<br>ptype2=RegExp<br>pattern2=($1)\s%(?:PIX|ASA)-5-713120:\sGroup\s=\s($2),.*$
<br>desc2=Tunnel down/up ($1 to $2)<br>action2=create vpn_$1; add vpn_$1 %t; add vpn_$1 $0; report vpn_$1 /bin/mail -s &quot;%s&quot; <a href="mailto:user@domain.com">user@domain.com</a>; delete vpn_$1<br>window=600<br><br>
type=PairWithWindow<br>ptype=RegExp<br>pattern=\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713041:\sIP\s=\s(\S+),.*$<br>desc=Tunnel attempt unsuccessful ($1 to $2)<br>action=create vpn2_$1; add vpn2_$1 %t; add vpn2_$1 $0; report vpn2_$1 /bin/mail -s &quot;%s&quot; 
<a href="mailto:user@domain.com">user@domain.com</a>; delete vpn2_$1<br>ptype2=RegExp<br>pattern2=($1)\s%(?:PIX|ASA)-3-713119:\sGroup\s=\s($2),.*PHASE\s1\sCOMPLETED<br>desc2=Tunnel creation successful ($1 to $2)<br>action2=none
<br>window=60<br><br>Thanks,<br>Chris<br><br><br><div><span class="gmail_quote">On 8/11/06, <b class="gmail_sendername">Brian Loe</b> &lt;<a href="mailto:knobdy@gmail.com">knobdy@gmail.com</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Anyone here have a complete list of VPN related syslog messages they'd<br>like to share?<br><br>I'm essentially wanting to monitor for site-to-site tunnels going down<br>so that I can alert on them, but having a hell of a time finding
<br>exactly what I want to look for on the Cisco site. Part of the problem<br>is that I won't have an example of such an event until it happens -<br>and I've only just now implemented a syslog server capable of<br>maintaining the logs..
<br><br>At any rate, if anyone here is monitoring for this as well and you're<br>willing to share...let me know!<br>_______________________________________________<br>syslog-ng maillist&nbsp;&nbsp;-&nbsp;&nbsp;<a href="mailto:syslog-ng@lists.balabit.hu">
syslog-ng@lists.balabit.hu</a><br><a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>Frequently asked questions at <a href="http://www.campin.net/syslog-ng/faq.html">
http://www.campin.net/syslog-ng/faq.html</a><br><br></blockquote></div><br>