[syslog-ng]PIX 2 MySQL

Ben Whittaker syslog-ng@lists.balabit.hu
Fri, 29 Oct 2004 11:10:38 -0700 (PDT)


I would start limiting from the pix what messages it logs.

no logging message 106001

for example

"Cary, Kim" <Kim.Cary@pepperdine.edu> wrote:
I just got logging going with syslog-ng in the last couple weeks (first 
client is our PIX 520). We can have up to 20Gb/day from our PIX. When 
compressed, the logs are up to 2Gb/day. We do want a record of all 
sessions for forensics & troubleshooting (already saved us hours of 
time) but the log format is quite verbose. Because of that verbosity, I 
was thinking of writing just key fields to a MySQL database as you 
suggest. However, I don't want to get into a situation where the only 
reporting is whatever report script I have time to write... If Joseph 
or someone else has a suggestion for fields to insert into the db and a 
reporting package to use, I'd appreciate it.

Kim Cary
InfraSec Admin
Pepperdine University

On Oct 29, 2004, at 5:43 AM, syslog-ng-request@lists.balabit.hu wrote:

>> server. The central server is currently piping the information to a Mysql
>> database. Each incoming device writes to its own table in the database. A
>> modification to this we would like to accomplish is to key various pieces
>> of information stored in the "message" field.
>>
>> For example, syslog messages sent from the mail servers will contain the
>> sender, recipient, delivery status in the "message" field. Our thought is
>> to key these pieces of information for quick lookup. Some of the systems
>> (Cisco Pix) are sending up to 5G of information a day. Another reason to
>> key the information.
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
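One way to do the field-keying Kim describes, together with a per-message-ID byte count that helps decide which IDs are worth a "no logging message" on the PIX, as an added example that is not code from anyone in this thread. It assumes the 106001 body format from Cisco's PIX syslog reference, a hypothetical table named pix_conn, and uses constructed sample lines:

```python
import re
from collections import Counter

# Constructed sample lines, as they would arrive in the syslog-ng "message" field.
SAMPLE_LINES = [
    "%PIX-2-106001: Inbound TCP connection denied from 10.9.8.7/4431 to 192.0.2.10/25 flags SYN on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 10.9.8.7/4432 to 192.0.2.10/80 flags SYN on interface outside",
    "%PIX-5-111008: User 'enable_15' executed the 'no logging message 106001' command.",
]

# Common PIX header: %PIX-<severity>-<six-digit message id>: <text>
HEADER = re.compile(r"^%PIX-(?P<sev>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)$")
# Body of message 106001 (format assumed from Cisco's PIX syslog reference).
DENIED = re.compile(
    r"Inbound (?P<proto>\w+) connection denied from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) flags (?P<flags>.+?) on interface (?P<iface>\S+)$"
)

def parse_pix(line):
    """Return a dict of keyed fields, or None if the line is not a PIX message."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msg_id": m["msg_id"], "text": m["text"]}
    if rec["msg_id"] == "106001":
        d = DENIED.match(rec["text"])
        if d:  # connection fields become their own columns; other IDs keep only the header
            rec.update(d.groupdict())
            rec["src_port"] = int(rec["src_port"])
            rec["dst_port"] = int(rec["dst_port"])
    return rec

def volume_by_id(lines):
    """Bytes per message ID: shows which IDs dominate the daily volume."""
    counts = Counter()
    for line in lines:
        rec = parse_pix(line)
        if rec:
            counts[rec["msg_id"]] += len(line.encode())
    return counts

def to_insert(rec, table="pix_conn"):
    """Parameterised INSERT for the keyed columns; the raw text is kept for forensics.
    The table name is a code constant (hypothetical), never user input."""
    cols = ["msg_id", "severity", "proto", "src_ip", "src_port", "dst_ip", "dst_port", "iface", "raw"]
    params = tuple(rec["text"] if c == "raw" else rec.get(c) for c in cols)
    sql = f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join(['%s'] * len(cols))})"
    return sql, params
```

Fields missing from a message (the 111008 line here) become NULL, so one table still holds every ID while the keyed columns stay queryable.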
