[syslog-ng] PIX VPN logging

sawall sawall at gmail.com
Wed Aug 23 17:21:41 CEST 2006


The following SEC (http://kodu.neti.ee/~risto/sec/) configs appear to work
to monitor VPN tunnels on PIX version 7.x.  The first monitors for a
specific line from a firewall; if pattern2 is not matched within 10 minutes,
action1 occurs.  If pattern2 is matched, action2 occurs.  The second config
does basically the same thing, only it's watching for tunnel creation.  If
the attempt (pattern1) occurs and pattern2 doesn't occur within a minute, it
assumes that the attempt failed and the tunnel was not created.  If the
tunnel is successful (pattern2), then nothing happens.

So far this is working; however, I get a lot of "IPSec SA Idle Timeouts".  I
think we have some devices that just don't talk all the time, so the tunnel
comes down until they need it again.  So I'm not going to put this out with
the other configs on BleedingSnort (http://www.bleedingsnort.com/sec/) just
yet.

If I gather more info, I'll let you know.

# Rule 1: alert when a tunnel that went down (%PIX-5-713050, "Connection
# terminated for peer") is not back up (%PIX-5-713120, "PHASE 2 COMPLETED")
# within 10 minutes.  $1 = firewall hostname, $2 = tunnel group (the peer
# address for LAN-to-LAN tunnels).
type=PairWithWindow
ptype=RegExp
pattern=\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713050: Group = (\S+),.*$
desc=Tunnel down from $1 to $2
# action runs only if pattern2 is NOT seen within window seconds: collect the
# timestamp (%t) and the original line ($0) in context vpn_$1 and mail them
# with desc (%s) as the subject.  user@domain.com is a placeholder recipient.
# (The action must be a single line in the SEC config; it was wrapped by mail.)
action=create vpn_$1; add vpn_$1 %t; add vpn_$1 $0; report vpn_$1 /bin/mail -s "%s" user@domain.com; delete vpn_$1
ptype2=RegExp
# $1 and $2 are substituted from the first match before pattern2 is compiled
# (literally, so the dots of an IP are wildcards; harmless here).  The new
# capture groups make them available again as $1/$2 in desc2 and action2.
pattern2=($1)\s%(?:PIX|ASA)-5-713120:\sGroup\s=\s($2),.*$
desc2=Tunnel down/up ($1 to $2)
# action2 runs if the tunnel re-established within the window
action2=create vpn_$1; add vpn_$1 %t; add vpn_$1 $0; report vpn_$1 /bin/mail -s "%s" user@domain.com; delete vpn_$1
window=600

# Rule 2: alert when a Phase 1 negotiation this firewall initiated
# (%PIX-5-713041) is not followed by "PHASE 1 COMPLETED" (%PIX-3-713119)
# within a minute.  $1 = firewall hostname, $2 = peer IP.  pattern2 matches
# "Group = <peer IP>", which holds for LAN-to-LAN tunnels, whose tunnel group
# is named after the peer address.
type=PairWithWindow
ptype=RegExp
pattern=\s*.*\s(\S+)\s%(?:PIX|ASA)-5-713041:\sIP\s=\s(\S+),.*$
desc=Tunnel attempt unsuccessful ($1 to $2)
# single line in the SEC config; user@domain.com is a placeholder recipient
action=create vpn2_$1; add vpn2_$1 %t; add vpn2_$1 $0; report vpn2_$1 /bin/mail -s "%s" user@domain.com; delete vpn2_$1
ptype2=RegExp
pattern2=($1)\s%(?:PIX|ASA)-3-713119:\sGroup\s=\s($2),.*PHASE\s1\sCOMPLETED
desc2=Tunnel creation successful ($1 to $2)
# nothing to report when the tunnel came up
action2=none
window=60

Thanks,
Chris


On 8/11/06, Brian Loe <knobdy at gmail.com> wrote:
>
> Anyone here have a complete list of VPN related syslog messages they'd
> like to share?
>
> I'm essentially wanting to monitor for site-to-site tunnels going down
> so that I can alert on them, but having a hell of a time finding
> exactly what I want to look for on the Cisco site. Part of the problem
> is that I won't have an example of such an event until it happens -
> and I've only just now implemented a syslog server capable of
> maintaining the logs.
>
> At any rate, if anyone here is monitoring for this as well and you're
> willing to share...let me know!
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
>
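As an added example (not part of Chris's post, and not SEC itself): a small Python model of the PairWithWindow logic the two rules rely on, run over constructed PIX syslog lines. The firewall name fw1, the peer addresses and the message bodies are made up for the demonstration. It shows the outcomes the post describes: a tunnel that comes back inside the 10-minute window (action2), one that stays down past it (action; this is what an "IPSec SA Idle Timeout" on a quiet peer looks like), a Phase 1 attempt with no 713119 within a minute, and one that completes (action2=none).

```python
"""Toy model of SEC's PairWithWindow logic for the two PIX VPN rules above. Added
example: not SEC, not code from the original post; hosts, peers and lines are made up."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

PIX = r"%(?:PIX|ASA)"


@dataclass
class Rule:
    name: str
    pattern: re.Pattern    # opens a correlation operation
    pattern2: str          # template; $1/$2 are filled in from the first match
    window: int            # seconds to wait for pattern2
    desc: str              # alert text if pattern2 never arrives (SEC's "action")
    desc2: Optional[str]   # alert text if it does; None models "action2=none"


# Transcribed from the two rules in the post, $N written as SEC writes it.
RULES = [
    Rule("tunnel-down",
         re.compile(r"\s(\S+)\s" + PIX + r"-5-713050: Group = (\S+),"),
         r"$1\s" + PIX + r"-5-713120:\sGroup\s=\s$2,",
         600, "Tunnel down from $1 to $2", "Tunnel down/up ($1 to $2)"),
    Rule("tunnel-attempt",
         re.compile(r"\s(\S+)\s" + PIX + r"-5-713041:\sIP\s=\s(\S+),"),
         r"$1\s" + PIX + r"-3-713119:\sGroup\s=\s$2,.*PHASE\s1\sCOMPLETED",
         60, "Tunnel attempt unsuccessful ($1 to $2)", None),
]


def fill(template: str, groups: tuple, escape: bool) -> str:
    """Substitute $1, $2, ... with captured groups. SEC pastes the raw text into
    pattern2; here it is re.escape()d so the dots of an IP stay literal."""
    def repl(m: re.Match) -> str:
        val = groups[int(m.group(1)) - 1]
        return re.escape(val) if escape else val
    return re.sub(r"\$(\d)", repl, template)


@dataclass
class Pending:
    rule: Rule
    groups: tuple
    pattern2: re.Pattern
    started: int


@dataclass
class Correlator:
    rules: list
    pending: dict = field(default_factory=dict)   # keyed by (rule, expanded desc)
    alerts: list = field(default_factory=list)

    def expire(self, now: int) -> None:
        """Fire 'action' for operations open for more than `window` seconds."""
        for key, op in list(self.pending.items()):
            if now - op.started > op.rule.window:
                self.alerts.append(fill(op.rule.desc, op.groups, escape=False))
                del self.pending[key]

    def feed(self, now: int, line: str) -> None:
        self.expire(now)
        for key, op in list(self.pending.items()):   # does the line close an operation?
            if op.pattern2.search(line):
                if op.rule.desc2 is not None:         # action2=none stays silent
                    self.alerts.append(fill(op.rule.desc2, op.groups, escape=False))
                del self.pending[key]
                return
        for rule in self.rules:                        # or open a new one?
            m = rule.pattern.search(line)
            if m:
                key = (rule.name, fill(rule.desc, m.groups(), escape=False))
                if key not in self.pending:            # repeats while open are ignored, as in SEC
                    p2 = re.compile(fill(rule.pattern2, m.groups(), escape=True))
                    self.pending[key] = Pending(rule, m.groups(), p2, now)
                return


def run(events, end_time: int) -> list:
    """Feed (seconds, line) pairs in order, then expire whatever is still open."""
    c = Correlator(RULES)
    for ts, line in events:
        c.feed(ts, line)
    c.expire(end_time)
    return c.alerts


# Constructed sample events, offsets in seconds from the first line.
SAMPLE_EVENTS = [
    (0, "Aug 23 17:00:00 fw1 %PIX-5-713050: Group = 192.0.2.10, IP = 192.0.2.10, Connection "
        "terminated for peer 192.0.2.10.  Reason: Peer Terminate, Remote Proxy 10.1.1.0, Local Proxy 10.2.2.0"),
    (120, "Aug 23 17:02:00 fw1 %PIX-5-713120: Group = 192.0.2.10, IP = 192.0.2.10, "
          "PHASE 2 COMPLETED (msgid=1a2b3c4d)"),                       # back within 600 s
    (300, "Aug 23 17:05:00 fw1 %PIX-5-713050: Group = 198.51.100.20, IP = 198.51.100.20, Connection "
          "terminated for peer 198.51.100.20.  Reason: IPSec SA Idle Timeout, Remote Proxy 10.5.5.0, "
          "Local Proxy 10.2.2.0"),                                    # never comes back
    (400, "Aug 23 17:06:40 fw1 %PIX-5-713041: IP = 203.0.113.5, IKE Initiator: new or rekey Phase 1, "
          "Intf outside, IKE Peer 203.0.113.5  local Proxy Address 10.2.2.0, remote Proxy Address "
          "10.3.3.0,  Crypto map (outside_map)"),                     # no 713119 follows
    (500, "Aug 23 17:08:20 fw1 %PIX-5-713041: IP = 192.0.2.10, IKE Initiator: new or rekey Phase 1, "
          "Intf outside, IKE Peer 192.0.2.10  local Proxy Address 10.2.2.0, remote Proxy Address "
          "10.1.1.0,  Crypto map (outside_map)"),
    (502, "Aug 23 17:08:22 fw1 %PIX-3-713119: Group = 192.0.2.10, Username = 192.0.2.10, "
          "IP = 192.0.2.10, PHASE 1 COMPLETED"),                      # success: action2=none
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, end_time=2000):
        print(alert)
```

Run as a script it prints the three alerts the rules would have mailed: the down/up notice for 192.0.2.10, the failed attempt to 203.0.113.5, and the "Tunnel down" for 198.51.100.20 once its 600-second window is over. Calling run(SAMPLE_EVENTS, 900) instead returns only the first two, because at 900 s the second 713050 is exactly 600 s old and the window has not yet elapsed. Two things here are deliberate modelling choices rather than statements about SEC: the captured values are re.escape()d before being pasted into pattern2, and expiry is "strictly more than window seconds".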