cisco pix 501 traffic logging ?

[Erik M. Jensen]

Hi.

Is this firewall capable of logging traffic going through it ? Http
requests, non-encrypted mails etc ?

Best regards, Erik

[Brian Bergin]

Absolutely. Try:

logging on
logging trap informational
logging facility 23
logging host inside 192.168.1.x {where this IP is the IP of the syslog server}

Try Kiwi's Syslog at http://www.kiwisyslog.com.

Thanks...
Brian Bergin

I can be reached via e-mail at
cisco_dot_news_at_comcept_dot_net.

Please post replies to the group so all may benefit.

[Walter Roberson]

In article <3e81dee5$0$52201$edfa...@dread16.news.tele.dk>,

Erik M. Jensen <erik_m...@hotmaill.com> wrote:

:Is this firewall capable of logging traffic going through it ? Http

:requests, non-encrypted mails etc ?

Well, you'd probably in any case want to set it up to send the
logging information to a syslog server, as the 501 doesn't have
anything resembling permanent storage (just an in-RAM logging buffer that
it feels free to overwrite as new entries come in.)

It can log URLs of outgoing http and ftp requests. It can log
IP source and destination of any connection. It cannot log
email addresses (incoming or outgoing.) My recollection is that
it cannot log URLs of incoming http or ftp, but I could be wrong
about that.
--
I don't know if there's destiny,
but there's a decision! -- Wim Wenders (WoD)

[Brian Bergin]

robe...@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote:

|My recollection is that
|it cannot log URLs of incoming http or ftp, but I could be wrong
|about that.

Well, sort of. It logs inbound IPs for web sites then the extended URL. For
example:

Mar 07 23:59:48 10.0.0.4 %PIX-5-304001: 65.32.81.5 Accessed URL
1.2.3.4:/images/tree_bullet.gif

So it does show you sort of the URL. If you have one web site on each IP then
logging inbound URL access is not hard. If, on the other hand, you put multiple
web sites on the same IP that becomes harder.

[Bjorn]

I have the Kiwi Syslog server running. My management wants a report on the
internet use, what, where, when etc. The Syslog server logs a lot of sites
but when I look at Top 20 Sites I only get hte IP address of the Pix! The
log also says Host Name: (IP address of the Pix). How do I get useful
statistics out of the log?

BG

"Brian Bergin" <see_f...@bottom.com> wrote in message
news:a8h48v86suhkob1ge...@4ax.com...

[Markus M. Schwarz]

Bjorn schrieb:

> I have the Kiwi Syslog server running. My management wants a report on the
> internet use, what, where, when etc. The Syslog server logs a lot of sites
> but when I look at Top 20 Sites I only get hte IP address of the Pix! The
> log also says Host Name: (IP address of the Pix). How do I get useful
> statistics out of the log?

An option would be using Websense - they offer a 30 day evaluation copy.
You can create a "transparent" policy allowing any traffic any time in
websense so that your users don't get the username / password request -
and no clue that there is running anything in the network watching their
steps. You can get extensive reports out of websense - top ten
destinations, top ten users, usage per hour, day, week ... - anything
your management could dream of.

Just check if your Pix license supports Websense - there should be
something like "Websense enabled" in the 'sh ver' output.

Just don't forget to install the "Websense Reporter" software, a
Websense without the Reporter would'nt report anything :D

And don't forget to check with your management and your companies
privacy policy before installing / running Websense - under some
legislations / policies tools like Websense Reporter are prohibited when
you intend to use them for employee-control.

Regards
Markus