PIX Logging Architecture version 2.00


What is PIX Logging Architecture?

The PIX Logging Architecture [PLA] is a free and open-source project allowing for correlation of Cisco PIX, Cisco FWSM and Cisco ASA Firewall Traffic, IDS and Informational Logs.

PIX Log message parsing is performed through the use of the PLA parsing module or PLA Msyslogd module. Centralization of the logs is provided using a MySQL database, supported by a Web-based frontend for Log Viewing, Searching, and Event Management. PIX Logging Architecture is completely coded in the Perl programming language, and uses various Perl modules including Perl::DBI and Perl::CGI.


What's New in PIX Logging Architecture version 2.0?

PIX Logging Architecture v2.x is a new major release of the PLA software and features the following:
    Database Redesign

    The PIX Logging Architecture Database has been redesigned for more efficient use of resources, including faster page loading, faster searches and cross-table indexing. Several new tables have been added and some existing tables have been altered so that new features can be supported.

    Extended Parsing Module

    The PIX Logging Architecture parsing module, which is responsible for extracting the necessary fields from the PIX system log messages, has been extended to gather new information including, but not limited to, Translations (Xlates) and Informative Log Messages (i.e. PIX Failover, PIX VPN Establishment, PIX Interface Up/Down, PIX PPPoE VPDN establishment and the like). All the parsing information needed by the PLA Parsing Daemon (pla_parsed) to extract data from the logs is now stored in the database, allowing the set of supported log messages to be updated easily without replacing the parsing scripts. Moreover, the PLA Parsing Daemon runs as a daemonized Perl process in the background and reads directly, in near real time, from the system log files, so there is no longer any need to create crontab jobs as before, or to restart syslogd all the time.

    Parse-Time Filtering

    With the PIX Logging Architecture v2.00 version comes the ability to perform parse-time filtering. Parse-time filtering allows you to use the PLA web interface to define traffic which you do not wish to log (i.e. between specific IP pairs and ports, on specific protocols, on specific firewalls). The PLA Parse Daemon (pla_parsed) then checks the incoming firewall logs and excludes any traffic which matches the parse-time filters. Using these parse filters allows you to keep tabs on the database size and saves you from having to log all data.

    Security Dashboard

    The PIX Logging Architecture front-end has been equipped with a "Security Dashboard" feature, allowing the Top Dropped & Accepted Sources, Destinations and Services to be listed. Additionally, a set of graphs provides a statistical analysis of the drops and accepts, protocol distribution and cumulative amount of logged data over a 24-hour, 7-day, 30-day and 12-month time period on a per-firewall basis.

    Extended Search Parameters

    The traffic and IDS log search capabilities within PIX Logging Architecture have been extended to allow more granular searching, including searching based on protocol, more accurate time ranges and exact PIX log or IDS message names, allowing results to be refined and, in turn, decreasing the time needed to display them. PIX Logging Architecture v2.00 also introduces the ability to search the informational (audit) logs. Informational log searches such as SSH logins, username searches, configuration change searches and the like can now be carried out easily.

    Optimized Traffic/IDS Log Display

    The extraction of additional data from the PIX logs has allowed PIX Logging Architecture to optimize the display of its Traffic Logs and IDS Logs. It is now possible to perform host name resolution on these pages. The additional information gathered allows address translations (PAT/NAT Xlates) to be displayed as part of a single PIX logged event. A redesign of the displayed logging information and the introduction of icons give the PIX Logging Architecture front-end a more user-friendly look and feel.

    Information Logs and User-defined Queries

    Two new tabs have been introduced into the PIX Logging Architecture version 2.x dashboard.
    • The first of these two tabs is the information logs, which provides the user with information regarding the PIX Firewall that is not directly related to the traffic actions on this firewall. Messages such as PIX Failover, user authentication (vty/console), VPN establishment and VPDN PPPoE establishment are all logged to the information logs table of the PLA database. These logs provide traceability and accounting/auditing across the PIX firewall platform for the pre-defined system log messages.
    • The second tab which has been added is the "Queries" tab, which allows user-defined queries to be run against the PLA database. User-defined queries are search parameters which have been saved and given a name so that they can be applied with a single click of a button: a query is a set of user-defined parameters used as input criteria for searching the PLA database, and upon matching these criteria PLA displays the information requested. (This concept is very similar to CheckPoint SmartView Tracker's User-Defined Log Queries.)


    Traffic Log Filtering and Descriptions

    Two new functions have been introduced in relation to PIX Traffic Logs.
    • The first function is called Traffic Log Display Filtering, which allows a set of parameters to be defined for PIX events which are logged to the PLA database but which should not be displayed to the user. Common examples are overhead traffic which is logged for regulatory or administrative purposes, such as DNS, SMTP and HTTP traffic. Applying Traffic Log Display Filtering omits this high-volume traffic from the displayed log information, giving PIX Logging Architecture users a clearer and more in-depth view of the actual traffic situation. This makes it easier to detect network anomalies such as worms, Trojans, automated scans and the like, because the PIX Traffic Logs shown in the front end already represent a filtered view with the predefined traffic omitted. One idea would be to reflect the corporate security policy in these filters so that administrators can more easily detect violations of the policy. A main advantage of PIX Logging Architecture Display Filtering is that it can be configured on a firewall-by-firewall basis, so depending on the logging source, traffic log display filters may or may not be put into effect.
    • The second function is called Traffic Log Descriptions: a user can define descriptions for certain traffic patterns, making that traffic more easily recognizable when it is detected. For example, if a new worm is found roaming across the Internet or a new P2P program is released, a PIX Logging Architecture administrator can define the characteristics of this traffic so that when traffic logs matching the criteria are displayed, a description for this traffic is shown alongside them. A virtually unlimited number of descriptions can be configured for a single set of traffic patterns, allowing multiple potential matches to be made, which is quite a common scenario when dealing with Trojan or worm traffic. Traffic Log Descriptions also include a classification, allowing PIX Logging Architecture administrators to distinguish between regular (normal) traffic patterns and anomalous (abnormal) traffic patterns.
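    The following is an added illustration, not PLA's own code (which is Perl), of how the parse-time filters described earlier and the traffic descriptions with classifications described here fit together: messages are parsed into fields, parse-time filters decide what is stored at all, and every matching description is attached to the records that remain (display filtering would apply the same field-matching check to stored records at view time). The message layouts follow the PIX 106023 (deny) and 302013 (built outbound connection) formats; the hostnames, addresses, filter policy and descriptions are constructed for the example.

```python
import re

# Constructed sample lines in the shape of PIX 106023 (deny) and 302013 (built outbound)
# messages, each prefixed with the logging firewall's hostname as syslog would.
SAMPLE_LOGS = [
    'fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4444 dst inside:198.51.100.1/445 by access-group "outside_in"',
    'fw1 %PIX-6-302013: Built outbound TCP connection 8821 for outside:203.0.113.5/53 (203.0.113.5/53) to inside:192.168.1.10/51234 (198.51.100.1/51234)',
    'fw2 %PIX-4-106023: Deny tcp src outside:203.0.113.9/5353 dst inside:198.51.100.1/445 by access-group "outside_in"',
]
# 106023: "Deny proto src ifc:ip/port dst ifc:ip/port by access-group ..."
DENY_RE = re.compile(r'^(?P<fw>\S+) %PIX-\d-106023: Deny (?P<proto>\w+) '
                     r'src \S+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
# 302013 outbound: the "for" endpoint is the outside peer; the "to" endpoint is the inside
# host, followed in parentheses by its translated (xlate) address and port.
BUILT_RE = re.compile(r'^(?P<fw>\S+) %PIX-\d-302013: Built outbound (?P<proto>\w+) connection \d+ '
                      r'for \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) \(\S+\) '
                      r'to \S+:(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<xlate>[\d.]+/\d+)\)')

def parse(line):
    """Return a normalised record dict, or None for an unsupported message."""
    for action, rx in (("deny", DENY_RE), ("accept", BUILT_RE)):
        m = rx.match(line)
        if m:
            rec = dict(m.groupdict(), action=action)
            rec["proto"] = rec["proto"].lower()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            return rec
    return None

def matches(rule, rec):
    """Every field named in the rule must equal the record's value (AND semantics)."""
    return all(rec.get(k) == v for k, v in rule.items())

def parse_time_filter(records, filters):
    """Drop records matching any filter before they would be written to the database."""
    return [r for r in records if not any(matches(f, r) for f in filters)]

def describe(rec, descriptions):
    """All descriptions whose pattern matches the record, each with its classification."""
    return [(d["desc"], d["cls"]) for d in descriptions if matches(d["match"], rec)]

# Constructed policy: do not store fw1's accepted outbound DNS; label SMB probes and a known scanner.
PARSE_FILTERS = [{"fw": "fw1", "action": "accept", "proto": "tcp", "dport": 53}]
DESCRIPTIONS = [
    {"match": {"action": "deny", "proto": "tcp", "dport": 445}, "desc": "SMB probe", "cls": "anomalous"},
    {"match": {"action": "deny", "src": "203.0.113.9"}, "desc": "known scanner", "cls": "anomalous"},
]

def process(lines=SAMPLE_LOGS):
    stored = parse_time_filter([r for r in map(parse, lines) if r], PARSE_FILTERS)
    return [(r["fw"], r["src"], r["dport"], describe(r, DESCRIPTIONS)) for r in stored]
```

    The second deny record picks up two descriptions at once, which is the multiple-match case the text mentions for worm and Trojan traffic.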


    Sorting and Paging

    All PIX Logging Architecture pages which provide log listings (Traffic Logs, IDS Logs, Informational Logs, Queries as well as all search pages) are now equipped with a sorting and paging function, limiting the number of records displayed at once (default: 50 records) and improving the efficiency with which logs can be analyzed, since the listing can be sorted on any displayed field in ascending or descending order. The current paging feature allows 50, 100, 250, 500 or 1000 logs to be displayed per page, with "Next", "Previous" and "Refresh" buttons for easy navigation between the different views.

    PLA Database Log Purging

    A configuration option has been added to allow log purging from within the PIX Logging Architecture web-based front end. Several purging policies have been predefined and can be chosen and applied to either Traffic, IDS or Informational Logs. Log purging allows old entries to be cleared easily without having to edit the database manually.

    PLA Configuration Tab

    A PIX Logging Architecture Configuration tab has been added to the PIX Logging Architecture version 2.0 front-end. This tab allows for the configuration of User-defined Queries, Traffic Log Display Filtering, Traffic Log Descriptions and Event/Incident Management. The PLA configuration interface allows the different configurable options of PIX Logging Architecture version 2.0 to be created, searched and edited.







Screenshots

PIX Logging Architecture v2.00 in action:





Software Release / Downloads

Software Release                         Release Date         Status
PIX Logging Architecture v2.00           March 26, 2007       Released - Latest Version
PIX Logging Architecture v2.00 Beta 1    November 01, 2006    Released - Obsolete Version


PIX Logging Architecture v2.00 has been released and is available for download.


Click here to download PIX Logging Architecture v2.00.


Note: the PIX Logging Architecture version 1.x release is no longer maintained or supported.





Discussion Forum

*NEW* - PIX Logging Architecture v2.00 Discussion Forum

Through the PIX Logging Architecture v2.00 Discussion Forum, available on http://forum.logging-architecture.net/, you can get community support on any PIX Logging Architecture related questions as well as share experiences, knowledge and tweaks on PIX Logging Architecture.





Mailing Lists

Several Mailing Lists have been set up so that you can stay up to date with the latest announcements, feature requests, support information and bug tracking.

  • pixla-announce
       The pixla-announce mailing list features announcements of new and upcoming PIX Logging Architecture releases.
       [ Subscribe ]   [ pixla-announce Archives ]

  • pixla-bugs
       The pixla-bugs mailing list is available for the reporting and discussion of potential bugs.
       [ Subscribe ]   [ pixla-bugs Archives ]

  • pixla-comments
       The pixla-comments mailing list allows feedback, suggestions and feature requests for PIX Logging Architecture.
       [ Subscribe ]   [ pixla-comments Archives ]

  • pixla-logs
       The pixla-logs mailing list is available for questions regarding log messages and supported types/devices.
       Maybe you've added your own (previously unsupported) log messages; share them with the community!
       [ Subscribe ]   [ pixla-logs Archives ]

  • pixla-support
       The pixla-support mailing list is a help and support list for PIX Logging Architecture.
       [ Subscribe ]   [ pixla-support Archives ]





Contact Information

If you have any questions, thoughts, comments or ideas to share you can contact me either by email or by dropping me a message on my web site:

  • email: kris@logging-architecture.net
  • website: http://logging-architecture.net/kris




    Support The PLA Project!

    What makes free open source software great and keeps it innovative is the fact that many people around the world have access to the software and have the opportunity to test it and use it as much as they want! And PIX Logging Architecture is no different! People can run it on their own networks and test it with their own system log data. What's even greater is that the more people test the PLA project, the more feedback I'll get about new features to add as well as improvements to current features. So if you like the PLA project and want to help us make a difference, we would really appreciate you linking to the PIX Logging Architecture project's web site so that more people know about this project and can help improve it! One way of doing this is by putting the following code on your website, which will display the small (120x18) banner shown below.

    <a href="http://www.logging-architecture.net"><img src="http://www.logging-architecture.net/pla_banner_small.jpg" alt="PIX Logging Architecture" border="0"></a>

    If you don't have a web site and you feel like helping us out, you can help us come up with new and useful features for the PIX Logging Architecture by dropping me a mail at kris@logging-architecture.net!



    Keep The PLA Project Running!

    PIX Logging Architecture is software provided for free and can be used without any obligations or monetary compensation. Nevertheless, running the PIX Logging Architecture project involves costs (such as hosting and hardware investments) to keep it as up to date as possible and to support the latest software and hardware technologies, which we try to cover through donations and sponsored ad clicks. Your clicks on our sponsors' ads as well as your donations to this project can make the difference in keeping this site and its project up and running!







    Last Update: 22-Mar-2008

    Thanks to Viviane and Carlos Eduardo for helping me out with the design of this site!