PIX Logging Architecture version 2.00


PIX Logging Architecture v2.00 - Release Information



Features

PIX Logging Architecture v2.00 features the following:
  • Cisco ASA, PIX and FWSM Log Parsing [Preconfigured Log Message List]
  • Centralized Database Storage
  • Extensive Traffic, IDS and Information Log Viewing
  • Extensive Traffic, IDS and Information Log Searching
  • Display Filters to omit pre-defined traffic from being displayed
  • Traffic Descriptions allow pre-defined traffic to be identified
  • Traffic Queries allow search parameters to be saved for future use
  • Parse Filters allow you to choose what to log to the PLA database
  • Log Purging prevents the database from growing too fast
  • Extended Parsing Daemon with Optimized Memory Support for faster log treatment
  • Statistics and Graphs allowing for a clear overview of logged traffic
  • Comprehensive Security Dashboard providing Top Sources, Destinations, Services, Drops and Accepts, Protocols
  • Paging and Sorting on all log-related pages allowing for efficient log analysis
For a more detailed overview of the features, please refer to the PIX Logging Architecture v2.00 main page.




Changes since PLA v2.00 Beta 1

Whilst PIX Logging Architecture v2.00 brings quite a few important (to say the least) changes for those who have until now only used PIX Logging Architecture v1.01, there have also been several important changes since PLA v2.00 Beta 1. I'd like to take this opportunity to thank those who have been working with PLA v2.00 Beta 1 and have provided me with very useful feedback and comments and, I'm happy to say, only a limited number of bugs!

Changes to PIX Logging Architecture v2.00 after PIX Logging Architecture v2.00 Beta 1:

  • Bug Fixes
    PLA Parsing Daemon: An undefined subroutine "writedb" was called instead of "write_db" within one of the sections of the PLA Parsing Engine. This should not have affected most people, as this section was not enabled by default.
    PLA Web Front-End: A double quote was missing at the end of one of the HTML statements within the pix_config_log_purge page, causing execution errors of the log purging in certain specific cases.

  • Extensions/Enhancements to Existing Features
    PLA Web Front-End: The Traffic Display Filter concept has been expanded to also apply to search results. An option has been added to the PIX Traffic Logs Search page allowing a user to enable or disable display filters. The default behaviour is still to disable them; however, the user now has the option to view search results with the display filters enabled.

  • New Features
    PLA Web Front-End: A completely new section has been added, entitled "Security Dashboard", which gives an overview of the situation based on the log entries. It provides data on the Top 5 Dropped Source Addresses, Destination Addresses and Services, as well as the Top 5 Accepted Source Addresses, Destination Addresses and Services. Additionally, a set of graphs provides a 24-hour statistical overview of the number of drops and accepts, the protocol distribution and the total number of packets for a given firewall. Each of these graphs links to a set of graphs showing the historical evolution of those same statistics over the last 24 hours, 7 days, 30 days and 12 months. [screenshot 1] [screenshot 2]
    PLA Web Front-End: All PLA sections enabling a user to enter a date have now been equipped with a handy calendar drop-down. When clicking on any of the date selection fields (year, month or date), the user will see a calendar pop up with today's date highlighted and can easily navigate through the days and months in order to select a date. [screenshot 1]
    PLA Web Front-End: All PLA sections displaying Traffic, IDS or Informational logs (including Queries and Search results) have now been equipped with a paging feature, allowing a user to define the number of logs to display per page. You can select between 50, 100, 250, 500 and 1000 log entries per page. Subsequent and preceding pages can be visited using the "Next" and "Previous" buttons respectively. A "Refresh" button has also been added to refresh the currently selected view. [screenshot 1] [screenshot 2]
    PLA Web Front-End: In order to allow for swifter and more efficient treatment of log records, all PLA sections displaying Traffic, IDS or Informational logs (including Queries and Search results) have now been equipped with a sorting feature, allowing a user to define on which column to sort the data (i.e. Log Time, Source IP, Destination IP, Source Port, Destination Port, Protocol, etc.). Additionally, each of the sorting options can be selected in Ascending as well as Descending order. [screenshot 1] [screenshot 2]
    PLA Web Front-End: In much the same way as the Security Dashboard uses historical graphs, a graphing feature (called "PLA Graph") has been added to the Specific Log Details pages (PIX Traffic IDs). It shows the historical evolution of, and allows statistical analysis of, occurrences of a specific traffic log value such as the (Translated) Source IP, (Translated) Source Port, (Translated) Destination IP or (Translated) Destination Port, providing a set of graphs of the 24-hour, 7-day, 30-day and 12-month occurrences of this item. [screenshot 1]
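The Top 5 tables the Security Dashboard describes are aggregations over parsed traffic logs. As an added illustration that is not PLA's own code, the Python below parses constructed sample ASA/PIX syslog lines (ACL denies, message 106023, and built TCP/UDP connections, messages 302013/302015) and produces the dropped and accepted Top 5 sources, destinations and services; the regular expressions are my own approximation of those message formats, not PLA's parser, and a line the parser does not recognise is counted rather than silently dropped.

```python
import re
from collections import Counter

# Constructed sample syslog lines in Cisco ASA/PIX message format (not real traffic).
SAMPLE_LOGS = """\
Mar 22 10:00:01 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]
Mar 22 10:00:02 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40002 dst inside:10.0.0.5/23 by access-group "outside_in" [0x0, 0x0]
Mar 22 10:00:03 fw1 %ASA-4-106023: Deny udp src outside:203.0.113.9/5353 dst inside:10.0.0.5/53 by access-group "outside_in" [0x0, 0x0]
Mar 22 10:00:04 fw1 %PIX-6-302013: Built inbound TCP connection 1001 for outside:192.0.2.4/51000 (192.0.2.4/51000) to inside:10.0.0.8/80 (10.0.0.8/80)
Mar 22 10:00:05 fw1 %PIX-6-302013: Built inbound TCP connection 1002 for outside:192.0.2.4/51001 (192.0.2.4/51001) to inside:10.0.0.8/443 (10.0.0.8/443)
Mar 22 10:00:06 fw1 %ASA-6-302015: Built inbound UDP connection 1003 for outside:192.0.2.9/53000 (192.0.2.9/53000) to inside:10.0.0.5/53 (10.0.0.5/53)
Mar 22 10:00:07 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.8/1025 to outside:192.0.2.1/1025
"""

# My approximation of the formats: 106023 = packet denied by ACL; 302013/302015 = TCP/UDP connection built.
DENY_RE = re.compile(
    r"%(?:ASA|PIX|FWSM)-\d-106023: Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)/\d+ "
    r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)")
BUILT_RE = re.compile(
    r"%(?:ASA|PIX|FWSM)-\d-30201[35]: Built \w+ (?P<proto>TCP|UDP) connection \d+ "
    r"for \S+?:(?P<src>[\d.]+)/\d+ \S* to \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_events(text):
    """Return (events, unparsed): one dict per recognised drop/accept, plus a count of unknown lines."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m, action = DENY_RE.search(line), "drop"
        if not m:
            m, action = BUILT_RE.search(line), "accept"
        if not m:
            unparsed += 1  # message ID not in this example's parse list (e.g. 305011 translation)
            continue
        service = f"{m['proto'].lower()}/{m['dport']}"  # destination port per protocol, as a service
        events.append({"action": action, "src": m["src"], "dst": m["dst"], "service": service})
    return events, unparsed

def top5(events, action, field):
    """Top 5 values of `field` among events with the given action, like the dashboard tables."""
    return Counter(e[field] for e in events if e["action"] == action).most_common(5)

def dashboard(text):
    """Build the six Top 5 tables (drop/accept x src/dst/service) plus the unparsed-line count."""
    events, unparsed = parse_events(text)
    tables = {f"{a}_{f}": top5(events, a, f) for a in ("drop", "accept") for f in ("src", "dst", "service")}
    tables["unparsed_lines"] = unparsed
    return tables
```

The unparsed count matters operationally: a parser that quietly skips unknown message IDs would make a dashboard look quieter than the firewall actually is.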





Supported Log Messages

PIX Logging Architecture v2.00 supports log messages from Cisco ASA 7.x, Cisco PIX 6.x, Cisco PIX 7.x, Cisco FWSM 2.x and Cisco FWSM 3.x. Please note that the supported log message list is continuously growing, both from feedback PIX Logging Architecture users give me on new log messages and from the testing I carry out with various devices and different types of traffic. I therefore try to regularly release an update of the supported log messages, as well as an SQL file containing all supported log messages (including the latest ones) which can easily be imported into the PLA database.

For more information on the supported log messages and in order to obtain the latest copy of the log messages file, please refer to the "PIX Logging Architecture v2.00: Preconfigured Log Messages" page.




Screenshots

Some screenshots of PIX Logging Architecture v2.00 in action:

  • Main Log Display
  • Specific Log Details
  • Specific Log Details Graph
  • Display Filter List
  • Create Display Filter
  • Search Logs
  • Informational Logs
  • Global Security Dashboard
  • Drops & Accepts Drilldown

More screenshots can be found at this page.




Requirements

Here's a summary of what you need to run PIX Logging Architecture v2.00:
  • Cisco PIX Firewall, Cisco ASA or FireWall Services Module (FWSM)
  • Logging host with syslog
  • Perl (and several Perl modules)
  • MySQL Database
  • Apache Web Server
  • PIX Logging Architecture (PLA) Parsing Daemon (included in the PLA v2.00 package)
  • PIX Logging Architecture (PLA) Database SQL File (included in the PLA v2.00 package)
  • PIX Logging Architecture (PLA) Web-based Front End (included in the PLA v2.00 package)

I run PIX Logging Architecture on Red Hat, Debian and SuSE Linux; however, there should be no issue running it on other Linux distributions or POSIX systems (Solaris, etc.).

For a comprehensive list of PIX Logging Architecture v2.00 requirements please refer to the "PIX Logging Architecture v2.00 Installation, Configuration and Usage Guide" referenced in the Documentation section.




Documentation

I know documentation is a very important item when it comes to installing new software that you may not be used to, so I've tried to be as clear and comprehensive as possible in the documentation I've written. At present there is only one document available, which details the various steps of the PIX Logging Architecture installation, configuration and usage.

Please Note: The online documentation referenced here is always the latest version and supersedes any documentation provided as part of the PLA packages.



If you feel any sections are missing or improvements can be made, please let me know so I can try to modify the documentation accordingly. Moreover, recurring remarks, improvements and comments regarding the documentation, installation, configuration and usage of PIX Logging Architecture may be assembled into a common FAQ in the future.




Downloads

The following downloads are available for PIX Logging Architecture v2.00:

PIX Logging Architecture v2.00 is provided under the open source, free software GNU General Public License v2 [GPLv2]. For more information on this license please refer to the following website: http://www.gnu.org/licenses/gpl-faq.html.




Useful Resources and Links

Some people have shared their experiences with PIX Logging Architecture through installation guides, configuration tips and tweaks. I'm grateful to these people for their contribution to the project, and the following resources may be very useful to you:






Support

To allow for community support, I've created a few mailing lists regarding PIX Logging Architecture. I encourage you to look here first to find out whether anyone else has posted information which may answer your question.

  • pixla-announce
       The pixla-announce mailing list features announcements of new and upcoming PIX Logging Architecture releases.
       [ Subscribe ]   [ pixla-announce Archives ]

  • pixla-bugs
       The pixla-bugs mailing list is available for the reporting and discussion of potential bugs.
       [ Subscribe ]   [ pixla-bugs Archives ]

  • pixla-comments
       The pixla-comments mailing list allows feedback, suggestions and feature requests for PIX Logging Architecture.
       [ Subscribe ]   [ pixla-comments Archives ]

  • pixla-logs
       The pixla-logs mailing list is available for questions regarding log messages and supported types/devices.
       Maybe you've added your own (previously unsupported) log messages; share them with the community!
       [ Subscribe ]   [ pixla-logs Archives ]

  • pixla-support
       The pixla-support mailing list is a help and support list for PIX Logging Architecture.
       [ Subscribe ]   [ pixla-support Archives ]


*NEW* - PIX Logging Architecture v2.00 Discussion Forum

Through the PIX Logging Architecture v2.00 Discussion Forum, available on http://forum.logging-architecture.net/, you can get community support on any PIX Logging Architecture related questions as well as share experiences, knowledge and tweaks on PIX Logging Architecture.

If the mailing lists or forum don't provide the information you're looking for or you have any thoughts, comments or ideas to share you can contact me (Kris Philipsen) either by email or by dropping me a message on my web site:


P.S. Please note that in my spare time I also have a full-time job ;) and thus if I don't answer you immediately it's because I'm usually quite busy and travelling all over the place.

Last Update: 22-Mar-2008

Thanks to Viviane and Carlos Eduardo for helping me out with the design of this site!