[PLA] - PIX Logging Architecture

PIX Logging Architecture v2.00 - Preconfigured Log Messages

General Information

PIX Logging Architecture v2.00 Beta 1 uses a concept of preconfigured log messages in order to recognize subsequent log messages and thus knows how to treat them. The PLA Parsing Daemon (pla_parsed) is in charge of parsing the log entries as they come into the system log (syslog) file on the logging host and makes a parsing decision based on the preconfigured log message information, which is stored in the "syslog_message" table within the PLA database.

PLA v2.00 Beta 1 differentiates between 4 different entries within the syslog_message table:

Traffic Logs (MessageType: 1)
Based on Regular Expression (regex) statements within the log message criteria, data is selectively extracted from incoming log messages and written to their corresponding fields in the PLA Database's "traffic_log" table.
IDS Logs (MessageType: 2)
Based on Regular Expression (regex) statements within the log message criteria, data is selectively extracted from incoming log messages and written to their corresponding fields in the PLA Database's "ids_log" table.
Informational Logs (MessageType: 0 | MessageAction: 1)
Based on the Message ID (i.e. PIX-3-403503), a decision is made to include the entire informational part of the message (everything that follows the Message ID, in this case PIX-3-403503).
Excluded Logs (MessageType:0 | MessageAction: 0)
Based on the Message ID (i.e. PIX-6-302010), a decision is made to exclude this log, discard it and continue to the next incoming log.

PIX Logging Architecture v2.00 supports log messages from the following devices:

Cisco ASA (TESTED AND CONFIRMED)
Cisco PIX v6.x (TESTED AND CONFIRMED)
Cisco PIX v7.x (TESTED AND CONFIRMED)
Cisco FWSM 2.x (TESTED AND CONFIRMED)
Cisco FWSM 3.x (TESTED AND CONFIRMED)

While various log types are preconfigured within PIX Logging Architecture v2.00, it is perfectly possibly to write your own and add them to the "syslog_message" table in the database. While Informational and Excluded logs are easier to implement, the main difficulty with defining the Traffic an IDS predefined log criteria lies in the fact that you'll need to get the Regular Expression right and then figure out the correct positions within the regular expression that you're going to pull the data out of. But if you're accustomed with using Regex a bit you shouldn't have a problem. Also, if you successfully add any new log messages, don't hesitate to drop me a line (kris@logging-architecture.net) with the details (just do a SELECT of the concerned row(s) out of the "syslog_message" table) and I'll add it to the next release of PIX Logging Architecture v2.00. For more information on writing your own parsing criteria, I'd suggest you to refer to the PIX Logging Architecture v2.00 - Installation, Configuration and Usage Guide, which can be found in the "Documentation" section on the PIX Logging Architecture v2.00 release information page.

The following sections list the log messages which are supported in the latest release of the PIX Logging Architecture v2.00 syslog_message table for Cisco PIX, FWSM and ASA logs. I try to keep the syslog_message table as up to date as possible with the feedback I get from different users and tests I carry out myself on various components. In order to keep your syslog_message table up to date, I've created a syslog_message file which is linked below containing the latest signatures:

Latest Syslog Messages File

Creation Date:

Creation Author:

Syslog Message Count:

Download Syslog Message File:

syslog_message-20070325.sql.txt

mysql -u -p < syslog_message-YYYYMMDD.sql.txt

PIX Firewall

Preconfigured PIX Traffic Log Messages

PIX-1-106100 (added on November 12, 2006)
PIX-2-106100 (added on November 12, 2006)
PIX-3-313001
PIX-3-710003
PIX-4-106023
PIX-6-106015
PIX-6-302013
PIX-6-302015
PIX-7-710002
PIX-7-710005

Preconfigured PIX IDS Log Messages

PIX-4-400008
PIX-4-400010
PIX-4-400011
PIX-4-400014
PIX-4-400015
PIX-4-400023
PIX-4-400028 (added on November 12, 2006)

Preconfigured PIX Informational Log Messages

PIX-3-403503
PIX-4-402106 (added on November 12, 2006)
PIX-4-411001
PIX-5-111001
PIX-5-111004
PIX-5-111005
PIX-5-111007
PIX-5-111008
PIX-5-199001
PIX-5-501101
PIX-5-502101
PIX-5-502103
PIX-5-611103
PIX-6-109005
PIX-6-109006
PIX-6-110001
PIX-6-199002
PIX-6-308001 (added on November 12, 2006)
PIX-6-315011
PIX-6-603108
PIX-6-603109
PIX-6-605004
PIX-6-605005
PIX-6-611101
PIX-6-611102
PIX-7-111009
PIX-7-710001

Excluded PIX Log Messages

PIX-6-302010
PIX-6-302014
PIX-6-302016
PIX-6-305011
PIX-6-305012
PIX-6-609001
PIX-6-609002

ASA Firewall

Preconfigured ASA Traffic Log Messages

ASA-1-106100 (added on November 12, 2006)
ASA-2-106100 (added on November 12, 2006)
ASA-3-313001 (added on November 12, 2006)
ASA-3-710003 (added on November 12, 2006)
ASA-4-106023 (added on November 12, 2006)
ASA-6-106015 (added on November 12, 2006)
ASA-6-302013 (added on November 12, 2006)
ASA-6-302015 (added on November 12, 2006)
ASA-7-710002 (added on November 12, 2006)
ASA-7-710005 (added on November 12, 2006)

Preconfigured ASA IPS Log Messages

ASA-4-400008 (added on November 12, 2006)
ASA-4-400010 (added on November 12, 2006)
ASA-4-400011 (added on November 12, 2006)
ASA-4-400014 (added on November 12, 2006)
ASA-4-400015 (added on November 12, 2006)
ASA-4-400023 (added on November 12, 2006)
ASA-4-400028 (added on November 12, 2006)

Preconfigured ASA Informational Log Messages

ASA-1-101001 (added on November 12, 2006)
ASA-1-101002 (added on November 12, 2006)
ASA-1-101003 (added on November 12, 2006)
ASA-1-101004 (added on November 12, 2006)
ASA-1-104001 (added on November 12, 2006)
ASA-1-104002 (added on November 12, 2006)
ASA-1-111111 (added on November 12, 2006)
ASA-3-403503 (added on November 12, 2006)
ASA-4-402106 (added on November 12, 2006)
ASA-4-411001 (added on November 12, 2006)
ASA-5-111004 (added on November 12, 2006)
ASA-5-111005 (added on November 12, 2006)
ASA-5-111007 (added on November 12, 2006)
ASA-5-111008 (added on November 12, 2006)
ASA-5-199001 (added on November 12, 2006)
ASA-5-501101 (added on November 12, 2006)
ASA-5-502101 (added on November 12, 2006)
ASA-5-502102 (added on November 12, 2006)
ASA-5-502103 (added on November 12, 2006)
ASA-5-611103 (added on November 12, 2006)
ASA-6-109005 (added on November 12, 2006)
ASA-6-109006 (added on November 12, 2006)
ASA-6-110001 (added on November 12, 2006)
ASA-6-199002 (added on November 12, 2006)
ASA-6-308001 (added on November 12, 2006)
ASA-6-315011 (added on November 12, 2006)
ASA-6-603108 (added on November 12, 2006)
ASA-6-603109 (added on November 12, 2006)
ASA-6-605004 (added on November 12, 2006)
ASA-6-605005 (added on November 12, 2006)
ASA-6-611101 (added on November 12, 2006)
ASA-6-611102 (added on November 12, 2006)
ASA-6-720002 (added on November 12, 2006)
ASA-6-720003 (added on November 12, 2006)
ASA-7-111009 (added on November 12, 2006)
ASA-7-710001 (added on November 12, 2006)

Excluded ASA Log Messages

ASA-6-302010 (added on November 12, 2006)
ASA-6-302014 (added on November 12, 2006)
ASA-6-302016 (added on November 12, 2006)
ASA-6-305011 (added on November 12, 2006)
ASA-6-305012 (added on November 12, 2006)
ASA-6-609001 (added on November 12, 2006)
ASA-6-609002 (added on November 12, 2006)

FireWall Services Module (FWSM) 2.x

Preconfigured FWSM 2.x Traffic Log Messages

FWSM-4-106023 (added on November 12, 2006)
FWSM-6-302013 (added on November 12, 2006)
FWSM-6-302015 (added on November 12, 2006)
FWSM-6-302020 (added on November 12, 2006)

Preconfigured FWSM 2.x IDS Log Messages

None Available Yet
Preconfigured FWSM 2.x Informational Log Messages

None Available Yet
Excluded FWSM 2.x Log Messages

None Available Yet

FireWall Services Module (FWSM) 3.x

Preconfigured FWSM 3.x Traffic Log Messages

FWSM-3-106100
FWSM-3-710003
FWSM-4-106100
FWSM-6-106015 (added on November 07, 2006)
FWSM-6-302013
FWSM-6-302015

Preconfigured FWSM 3.x IDS Log Messages

None Available Yet
Preconfigured FWSM 3.x Informational Log Messages

FWSM-5-111008 (added on November 07, 2006)
FWSM-6-113004 (added on November 07, 2006)
FWSM-7-111009 (added on November 07, 2006)

Excluded FWSM 3.x Log Messages

FWSM-5-304001
FWSM-6-302010 (added on November 07, 2006)
FWSM-6-302014
FWSM-6-302016
FWSM-6-305009 (added on November 07, 2006)
FWSM-6-305010 (added on November 07, 2006)

PIX Logging Architecture Banner:

Last Update: 26-Mar-2007

Thanks to Viviane and Carlos Eduardo for helping me out with the design of this site!


PIX Logging Architecture v2.00 - Preconfigured Log Messages General Information PIX Logging Architecture v2.00 Beta 1 uses a concept of preconfigured log messages in order to recognize subsequent log messages and thus knows how to treat them. The PLA Parsing Daemon (pla_parsed) is in charge of parsing the log entries as they come into the system log (syslog) file on the logging host and makes a parsing decision based on the preconfigured log message information, which is stored in the "syslog_message" table within the PLA database. PLA v2.00 Beta 1 differentiates between 4 different entries within the syslog_message table: Traffic Logs (MessageType: 1) Based on Regular Expression (regex) statements within the log message criteria, data is selectively extracted from incoming log messages and written to their corresponding fields in the PLA Database's "traffic_log" table. IDS Logs (MessageType: 2) Based on Regular Expression (regex) statements within the log message criteria, data is selectively extracted from incoming log messages and written to their corresponding fields in the PLA Database's "ids_log" table. Informational Logs (MessageType: 0 \| MessageAction: 1) Based on the Message ID (i.e. PIX-3-403503), a decision is made to include the entire informational part of the message (everything that follows the Message ID, in this case PIX-3-403503). Excluded Logs (MessageType:0 \| MessageAction: 0) Based on the Message ID (i.e. PIX-6-302010), a decision is made to exclude this log, discard it and continue to the next incoming log. PIX Logging Architecture v2.00 supports log messages from the following devices: Cisco ASA (TESTED AND CONFIRMED) Cisco PIX v6.x (TESTED AND CONFIRMED) Cisco PIX v7.x (TESTED AND CONFIRMED) Cisco FWSM 2.x (TESTED AND CONFIRMED) Cisco FWSM 3.x (TESTED AND CONFIRMED) While various log types are preconfigured within PIX Logging Architecture v2.00, it is perfectly possibly to write your own and add them to the "syslog_message" table in the database. While Informational and Excluded logs are easier to implement, the main difficulty with defining the Traffic an IDS predefined log criteria lies in the fact that you'll need to get the Regular Expression right and then figure out the correct positions within the regular expression that you're going to pull the data out of. But if you're accustomed with using Regex a bit you shouldn't have a problem. Also, if you successfully add any new log messages, don't hesitate to drop me a line (kris@logging-architecture.net) with the details (just do a SELECT of the concerned row(s) out of the "syslog_message" table) and I'll add it to the next release of PIX Logging Architecture v2.00. For more information on writing your own parsing criteria, I'd suggest you to refer to the PIX Logging Architecture v2.00 - Installation, Configuration and Usage Guide, which can be found in the "Documentation" section on the PIX Logging Architecture v2.00 release information page. The following sections list the log messages which are supported in the latest release of the PIX Logging Architecture v2.00 syslog_message table for Cisco PIX, FWSM and ASA logs. I try to keep the syslog_message table as up to date as possible with the feedback I get from different users and tests I carry out myself on various components. In order to keep your syslog_message table up to date, I've created a syslog_message file which is linked below containing the latest signatures: Latest Syslog Messages File Creation Date: March 25, 2007 (2007-03-25) Creation Author: Kris Philipsen Syslog Message Count: 137 Download Syslog Message File: syslog_message-20070325.sql.txt Please note that this file will drop your current "syslog_message" table so if you've created your own syslog messages which have not yet been included into this latest syslog messages file, make sure you back them up before executing the MySQL import. In order to perform the import you can execute the following command: "mysql -u -p < syslog_message-YYYYMMDD.sql.txt" (i.e. mysql -u root -p < syslog_message-20070325.sql.txt). PIX Firewall Preconfigured PIX Traffic Log Messages PIX-1-106100 (added on November 12, 2006) PIX-2-106100 (added on November 12, 2006) PIX-3-313001 PIX-3-710003 PIX-4-106023 PIX-6-106015 PIX-6-302013 PIX-6-302015 PIX-7-710002 PIX-7-710005 Preconfigured PIX IDS Log Messages PIX-4-400008 PIX-4-400010 PIX-4-400011 PIX-4-400014 PIX-4-400015 PIX-4-400023 PIX-4-400028 (added on November 12, 2006) Preconfigured PIX Informational Log Messages PIX-3-403503 PIX-4-402106 (added on November 12, 2006) PIX-4-411001 PIX-5-111001 PIX-5-111004 PIX-5-111005 PIX-5-111007 PIX-5-111008 PIX-5-199001 PIX-5-501101 PIX-5-502101 PIX-5-502103 PIX-5-611103 PIX-6-109005 PIX-6-109006 PIX-6-110001 PIX-6-199002 PIX-6-308001 (added on November 12, 2006) PIX-6-315011 PIX-6-603108 PIX-6-603109 PIX-6-605004 PIX-6-605005 PIX-6-611101 PIX-6-611102 PIX-7-111009 PIX-7-710001 Excluded PIX Log Messages PIX-6-302010 PIX-6-302014 PIX-6-302016 PIX-6-305011 PIX-6-305012 PIX-6-609001 PIX-6-609002 ASA Firewall Preconfigured ASA Traffic Log Messages ASA-1-106100 (added on November 12, 2006) ASA-2-106100 (added on November 12, 2006) ASA-3-313001 (added on November 12, 2006) ASA-3-710003 (added on November 12, 2006) ASA-4-106023 (added on November 12, 2006) ASA-6-106015 (added on November 12, 2006) ASA-6-302013 (added on November 12, 2006) ASA-6-302015 (added on November 12, 2006) ASA-7-710002 (added on November 12, 2006) ASA-7-710005 (added on November 12, 2006) Preconfigured ASA IPS Log Messages ASA-4-400008 (added on November 12, 2006) ASA-4-400010 (added on November 12, 2006) ASA-4-400011 (added on November 12, 2006) ASA-4-400014 (added on November 12, 2006) ASA-4-400015 (added on November 12, 2006) ASA-4-400023 (added on November 12, 2006) ASA-4-400028 (added on November 12, 2006) Preconfigured ASA Informational Log Messages ASA-1-101001 (added on November 12, 2006) ASA-1-101002 (added on November 12, 2006) ASA-1-101003 (added on November 12, 2006) ASA-1-101004 (added on November 12, 2006) ASA-1-104001 (added on November 12, 2006) ASA-1-104002 (added on November 12, 2006) ASA-1-111111 (added on November 12, 2006) ASA-3-403503 (added on November 12, 2006) ASA-4-402106 (added on November 12, 2006) ASA-4-411001 (added on November 12, 2006) ASA-5-111004 (added on November 12, 2006) ASA-5-111005 (added on November 12, 2006) ASA-5-111007 (added on November 12, 2006) ASA-5-111008 (added on November 12, 2006) ASA-5-199001 (added on November 12, 2006) ASA-5-501101 (added on November 12, 2006) ASA-5-502101 (added on November 12, 2006) ASA-5-502102 (added on November 12, 2006) ASA-5-502103 (added on November 12, 2006) ASA-5-611103 (added on November 12, 2006) ASA-6-109005 (added on November 12, 2006) ASA-6-109006 (added on November 12, 2006) ASA-6-110001 (added on November 12, 2006) ASA-6-199002 (added on November 12, 2006) ASA-6-308001 (added on November 12, 2006) ASA-6-315011 (added on November 12, 2006) ASA-6-603108 (added on November 12, 2006) ASA-6-603109 (added on November 12, 2006) ASA-6-605004 (added on November 12, 2006) ASA-6-605005 (added on November 12, 2006) ASA-6-611101 (added on November 12, 2006) ASA-6-611102 (added on November 12, 2006) ASA-6-720002 (added on November 12, 2006) ASA-6-720003 (added on November 12, 2006) ASA-7-111009 (added on November 12, 2006) ASA-7-710001 (added on November 12, 2006) Excluded ASA Log Messages ASA-6-302010 (added on November 12, 2006) ASA-6-302014 (added on November 12, 2006) ASA-6-302016 (added on November 12, 2006) ASA-6-305011 (added on November 12, 2006) ASA-6-305012 (added on November 12, 2006) ASA-6-609001 (added on November 12, 2006) ASA-6-609002 (added on November 12, 2006) FireWall Services Module (FWSM) 2.x Preconfigured FWSM 2.x Traffic Log Messages FWSM-4-106023 (added on November 12, 2006) FWSM-6-302013 (added on November 12, 2006) FWSM-6-302015 (added on November 12, 2006) FWSM-6-302020 (added on November 12, 2006) Preconfigured FWSM 2.x IDS Log Messages None Available Yet Preconfigured FWSM 2.x Informational Log Messages None Available Yet Excluded FWSM 2.x Log Messages None Available Yet FireWall Services Module (FWSM) 3.x Preconfigured FWSM 3.x Traffic Log Messages FWSM-3-106100 FWSM-3-710003 FWSM-4-106100 FWSM-6-106015 (added on November 07, 2006) FWSM-6-302013 FWSM-6-302015 Preconfigured FWSM 3.x IDS Log Messages None Available Yet Preconfigured FWSM 3.x Informational Log Messages FWSM-5-111008 (added on November 07, 2006) FWSM-6-113004 (added on November 07, 2006) FWSM-7-111009 (added on November 07, 2006) Excluded FWSM 3.x Log Messages FWSM-5-304001 FWSM-6-302010 (added on November 07, 2006) FWSM-6-302014 FWSM-6-302016 FWSM-6-305009 (added on November 07, 2006) FWSM-6-305010 (added on November 07, 2006) PIX Logging Architecture Banner: Last Update: 26-Mar-2007 Thanks to Viviane and Carlos Eduardo for helping me out with the design of this site!