[logs] Cisco PIX Logs - Rule Change
Tina Bird
tbird at precision-guesswork.com
Fri Aug 3 12:10:52 PDT 2007
> On 8/3/07, saudi sans <saudisans at gmail.com> wrote:
> > Does Cisco PIX 6.3 generate a log when a rule[ACL] is changed.
>
> Yes. The PIX records any time the configuration is changed. If you
> are doing AAA for enable access it will record the username as well.
Here are some of the specific log messages related to configuration changes,
which you might want to search for:
%PIX-5-111002: Begin configuration: IP_address writing to device
- message generated when new configuration is saved
%PIX-5-111003: IP_address Erase configuration
- configuration currently stored in memory (or remotely, or wherever)
has just been erased
%PIX-5-111004: IP_address end configuration: {FAILED|OK}
- request to save configuration either failed or was successful. If it
failed, fix the problem and try again.
%PIX-5-111005: IP_address end configuration: OK
- exit configuration mode
[Note: in all these cases, the embedded IP address will reveal whether the
configuration management was performed on the console or through a remote
connection.]
%PIX-5-111008: User <user> executed the command <string>
- records user actions that changed the PIX configuration
%PIX-7-111009:User user executed cmd:string
- records user action that did *not* change the PIX configuration (note
that the message is debug-level)
This same section of the PIX manual includes a number of other useful admin
logs, like reboots etc, that may be pertinent:
http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wpmkr1158985 or
http://tinyurl.com/3xoxlm
> > We want to track all changes in rules via monitoring PIX logs?
>
> You'll need a 3rd-party tool. Kiwi CatTools might be worth
> looking at.
Apparently, if you believe the Web documentation, Cisco's Security Manager
offers cross-platform change management capabilities:
http://www.cisco.com/en/US/products/ps6498/products_user_guide_chapter09186a00806c2751.html
or http://tinyurl.com/2xx4r5
I've never tried it, though, so can't vouch for its effectiveness.
Hope this helps -- if I spot other PIX log entries related to configuration
changes I'll post back to the list -- tbird
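As an added example (mine, not part of Tina's post or the list thread), here is a small Python detector that runs over constructed PIX 6.3 syslog lines, picks out the 1110xx messages listed above, and separates rule changes (111008 events whose command starts with access-list, access-group, conduit, outbound or apply) from read-only commands (111009) and the save/erase/exit events (111002-111005). The single-quoting of the user name and command in 111008/111009, the list of rule-related commands, and the sample log lines are all assumptions I made for the example, not something taken from the post or the Cisco docs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# PIX 6.3 message IDs named in the post, with the meaning the post gives each.
CONFIG_MSG_IDS = {
    "111002": "begin configuration (save started)",
    "111003": "erase configuration",
    "111004": "end configuration (save FAILED|OK)",
    "111005": "end configuration (left config mode)",
    "111008": "user command that changed the configuration",
    "111009": "user command that did not change the configuration",
}
# IDs that mean the running or stored config actually changed; 111005 (leaving
# config mode) and 111009 (read-only command) are kept for audit but not counted.
CHANGE_MSG_IDS = {"111002", "111003", "111004", "111008"}
# Assumption: PIX 6.3 commands that define or apply rules. Extend as needed.
RULE_COMMANDS = {"access-list", "access-group", "conduit", "outbound", "apply"}

MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
# Assumption: user and command appear with or without single quotes, e.g.
# "User 'enable_15' executed the command 'write memory'" or "User admin executed cmd:show run"
USER_CMD_RE = re.compile(
    r"User '?(?P<user>[^' ]+)'? executed (?:the command|cmd:)\s*'?(?P<cmd>.*?)'?\s*$"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class ConfigEvent:
    msg_id: str
    severity: int
    description: str
    source_ip: Optional[str]   # address embedded in 111002-111005 text, if any
    user: Optional[str]        # from 111008/111009
    command: Optional[str]     # from 111008/111009
    config_changed: bool
    raw: str


def parse_pix_line(line: str) -> Optional[ConfigEvent]:
    """Return a ConfigEvent for the config-related %PIX messages, None for anything else."""
    m = MSG_RE.search(line)
    if not m or m.group("id") not in CONFIG_MSG_IDS:
        return None
    msg_id, text = m.group("id"), m.group("text")
    user = cmd = ip = None
    if msg_id in ("111008", "111009"):
        uc = USER_CMD_RE.search(text)
        if uc:
            user, cmd = uc.group("user"), uc.group("cmd")
    else:
        # The post notes this address tells console sessions from remote ones.
        ipm = IPV4_RE.search(text)
        ip = ipm.group(0) if ipm else None
    return ConfigEvent(msg_id, int(m.group("sev")), CONFIG_MSG_IDS[msg_id],
                       ip, user, cmd, msg_id in CHANGE_MSG_IDS, line)


def is_rule_command(cmd: str) -> bool:
    """True if the command adds, removes or applies a rule ('no access-list ...' counts)."""
    words = cmd.strip().lower().split()
    if words and words[0] == "no":
        words = words[1:]
    return bool(words) and words[0] in RULE_COMMANDS


def scan_log(text: str) -> List[ConfigEvent]:
    """All config-related events in a block of syslog text, in order."""
    return [ev for ev in (parse_pix_line(line) for line in text.splitlines()) if ev]


def rule_changes(text: str) -> List[str]:
    """Commands from 111008 events that touched rules: the original question's answer."""
    return [ev.command for ev in scan_log(text)
            if ev.msg_id == "111008" and ev.command and is_rule_command(ev.command)]


# Constructed sample syslog lines (not a real capture); the relay prefix is ordinary syslog.
SAMPLE_LOG = """\
Aug  3 12:10:40 10.0.0.1 %PIX-5-111008: User 'enable_15' executed the command 'access-list outside_in permit tcp any host 192.0.2.10 eq 80'
Aug  3 12:10:41 10.0.0.1 %PIX-7-111009: User 'enable_15' executed cmd:show running-config
Aug  3 12:10:42 10.0.0.1 %PIX-5-111002: Begin configuration: 192.0.2.50 writing to memory
Aug  3 12:10:43 10.0.0.1 %PIX-5-111004: 192.0.2.50 end configuration: OK
Aug  3 12:10:44 10.0.0.1 %PIX-5-111005: 192.0.2.50 end configuration: OK
Aug  3 12:10:45 10.0.0.1 %PIX-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.5/50000 (10.1.1.5/50000)
Aug  3 12:10:46 10.0.0.1 %PIX-5-111008: User 'enable_15' executed the command 'no access-list outside_in permit tcp any host 192.0.2.10 eq 80'
"""

if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        flag = "CHANGE" if ev.config_changed else "audit "
        print(f"{flag} {ev.msg_id} {ev.description}: ip={ev.source_ip} user={ev.user} cmd={ev.command}")
    print("rule changes:", rule_changes(SAMPLE_LOG))
```

Feed it the output of your syslog collector rather than SAMPLE_LOG; the 111009 debug-level lines only show up if the PIX logs at level 7, so if you want the read-only audit trail as well, raise the logging level or send just that message ID to a separate facility.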