[logs] Cisco PIX Logs - Rule Change

Daniel Cid danielcid at yahoo.com.br
Fri Aug 3 12:44:48 PDT 2007


Hi Paul (and Saudi),

I don't know if it always applies, but every time I
change/add an ACL I get the following log:


%PIX-5-111008: User 'xxx' executed the 'access-list .. permit tcp .. host a.b.c.d eq yy' command.


If you correlate this data with the other IDs that
Tina mentioned, you can keep track of access list
modifications.


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net



--- Paul Melson <pmelson at gmail.com> wrote:

> On 8/3/07, saudi sans <saudisans at gmail.com> wrote:
> > Does Cisco PIX 6.3 generate a log when a rule[ACL] is changed.
> 
> Yes.  The PIX records any time the configuration is changed.  If you
> are doing AAA for enable access it will record the username as well.
> 
> > If yes does it contain which ACL was changed etc.
> 
> Nope, sorry.
> 
> 
> > We want to track all changes in rules via monitoring PIX logs?
> 
> You'll need a 3rd-party tool.  Kiwi CatTools might be worth looking at.
> 
> PaulM
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
> 
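
Added example, not part of the original thread: a small Python filter that picks access-list changes out of PIX syslog by matching the 111008 message quoted in the reply above. The sample log lines, user names, ACL names and addresses are constructed, and treating only "access-list" and "no access-list" commands as ACL edits is an assumption of this sketch.

```python
import re

# Syslog 111008 in the shape quoted in the post:
#   %PIX-5-111008: User '<user>' executed the '<command>' command.
MSG_111008 = re.compile(
    r"%PIX-5-111008: User '(?P<user>[^']*)' executed the '(?P<command>.*)' command\.\s*$"
)
# Assumption: "access-list <name> ..." adds an entry, "no access-list <name> ..." removes one.
ACL_COMMAND = re.compile(r"^(?P<no>no\s+)?access-list\s+(?P<acl>\S+)")

def acl_changes(lines):
    """Return one record per 111008 message whose command edits an access list."""
    events = []
    for line in lines:
        msg = MSG_111008.search(line)
        if msg is None:
            continue  # some other syslog message
        command = msg.group("command").strip()
        acl = ACL_COMMAND.match(command)
        if acl is None:
            continue  # a command was executed, but it is not an ACL edit
        events.append({
            "user": msg.group("user"),
            "action": "remove" if acl.group("no") else "add",
            "acl": acl.group("acl"),
            "command": command,
        })
    return events

# Constructed sample input: documentation addresses, made-up users and ACL names.
SAMPLE_LINES = [
    "Aug 03 2007 12:01:10: %PIX-5-111008: User 'admin1' executed the "
    "'access-list outside_in permit tcp any host 192.0.2.10 eq 443' command.",
    "Aug 03 2007 12:01:15: %PIX-5-111008: User 'admin1' executed the 'write memory' command.",
    "Aug 03 2007 12:02:00: %PIX-6-302013: Built outbound TCP connection 1 for "
    "outside:192.0.2.1/80 (192.0.2.1/80) to inside:10.0.0.5/1025 (10.0.0.5/1025)",
    "Aug 03 2007 12:05:42: %PIX-5-111008: User 'enable_15' executed the "
    "'no access-list dmz_in deny ip any any' command.",
]

if __name__ == "__main__":
    for event in acl_changes(SAMPLE_LINES):
        print(f"{event['user']}: {event['action']} on ACL {event['acl']}: {event['command']}")
```
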


