From OSSEC Wiki


Configuring PIX to send syslog messages

Information on how to configure the PIX to send syslog messages can be found here.


Log Samples from the Cisco PIX

The Cisco PIX logs are very well formatted and easy to parse. Every message starts with a unique event ID in the format %PIX-severity-eventID. A complete list of all event IDs can be found on the Cisco site (Cisco PIX specific).




The severities and related log samples are:


  • Alert Messages, Severity 1:


  • Critical Messages, Severity 2:

%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn


%PIX-2-106006: Deny inbound UDP from ***/54481 to ***/1026 on interface vpn

%PIX-2-106006: Deny inbound UDP from ***9/20031 to ***/20031 on interface vpn



  • Error Messages, Severity 3:

%PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2


  • Warning Messages, Severity 4:

%PIX-4-410001: Dropped UDP DNS reply from os-to-dmz:192.168.30.2 to outside:192.168.100.2/53; packet length 560 bytes exceeds configured limit of 512 bytes


  • Notification Messages, Severity 5:

%PIX-5-304001: 192.168.20.50 Accessed URL x.y.z.a:/test/xx/yy.html


  • Informational Messages, Severity 6:

%PIX-6-302016: Teardown UDP connection 1042068 for outside:192.168.20.45/53 to inside:192.168.20.208/37989 duration 0:02:10 bytes 185

%PIX-6-106015: Deny TCP (no connection) from 192.168.2.50/443 to 192.168.20/65 flags RST on interface outside


  • Debugging Messages, Severity 7:

%PIX-7-710005: UDP request discarded from 192.168.20.45/53 to outside:192.168.20.208/37989
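The header format described above (%PIX-severity-eventID followed by free text) is regular enough that a small parser can extract the severity, event ID, endpoints and interface from each sample and count denied traffic per destination port. The following is an added example written for this page; it is not OSSEC's own PIX decoder or rule set. The SAMPLES list repeats the log lines shown above (with one constructed non-PIX line to show how unrelated syslog is skipped), and the endpoint pattern, field names and the "Deny/Denied/Dropped" heuristic are this example's own assumptions rather than anything defined by Cisco or OSSEC.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Header of every PIX syslog message: %PIX-<severity>-<eventID>: <message text>
PIX_HEADER = re.compile(r"^%PIX-(?P<severity>[1-7])-(?P<event_id>\d{6}):\s*(?P<text>.*)$")

# Severity names as listed on this page (1 = alert ... 7 = debugging)
SEVERITY_NAMES = {1: "alert", 2: "critical", 3: "error", 4: "warning",
                  5: "notification", 6: "informational", 7: "debugging"}

# Endpoint fields "from|for [iface:]addr[/port] to [iface:]addr[/port]".
# Addresses in the samples may be masked with '*', so '*' is accepted too.
# (Assumed pattern for this example; not a Cisco-defined grammar.)
ENDPOINTS = re.compile(
    r"\b(?:from|for) (?:(?P<src_if>[\w-]+):)?(?P<src>[\d.*]+)(?:/(?P<sport>\d+))?"
    r" to (?:(?P<dst_if>[\w-]+):)?(?P<dst>[\d.*]+)(?:/(?P<dport>\d+))?"
)

@dataclass
class PixEvent:
    severity: int
    severity_name: str
    event_id: str
    text: str
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None

def parse_pix(line: str) -> Optional[PixEvent]:
    """Parse one syslog line; return None if it does not carry a PIX header."""
    m = PIX_HEADER.match(line.strip())
    if not m:
        return None
    sev = int(m.group("severity"))
    ev = PixEvent(sev, SEVERITY_NAMES[sev], m.group("event_id"), m.group("text"))
    e = ENDPOINTS.search(ev.text)
    if e:  # endpoints are optional: e.g. 313001 names only a source address
        ev.src, ev.dst = e.group("src"), e.group("dst")
        ev.sport = int(e.group("sport")) if e.group("sport") else None
        ev.dport = int(e.group("dport")) if e.group("dport") else None
    i = re.search(r"on interface (\S+)", ev.text)
    if i:
        ev.iface = i.group(1)
    return ev

def is_deny(ev: PixEvent) -> bool:
    """Heuristic: the PIX reports dropped packets with a leading Deny/Denied/Dropped."""
    return ev.text.split(" ", 1)[0] in ("Deny", "Denied", "Dropped")

def summarize(lines):
    """Count events per (severity, event_id) and denied packets per destination port."""
    by_id, deny_ports = Counter(), Counter()
    for line in lines:
        ev = parse_pix(line)
        if ev is None:
            continue
        by_id[(ev.severity, ev.event_id)] += 1
        if is_deny(ev) and ev.dport is not None:
            deny_ports[ev.dport] += 1
    return by_id, deny_ports

# Sample input: the log lines from this page plus one constructed non-PIX line.
SAMPLES = [
    "%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn",
    "%PIX-2-106006: Deny inbound UDP from ***/54481 to ***/1026 on interface vpn",
    "%PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2",
    "%PIX-4-410001: Dropped UDP DNS reply from os-to-dmz:192.168.30.2 to outside:192.168.100.2/53; packet length 560 bytes exceeds configured limit of 512 bytes",
    "%PIX-5-304001: 192.168.20.50 Accessed URL x.y.z.a:/test/xx/yy.html",
    "%PIX-6-302016: Teardown UDP connection 1042068 for outside:192.168.20.45/53 to inside:192.168.20.208/37989 duration 0:02:10 bytes 185",
    "%PIX-6-106015: Deny TCP (no connection) from 192.168.2.50/443 to 192.168.20/65 flags RST on interface outside",
    "%PIX-7-710005: UDP request discarded from 192.168.20.45/53 to outside:192.168.20.208/37989",
    "Mar  1 12:00:00 fw sshd[1]: Accepted publickey for admin",  # constructed, not PIX
]

if __name__ == "__main__":
    by_id, deny_ports = summarize(SAMPLES)
    for (sev, eid), n in sorted(by_id.items()):
        print(f"%PIX-{sev}-{eid} ({SEVERITY_NAMES[sev]}): {n}")
    print("denied packets by destination port:", dict(deny_ports))
```

Severity alone is a poor alerting key: the two Deny messages above sit at severity 2 and 6, so a monitor that only escalates on low severity numbers would miss 106015 entirely, while a count keyed on event ID and destination port surfaces repeated denies regardless of the level the PIX assigned.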
