How to set up centralized PIX monitoring
Article created 2003-11-24 by
Article updated 2004-04-22 by
Adiscon products can also be used to analyze PIX traffic efficiently.
This article is strictly task-focused: it does not explain why the systems
should be monitored, nor does it provide any further background. Please see the
respective backgrounders or product documentation for that. The article is a
step-by-step description of what you need to do in order to centrally monitor
your PIX logs.
Centralized Event Reports
In this step-by-step guide, MonitorWare Agent / WinSyslog is configured to work together with
Adiscon’s MonitorWare Console to generate
summaries for the traffic passing to and from PIX.
What you need
This guide builds a solution with Adiscon's MonitorWare Agent / WinSyslog and
MonitorWare Console. It applies equally whether you pair MonitorWare Console
with MonitorWare Agent or with WinSyslog: the configuration only requires a
Syslog Daemon that listens for Syslog messages, both products can act as one,
and the setup procedure for the Syslog Daemon is exactly the same in both, so
the guide can be used for either case.
This combination allows you to centralize all your logs and generate reports
on them. Free 30 day trial versions are available at the respective product
sites (links below), so you can try the system without the need to buy anything.
You need to run the following products:
need administrative privileges on each of the machines. This is required both
for installation and configuration. Make sure you log on with a sufficiently
privileged user account.
Step 1 - Download Software
You need to download the following software to follow this step by
1. www.mwagent.com/en/download or
Step 2 - Install MonitorWare Agent / WinSyslog
Run the MonitorWare Agent / WinSyslog setup program on the system that is to
act as the central server. Take a note of this server's IP address or host
name; you will need this value when configuring PIX to forward messages to it.
Step 3 – Configure a Syslog Server
The steps to configure the MonitorWare Agent / WinSyslog as a
Syslog Server are
Configuring a Syslog Server
Step 4 – Create a RuleSet for Database Logging
In this section, you will create an action that writes the messages coming
from PIX to a database. Please note that these steps are exactly the same for
MonitorWare Agent and WinSyslog.
Database Logging Steps
After configuring this RuleSet, make sure that
- This rule set is associated with the Syslog Server Service that you
created in Step 3. You can do this by clicking on the Syslog Server Service
that you created in Step 3 on the left hand side and by selecting the name of
the rule set that you created in Step 4 in "Rule Set to Use" combo box on the
right hand side.
- The service is running. You can do this by clicking on the Play button at
the top of the Client.
Step 5 – Configure PIX
In this step, you configure PIX to send its messages to the Syslog Server you
created above; this is where the IP address or host name you noted in Step 2
goes. PIX sends syslog over UDP port 514 by default, so make sure any host
firewall on the server allows inbound UDP 514 from the PIX. Syslog over UDP is
neither authenticated nor encrypted, so the PIX and the server should be on a
trusted management segment.
PIX Configuration Steps
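As an added example (it is not the article's own "PIX Configuration Steps"
page and not Cisco documentation), the PIX 6.x commands that accomplish this,
assuming the syslog server sits behind the interface named "inside" at
192.0.2.10 (a made-up address):

```text
! Added example: 192.0.2.10 and the interface name "inside" are assumptions.
logging on
logging timestamp
! facility 20 (local4) is the PIX default; it determines the syslog PRI value
logging facility 20
! "informational" (level 6) is needed so that connection built/teardown
! messages such as 302013 reach the server; "warnings" would drop them and
! leave the traffic reports empty
logging trap informational
logging host inside 192.0.2.10
```

Verify with "show logging" that logging is on and that the host entry shows
the address you noted in Step 2, then save the configuration with
"write memory". If the server receives nothing, check the UDP 514 path from
the PIX to the server before revisiting the MonitorWare configuration.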
Step 6 – Preparing Web Server for MonitorWare Console
MonitorWare Console publishes its reports through
the local web server (central hub server).
To avoid confusion, we recommend creating a separate directory on the web
server for MonitorWare Console. Let us assume you use Microsoft Internet
Information Server (IIS) and run it in the default configuration. Then your
web pages are stored in the c:\inetpub\wwwroot
directory. Create a subdirectory "MonitorWareConsole" directly beneath this
Step 7 – Installing and Configuring MonitorWare Console
MWConsole- Installation and Configuration Steps (1.1)
MWConsole- Installation and Configuration Steps (2.0)
Step 8 – Generating PIX Reports with MonitorWare Console Manually
Following are the reports in MonitorWare Console that can be generated for
- Accessed Web Sites Report
- Blocked Ports Activity Report
- Possible Attacks Report
- Traffic By Hour Report
- Traffic By Port Report
- Outbound Traffic By IP
- Traffic by Target IP
- Who is Attacking Me Report
This section explains how the PIX reports can be generated manually with
MonitorWare Console. Only the generation of the "Who is Attacking Me" report is
shown; the procedure for generating any of the other reports is almost the
same.
Generating PIX Reports with Console 1.1 Manually
Generating PIX Reports with Console
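To show what the reports listed above actually compute from the raw syslog
data, here is an added Python example; it is not Adiscon's or Cisco's code and
not part of the original article. It parses a handful of constructed PIX 6.x
datagrams (message IDs 106023, 106001 and 302013 in their documented layouts)
and builds "Who is Attacking Me", "Blocked Ports Activity", "Traffic By Port"
and "Outbound Traffic By IP" style counts. The addresses, timestamps and
access-group name are made up, and the reading of which 302013 endpoint is the
initiator is an assumption stated in the code.

```python
"""Parse Cisco PIX syslog datagrams and build report-style summaries.
Added example for this article, not Adiscon's or Cisco's code; all
datagrams below are constructed and the addresses are made up."""
import re
from collections import Counter

# Constructed datagrams in the shape a PIX 6.x sends over UDP/514 with
# "logging timestamp" and the default facility 20 (local4).  The syslog
# PRI is facility*8 + severity, so <164> means facility 20, severity 4.
SAMPLE_DATAGRAMS = [
    '<164>Nov 24 2003 10:15:01: %PIX-4-106023: Deny tcp src outside:203.0.113.9/41022 '
    'dst inside:192.0.2.20/445 by access-group "outside_in"',
    '<164>Nov 24 2003 10:15:02: %PIX-4-106023: Deny tcp src outside:203.0.113.9/41023 '
    'dst inside:192.0.2.20/139 by access-group "outside_in"',
    '<162>Nov 24 2003 10:15:03: %PIX-2-106001: Inbound TCP connection denied from '
    '198.51.100.7/3322 to 192.0.2.20/445 flags SYN on interface outside',
    '<164>Nov 24 2003 10:15:04: %PIX-4-106023: Deny udp src outside:203.0.113.9/5000 '
    'dst inside:192.0.2.21/1434 by access-group "outside_in"',
    '<166>Nov 24 2003 10:15:05: %PIX-6-302013: Built outbound TCP connection 1001 for '
    'outside:93.184.216.34/80 (93.184.216.34/80) to inside:192.0.2.50/51000 (203.0.113.1/51000)',
    'not a syslog datagram at all',
]

SYSLOG_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<body>.*)$', re.DOTALL)
# The header between PRI and the message varies with "logging timestamp" and
# "logging device-id", so key on the %PIX-<severity>-<id> tag instead.
PIX_RE = re.compile(r'%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$', re.DOTALL)
# Per-message layouts as documented for PIX 6.x.
DENY_ACL_RE = re.compile(        # 106023: dropped by an access-list
    r'^Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group')
DENY_INBOUND_RE = re.compile(    # 106001: inbound TCP with no translation/rule
    r'^Inbound TCP connection denied from (?P<src>[\d.]+)/\d+ '
    r'to (?P<dst>[\d.]+)/(?P<dport>\d+)')
BUILT_RE = re.compile(           # 302013: TCP connection established
    r'^Built (?P<direction>inbound|outbound) TCP connection \d+ '
    r'for \w+:(?P<a>[\d.]+)/(?P<aport>\d+) \([\d.]+/\d+\) '
    r'to \w+:(?P<b>[\d.]+)/(?P<bport>\d+)')


def parse_datagram(raw):
    """Normalise one PIX syslog datagram to an event dict; None if it is
    not syslog or not a PIX message."""
    m = SYSLOG_RE.match(raw)
    if m is None:
        return None
    p = PIX_RE.search(m['body'])
    if p is None:
        return None
    pri = int(m['pri'])
    event = {'facility': pri // 8, 'severity': pri % 8,
             'msgid': p['msgid'], 'action': 'other'}
    text = p['text']
    if d := DENY_ACL_RE.match(text):
        event.update(action='deny', proto=d['proto'].lower(), src=d['src'],
                     dst=d['dst'], dport=int(d['dport']))
    elif d := DENY_INBOUND_RE.match(text):
        event.update(action='deny', proto='tcp', src=d['src'],
                     dst=d['dst'], dport=int(d['dport']))
    elif d := BUILT_RE.match(text):
        # Assumption about the 302013 layout: the "for" endpoint is the one on
        # the outside interface.  For an outbound connection the inside host
        # in "to" initiated it and the "for" port is the server port; for an
        # inbound connection it is the other way round.
        if d['direction'] == 'outbound':
            event.update(action='built', direction='outbound', proto='tcp',
                         src=d['b'], dst=d['a'], dport=int(d['aport']))
        else:
            event.update(action='built', direction='inbound', proto='tcp',
                         src=d['a'], dst=d['b'], dport=int(d['bport']))
    return event


def build_reports(datagrams, top=5):
    """Compute counts in the spirit of the Step 8 reports."""
    events = [e for e in map(parse_datagram, datagrams) if e is not None]
    denied = [e for e in events if e['action'] == 'deny']
    built = [e for e in events if e['action'] == 'built']
    return {
        'parsed': len(events),
        'unparsed': len(datagrams) - len(events),
        # "Who is Attacking Me": sources with the most denied attempts
        'who_is_attacking_me': Counter(e['src'] for e in denied).most_common(top),
        # "Blocked Ports Activity": destination ports being probed
        'blocked_ports': Counter((e['proto'], e['dport']) for e in denied).most_common(top),
        # "Traffic By Port": server ports of connections the PIX built
        'traffic_by_port': Counter((e['proto'], e['dport']) for e in built).most_common(top),
        # "Outbound Traffic By IP": inside hosts opening outbound connections
        'outbound_by_ip': Counter(e['src'] for e in built
                                  if e['direction'] == 'outbound').most_common(top),
    }


if __name__ == '__main__':
    for name, rows in build_reports(SAMPLE_DATAGRAMS).items():
        print(f'{name}: {rows}')
```

The parser deliberately keys on the "%PIX-<severity>-<id>" tag rather than on
the header, because the header changes with the "logging timestamp" and
"logging device-id" settings; anything without that tag is counted as unparsed
so that junk arriving on the syslog port is visible rather than silently
dropped. The 302013 layout is only recognised because "logging trap
informational" delivers level 6 messages; with a stricter trap level the
traffic reports stay empty while the deny reports still work.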
Step 9 – Scheduling the Generation of Reports with MonitorWare Console
This section explains how the reports can be generated automatically with
MonitorWare Console's Job Manager. With Job Manager, you can generate all the
reports on a pre-defined schedule and have them either stored in a location on
the hard disk or sent to specified recipients via email. The following section
explains the scheduling of the System Status Report. You can use exactly the
same method to generate any of the PIX reports that are
Scheduling Reports with Console 1.1
Scheduling Reports with Console 2.0
You are done!
Well, this is all you need to do to
configure the basic operations. We hope this article is helpful. If you have any questions or remarks,
please do not hesitate to contact us at