Log Questions

Status
Not open for further replies.
Mar 25, 2004
We are testing a new tool to analyze our firewall log that we get from Kiwi Syslog. We had over 100 hits from this IP address yesterday.

Address lookup
canonical name msngames.com.
aliases zone.com
zone.msn.com
sympatico.zone.msn.com

addresses 207.46.203.12


I'm wondering why this is showing up. I'm assuming someone is on here playing but need to track down who it is.

I've been going to centralops.net and doing a domain search to look up all the info. What's the next step that someone who reviews a firewall log needs to take? Sorry for all the questions, I'm new to this.

Thx
 
One way is to turn on ALL logging on the PIX to the syslogd. BEWARE! You'll be overrun very quickly with messages from the firewall. But if you have and are streaming into a DB, you can parse the messages based on any criteria you choose. But it takes a lot of work.

(FYI, this method also works to monitor internet access and can be used with a report writer like Crystal or MS SQL Reporting Services to make "pretty" reports.)

Happy Hunting.
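
The parsing described in the reply above, as an added example that is not part of the original thread: it counts, per inside host, the connections built to the remote address from the question. It assumes the PIX emits connection-built messages in the 302013/302015 layout; the log lines, inside addresses, ports and the function name `inside_hosts_for` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on PIX "Built connection" syslog messages
# (302013 TCP, 302015 UDP). Inside hosts, ports and timestamps are made up.
SAMPLE_LOG = """\
Mar 24 2004 09:14:02 pix : %PIX-6-302013: Built outbound TCP connection 4101 for outside:207.46.203.12/80 (207.46.203.12/80) to inside:192.168.1.45/3321 (192.0.2.10/3321)
Mar 24 2004 09:14:09 pix : %PIX-6-302014: Teardown TCP connection 4101 for outside:207.46.203.12/80 to inside:192.168.1.45/3321 duration 0:00:07 bytes 5120 TCP FINs
Mar 24 2004 09:15:40 pix : %PIX-6-302013: Built outbound TCP connection 4102 for outside:207.46.203.12/80 (207.46.203.12/80) to inside:192.168.1.45/3322 (192.0.2.10/3322)
Mar 24 2004 09:16:11 pix : %PIX-6-302013: Built outbound TCP connection 4103 for outside:207.46.203.12/443 (207.46.203.12/443) to inside:192.168.1.77/1050 (192.0.2.10/1050)
Mar 24 2004 09:17:30 pix : %PIX-6-302013: Built outbound TCP connection 4104 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.1.45/3323 (192.0.2.10/3323)
"""

# Assumed message layout:
#   Built <dir> <proto> connection <id> for <if>:<ip>/<port> (<mapped>)
#   to <if>:<ip>/<port> (<mapped>)
BUILT = re.compile(
    r"%PIX-6-30201[35]: Built (?:inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection \d+ for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([^)]*\) to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+)"
)


def inside_hosts_for(log_text, remote_ip, inside_if="inside"):
    """Count built connections involving remote_ip, keyed by
    (inside host, protocol, remote port)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if not m:
            continue  # teardowns, denies and other message IDs are skipped
        a = (m["if_a"], m["ip_a"], m["port_a"])
        b = (m["if_b"], m["ip_b"], m["port_b"])
        # The remote address may appear on either side of "to".
        for remote, local in ((a, b), (b, a)):
            if remote[1] == remote_ip and local[0] == inside_if:
                hits[(local[1], m["proto"], remote[2])] += 1
    return hits


if __name__ == "__main__":
    report = inside_hosts_for(SAMPLE_LOG, "207.46.203.12")
    for (host, proto, port), n in report.most_common():
        print(f"{host} -> 207.46.203.12 {proto}/{port}: {n} connections")
```

Counting only the "Built" messages keeps each session from being counted again on its teardown line.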
 