I'm curious how "Firewall rules grouped" land in the firewall log.
Consider the log:
Sep 21 2015 05:35:12: %ASA-4-106023: Deny tcp src outside:3.1.33.7/56323 dst inside:1.1.1.1/8891 by access-group "outside_access_inside" [0x0, 0x0]
Returns the following:
**Phase 1: Completed pre-decoding.
full event: 'Sep 21 2015 05:35:12: %ASA-4-106023: Deny tcp src outside:3.1.33.7/56323 dst inside:1.1.1.1/8891 by access-group "outside_access_inside" [0x0, 0x0]'
hostname: 'lott-ossec'
program_name: '(null)'
log: 'Sep 21 2015 05:35:12: %ASA-4-106023: Deny tcp src outside:3.1.33.7/56323 dst inside:1.1.1.1/8891 by access-group "outside_access_inside" [0x0, 0x0]'
**Phase 2: Completed decoding.
decoder: 'pix'
id: '4-106023'
action: 'Deny'
proto: 'tcp'
srcip: '3.1.33.7'
srcport: '56323'
dstip: '1.1.1.1'
dstport: '8891'
**Phase 3: Completed filtering (rules).
Rule id: '4100'
Level: '0'
Description: 'Firewall rules grouped.'
How do these connections make it into the firewall.log file?
I'm trying to tune OSSEC and could use some guidance.
Thank you!
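As an added example (not from the original post and not OSSEC's own decoder code), here is a small Python parser for the ASA 106023 deny line quoted above. It pulls out the same fields the pix decoder showed (id, action, proto, srcip, srcport, dstip, dstport) plus the interfaces and access-group name, and tallies denied flows per source so repeated level-0 "grouped" events can be reviewed when tuning. The extra sample lines are constructed, and the function and field names are my own.

```python
import re
from collections import Counter

# Cisco ASA/PIX message 106023: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
# by access-group "<acl>" [0x0, 0x0]". Field names mirror the decoder output above.
ASA_106023 = re.compile(
    r"%(?:ASA|PIX)-(?P<sev>\d)-(?P<msgnum>106023): "
    r"(?P<action>\w+) (?P<proto>\w+) "
    r"src (?P<srcif>[^:\s]+):(?P<srcip>[\d.]+)/(?P<srcport>\d+) "
    r"dst (?P<dstif>[^:\s]+):(?P<dstip>[\d.]+)/(?P<dstport>\d+)"
    r'(?: by access-group "(?P<acl>[^"]+)")?'
)

# First line is the one from the post; the other two are constructed samples.
SAMPLE_LINES = [
    'Sep 21 2015 05:35:12: %ASA-4-106023: Deny tcp src outside:3.1.33.7/56323 '
    'dst inside:1.1.1.1/8891 by access-group "outside_access_inside" [0x0, 0x0]',
    'Sep 21 2015 05:35:14: %ASA-4-106023: Deny tcp src outside:3.1.33.7/56330 '
    'dst inside:1.1.1.1/8891 by access-group "outside_access_inside" [0x0, 0x0]',
    'Sep 21 2015 05:35:20: %ASA-4-106023: Deny udp src outside:198.51.100.9/40000 '
    'dst inside:1.1.1.2/161 by access-group "outside_access_inside" [0x0, 0x0]',
]

def parse_asa_106023(line):
    """Return the decoded fields as a dict, or None if the line is not a 106023 event."""
    m = ASA_106023.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Same "<severity>-<message number>" form the decoder reports as 'id'.
    fields["id"] = f"{fields.pop('sev')}-{fields.pop('msgnum')}"
    fields["srcport"] = int(fields["srcport"])
    fields["dstport"] = int(fields["dstport"])
    return fields

def deny_summary(lines):
    """Count denied flows keyed by (source ip, destination ip, destination port)."""
    counts = Counter()
    for line in lines:
        fields = parse_asa_106023(line)
        if fields and fields["action"] == "Deny":
            counts[(fields["srcip"], fields["dstip"], fields["dstport"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in deny_summary(SAMPLE_LINES).most_common():
        print(f"{n:3d}  {key[0]} -> {key[1]}:{key[2]}")
```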