Log Manager for Cisco Firewalls (Legacy)

Release Notes

Date Published: May 2009



Log Manager for Firewalls collects events from logs and stores them in secure repositories so you can archive this data, create reports for management or auditing purposes, and analyze critical events to research issues. Log Manager for Firewalls collects all syslog messages you configure the Cisco firewall device to send.

Supported Products

This release supports the following products:

  • Cisco Secure PIX Firewall versions 6.x, 7.x, and 8.x
  • Cisco FWSM versions 2.x and 3.x
  • Cisco ASA Firewall versions 7.x and 8.x

Return to Top

Why Install This Module?

Log Manager for Cisco Firewalls provides support for received data that contains Internet Protocol version 6 (IPv6) addresses when used with Security Manager 6.0 Service Pack 2. To use this feature, you do not need to install a new version of Log Manager for Cisco Firewalls, but you must install Security Manager 6.0 Service Pack 2. For more information about how Security Manager supports IPv6, see the Security Manager 6.0 Service Pack 2 documentation.

Improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

Return to Top

System Requirements

The following table lists additional requirements for a Windows agent monitoring Cisco firewalls. For more information about agent requirements, see the Installation Guide for NetIQ Security Manager.

Category Requirement
Processor 1.5 GHz Intel Pentium III or equivalent.
Memory 40 MB minimum. The amount of memory usage varies and depends on the environment, including event rate and other factors. Memory use for a Windows agent monitoring Cisco firewalls could reach 256 MB or higher.
Operating System All supported Windows agent platforms.
  • Ensure you have Security Manager 6.0 or later installed.
  • Ensure you have Security Manager Self-monitoring version 6.0 or later installed.
  • A Windows agent can monitor one or more Cisco firewalls. For more information about the number of instances one agent can support, see the NetIQ Security Manager Knowledge Base article NETIQKB51404 at www.netiq.com/support/sm/.
  • If the Cisco firewall device and the agent are separated by a firewall, ensure the firewall allows syslog data through.
  • Use a unique agent for each platform sending syslog events. For example, use separate agents to monitor NetScreen and Cisco Firewalls.
  • Install a Windows agent for Cisco Firewall support on a separate computer from the database server or central computer.

Return to Top

Installing This Module

You can install this module using the Module Installer. After you install the module, run the Configuration Wizard to configure the module. For more information about how to follow the Configuration Wizard, click the Help icon in the lower left of the wizard.

Return to Top

Configuring the Agent

To configure the Windows agent, add the name and IP address of the Cisco firewall device to the Hosts file on the Windows agent computer. For more information about the Hosts file, see the Windows documentation.

Return to Top

Configuring the Cisco Firewalls Devices

You can configure the Cisco firewall device to communicate effectively with the Windows agent computer.

To configure the Cisco firewall device to send syslog data to the Windows agent:

  1. If you configured time stamps on your firewall, ensure the time stamp uses the format Mmm DD YYYY hh:mm:ss, where Mmm is the three letter month name, DD is day of the month, YYYY is year, hh is hour in 24 hour format, mm is minutes, and ss is seconds.
    • If your Cisco syslog messages do not have a recognizable time stamp, Security Manager uses the local time of the agent for the log message time.
  2. Specify an SSH connection for the Windows agent. For more information, see the Cisco firewall documentation.
  3. If your Cisco syslog messages have a Device ID, ensure the device ID has more than three digits or fewer than three digits, but not exactly three digits.
  4. If you have Event Manager, disable paging, monitoring logging, and console logging on the firewall device to allow configuration scripts to run successfully.
  5. Configure the Cisco firewall to report only the messages with the severity you want to monitor.

Return to Top

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Device ID Cannot Have Three Characters

Due to limitations in regex parsing for this release, the Device ID can have less than three characters or more than three characters, but not exactly three characters.

Data Not Properly Generated

If you install or make configuration changes to a previous version of this module after February 22, 2008, upgrade to this release will fail without errors. For information about how to upgrade in this situation, see the NetIQ Technical Support Knowledge Base article NETIQKB70933 on the NetIQ Technical Support Site at www.netiq.com/support.

Configuration Not Preserved after Upgrade

In some environments, configuration information is not maintained after you upgrade to this release. The upgrade removes all configuration information in some cases, but only partial information in other situations. After you upgrade, run the configuration wizard and verify all information.

Incorrect Address or Interface Name

Events will not be properly interpreted if an interface name on the firewall includes a colon or space.

Previous Data Not Formatted Correctly in Forensic Report

With this release, Security Manager records data differently than in previous releases. Reports in this release do not properly display data gathered using the old structure. When you perform a forensic query, only use data gathered using this release.

Forensic Reports Do Not Run

Forensic reports run with a previous version will not return data collected with this release. To run the forensic reports on data collected with this release, back up, and then delete the forensics configuration file. By default, the forensics configuration file is C:\Program Files\NetIQ Security Manager\OnePoint\VSOC\config\forensics.xml. If you have added any custom provider analyzer names to this file, you must recreate the entries.

Incorrect Platform Name in Summary Reports

Summary reports generated with this release incorrectly specify Cisco Secure PIX instead of Cisco Firewalls.

Incorrect Computer Group Name

If you are upgrading from a previous version, the computer group is named Cisco Secure PIX instead of Cisco Firewalls.

Return to Top

Contact Information

Please contact us with your questions and comments. We look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

Return to Top

Legal Notice

Return to Top