Re: Web site host name in PIX logs

agrigorof · ‎11-22-2001

When "Informational" messages are enabled for logging, our PIX 525 firewall (version 5.31)would log something like:

%PIX-5-304001: 10.11.1.106 Accessed URL 216.34.88.23:/action/abcnews_home_page

for http requests. Is there a way to have PIX log the web server host name (not only the IP address)?

brford · ‎11-22-2001

agriqorof,

No, the PIX doesn't look up the domain names. But would you want your firewall to do this kind of DNS resolution?

Several of the reporting tools do this. I've used PrivateI from OpenSystems to get this level of detail and gotten good results.

Liberty for All,

Brian

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.

agrigorof · ‎11-22-2001

Of course, I don't expect Pix to do reverse DNS resolution. I hoped that it would be able to extract this information from the HTTP request itself. The problem with reporting tools doing reverse DNS is that not all web servers have their IP configured for reverse DNS or they point to a generic name controlled by their ISP. This may generate confusing reports on what sites are accessed. The Configuration Guide for Pix gives a sample of URL logging syslog message where the name of the web site is recorded however, in reality that information is not there.