LogAnalysis
Re: [logs] "session" messages in Cisco FWSM logs? Mar 14 2008 03:44PM
Anusuya Kompella (anusuya_k yahoo com)
Hi Andrew,
This looks like EMBLEM format. I have seen this kind of id (event class before facility ) when I enabled EMBLEM format on cisco ASA box. Should not be any different for FWSM.

Anusuya

Sent from my iPhone

On Mar 14, 2008, at 6:46 AM, "Andrew Hay" <andrewsmhay (at) gmail (dot) com [email concealed]> wrote:

Hey All,

I've been struggling to find some sort of documentation on the Cisco site (or elsewhere) that tell me why, all of a sudden, Cisco FWSM logs now have the string "session" where there was no "session" string before :)

Example:

%FWSM-session-6-305011

For as far back as I can remember the format has always been %FWSM-<facility>-<unique cisco id> (e.g. %FWSM-6-305011). Does anyone know why/when this has changed and if there is any associated documentation referencing it....anywhere?

--
Andrew Hay
blog: http://www.andrewhay.ca
email: andrewsmhay || at || gmail.com
LinkedIn Profile: http://www.linkedin.com/in/andrewhay
OSSEC Book: http://preview.tinyurl.com/2oy63f
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

________________________________________________________________________
____________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs<html><body bgcolor="#FFFFFF"><div>Hi Andrew,</div><div>    This looks like EMBLEM format. I have seen this kind of id (event class before facility ) when I enabled EMBLEM format on cisco ASA box. Should not be any different for FWSM.</div><div><br class="webkit-block-placeholder"></div><div>Anusuya<br><br>Sent from my iPhone</div><div><br>On Mar 14, 2008, at 6:46 AM, "Andrew Hay" <<a href="mailto:andrewsmhay (at) gmail (dot) com [email concealed]">andrewsmhay (at) gmail (dot) com [email concealed]</a>> wrote:<br><br></div><div></div><blockquote type="cite"><div>Hey All,<br><br>I've been struggling to find some sort of documentation on the Cisco site (or elsewhere) that tell me why, all of a sudden, Cisco FWSM logs now have the string "session" where there was no "session" string before :)<br>
<br>Example:<br><br>%FWSM-session-6-305011<br><br>For as far back as I can remember the format has always been %FWSM-<facility>-<unique cisco id> (e.g. %FWSM-6-305011). Does anyone know why/when this has changed and if there is any associated documentation referencing it....anywhere?<br clear="all">
<br>-- <br>Andrew Hay<br>blog: <a href="http://www.andrewhay.ca"><a href="http://www.andrewhay.ca">http://www.andrewhay.ca</a></a><br>email:
andrewsmhay || at || <a href="http://gmail.com">gmail.com</a><br>LinkedIn Profile: <a href="http://www.linkedin.com/in/andrewhay"><a href="http://www.linkedin.com/in/andrewhay">http://www.linkedin.com/in/a
ndrewhay</a></a><br>
OSSEC Book: <a href="http://preview.tinyurl.com/2oy63f"><a href="http://preview.tinyurl.com/2oy63f">http://preview.tinyurl.com/2oy6
3f</a></a>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</
span><br><span>LogAnalysis mailing list</span><br><span><a href="mailto:LogAnalysis (at) loganalysis (dot) org [email concealed]">LogAnalysis (at) loganalysis (dot) org [email concealed]</a
></span><br><span><a href="http://www.loganalysis.org/mailman/listinfo/loganalysis">http://ww
w.loganalysis.org/mailman/listinfo/loganalysis</a></span></div></blockqu
ote><br>
<hr size=1>Looking for last minute shopping deals? <a href="http://us.rd.yahoo.com/evt=51734/*http://tools.search.yahoo.com/ne
wsearch/category.php?category=shopping">
Find them fast with Yahoo! Search.</a></body></html>_______________________________________________

LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus