
TextPipe Pro is adept at working with massive, multi-gigabyte log files for security analysis.

TextPipe can be used to extract log information on firewall traffic, security breaches, and more. This helps network administrators to manage bandwidth, monitor web site visits, audit traffic, and ensure appropriate usage of networks by employees.

TextPipe can be used to extract data from the logs of most enterprise firewalls, including Cisco PIX, Check Point, SonicWALL, NetScreen, WatchGuard, and many more.

Example

The example below demonstrates extracting the records that contain '2549' from the trace file output of a Cisco Call Manager (an IP PBX). A single record can span multiple lines.

Sample Cisco Call Manager trace file input:

05/05/2005 11:28:38.587 CCM|ForwardManager - findCallBySsParty - Found entry for party= 16779646, callkey= 0x33 |
05/05/2005 11:28:38.587 CCM|ConnectionManager - wait_AuConnectRequest(16779645,16779646)|
10/03/2006 13:56:00.789 CCM|MGCPInterface(0) - openOutgoingAudioChannel, GSM EFR mUseOldGWBytesForGSMConversion 220096056 bytes|
10/03/2006 13:56:00.789 CCM|MGCPHandler send msg SUCCESSFULLY to: 172.25.1.7
MDCX 1081621 S0/DS1-0/9@SDA00016476E43D MGCP 0.1
C: D000000002077886000000F500005f6c
I: 10
X: 9
L: p:30, a:G.729, s:off, t:b8
M: recvonly
R: D/[0-9ABCD*#]
Q: process,loop
|
10/03/2006 13:56:00.789 CCM|MGCPHandler - PktCapService::out(Protocol_MGCP,src=172.25.33.2,port=2427,desc=17225.1.7,port=2427,0,0,msg,len=171,gateway=172.25.1.7)|

Sample extract for records containing '2549':

(blank lines inserted for clarity)

10/03/2006 18:09:23.164 CCM|Digit analysis: match(pi="1", fqcn="4336", cn="4336",plv="5", pss="Melbourne", TodFilteredPss="Melbourne", dd="2549",dac="0")|


10/03/2006 18:10:05.320 CCM|EnvProcessCdr::outputCmrData CMR data - 2,2,243101,2,"2549",34051444,1159863005,1034,31020,1140,34200,0,0,0,"{0194DB46-41A8-45C9-AFC9-C1013A627701}","","S617GJAB-Cluster","S0/DS1-0/31@SDA00016476E43C"
|


10/03/2006 18:13:09.899 CCM||PretransformCallingPartyNumber=4336
|CallingPartyNumber=4336
|DialingPartition=Melbourne
|DialingPattern=25.[0-4]X
|DialingRoutePatternRegularExpression=(25)([0-4]X)
|DialingWhere=
|PatternType=Enterprise
|PotentialMatches=NoPotentialMatchesExist
|DialingSdlProcessId=(0,0,0)
|PretransformDigitString=2549
|PretransformTagsList=ACCESS-CODE:SUBSCRIBER
|PretransformPositionalMatchList=25:49
|CollectedDigits=2549
|UnconsumedDigits=
|TagsList=ACCESS-CODE:SUBSCRIBER
|PositionalMatchList=25:49
|VoiceMailbox=
|VoiceMailCallingSearchSpace=
{
3704D885-17C8-4BC3-862B-AA7A0FA74A07}
|VoiceMailCallingSearchSpace=Melbourne
|VoiceMailPilotNumber=681
|AlertingName=
|RouteBlockFlag=RouteThisPattern
|RouteBlockCause=0
|InterceptPartition=
|InterceptPattern=
|InterceptWhere=
|InterceptSdlProcessId=(0,0,0)
|InterceptSsType=0
|InterceptSsKey=0
|OverlapSendingFlagEnabled=0
|WithTags=
|WithValues=
|CallingPartyNumberPi=NotSelected
|ConnectedPartyNumberPi=NotSelected
|CallingPartyNamePi=NotSelected
|ConnectedPartyNamePi=NotSelected
|CallManagerDeviceType=NoDeviceType
|PatternPrecedenceLevel=Routine
|CallableEndPointName=[714249BA-ED07-48DD-B445-C76ADA3D0F3D]
|PatternNodeId=[3B922766-E0FC-49B0-9CC8-2B61F2008C09]
|AARNeighborhood=[]
|AlternateMatches= Information Not Available
|TranslationPatternDetails= Information Not Available
|OffNetPattern=OnNet
|OutsideDialtone=
|DeviceOverride=|
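
The multi-line extraction shown above, as an added Python example that is not TextPipe's own filter or code from this page: each line beginning with a timestamp and `CCM|` starts a new record, and every following line belongs to that record until the next such header. The function names, the `whole_number` option and the sample lines are assumptions constructed for illustration.

```python
import re
from typing import Iterable, Iterator

# Record header as seen in the sample above: "MM/DD/YYYY HH:MM:SS.mmm CCM|"
RECORD_START = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} CCM\|")

def iter_records(lines: Iterable[str]) -> Iterator[str]:
    """Group physical lines into logical records, holding one record in memory."""
    buf = []
    for line in lines:
        if buf and RECORD_START.match(line):
            yield "".join(buf)
            buf = []
        # Continuation lines (MGCP message body, |Key=Value pairs) stay attached.
        # Lines before the first header (a file starting mid-record) form one fragment.
        buf.append(line)
    if buf:
        yield "".join(buf)

def extract(lines: Iterable[str], needle: str, whole_number: bool = False) -> Iterator[str]:
    """Yield records containing needle.

    whole_number=True (hypothetical option) rejects hits inside a longer digit
    run, e.g. '2549' inside 'len=12549', which a plain substring match returns.
    """
    body = re.escape(needle)
    pat = re.compile(rf"(?<!\d){body}(?!\d)" if whole_number else body)
    return (rec for rec in iter_records(lines) if pat.search(rec))

# Constructed sample, modelled on the trace excerpt above (not real trace data).
SAMPLE = (
    "10/03/2006 13:56:00.789 CCM|MGCPHandler send msg SUCCESSFULLY to: 172.25.1.7\n"
    "MDCX 1081621 S0/DS1-0/9@SDA00016476E43D MGCP 0.1\n"
    "M: recvonly\n"
    "|\n"
    '10/03/2006 18:09:23.164 CCM|Digit analysis: match(fqcn="4336", dd="2549")|\n'
    "10/03/2006 18:13:09.899 CCM||CallingPartyNumber=4336\n"
    "|DialingPattern=25.[0-4]X\n"
    "|CollectedDigits=2549\n"
    "|DeviceOverride=|\n"
    "10/03/2006 18:14:00.000 CCM|PktCapService::out(len=12549)|\n"
)

if __name__ == "__main__":
    for rec in extract(SAMPLE.splitlines(keepends=True), "2549", whole_number=True):
        print(rec)
```

For a real trace file, pass the open file object as `lines`; it is read line by line, so memory use is bounded by the largest single record rather than by the file size.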
