Altair Technologies Ltd.

Help Center



My log files are very large. What is the limit for FireGen?
 
The largest log set that we have analyzed was 1.5 GB. The analysis took 11 hours on a Windows 2000 Server with a single Intel P4 2.5 GHz CPU and 512 MB RAM. Officially we do not support logs larger than 100 MB. FireGen should not crash regardless of the size of the logs, but the larger the log is, the longer it will take to analyze.
A 100 MB log, with the logging level on the Pix firewall set to 6 or 7, should contain around 700,000 lines and take between 20 and 30 minutes to analyze on a computer with the specs indicated at Q20.

There are many factors that affect the performance:
- the computer performance (the more powerful the CPU, the better, as many FireGen processes are CPU intensive)
- the nature of the data in the logs (the type of Pix messages that are prevalent in your environment and the version of the Pix firmware running on your firewall)
- the location of the logs (local or on a remote server)
- the type of syslog server (some syslog formats require more processing)
- the filtering criteria that you specify and the number of protocols you want to monitor in detail
- the impact of other applications running on that computer (FireGen runs at "idle" priority, so other applications will take precedence)
- the DNS resolution duration for IP addresses that appear in the report

For example, on our test computer, an Intel P4 2.4 GHz with 1 GB RAM and a WD WD800JB-00CRA1 hard disk (80 GB ATA100, 7200 RPM, 8 MB cache) running Windows 2000 Advanced Server SP 4, we analyzed a 100 MB log in 19 minutes, of which 4 minutes were spent on DNS resolution. The format of the test log was PFSS:

<166>Jul 07 2005 00:00:00 : %PIX-6-302014: Teardown TCP connection 7980206 for dmz:10.2.174.201/3573 to inside:10.1.174.173/3828 duration 0:00:01 bytes 224 TCP FINs

The log contained approximately 700,000 log entries and the logging level on the Pix firewall was set to 6.

One way to improve the analysis performance is to select only certain severity levels (for example, only messages with a severity level higher than "Warning"). You can also exclude certain PIX message codes by adding the code to the "Exclude" field on the "On Demand" or "Schedule" tabs.
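As an added example (not FireGen's own code, and not describing how FireGen filters internally), the following Python script parses PFSS-format PIX lines like the sample above and applies the two pre-filters just described, a severity threshold and an exclude list of message codes, so you can estimate how much of a large log such settings would discard before scheduling a long run. The extra log lines are constructed for the example; the message ids they use are standard PIX codes.

```python
import re
from typing import Iterator, NamedTuple, Optional

# Shape of one PFSS line, as in the sample above:
#   <PRI>Mon DD YYYY HH:MM:SS : %PIX-<severity>-<message id>: <text>
PFSS_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) : "
    r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

class PixEntry(NamedTuple):
    timestamp: str
    facility: int   # from PRI: PRI = facility * 8 + severity, so 166 -> local4 (20)
    severity: int   # 0 = emergencies ... 4 = warnings ... 7 = debugging
    msgid: str      # six-digit PIX message id, e.g. "302014"
    text: str

def parse_pfss_line(line: str) -> Optional[PixEntry]:
    """Parse one PFSS line; return None for a line that does not match."""
    m = PFSS_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return PixEntry(m["ts"], int(m["pri"]) // 8, int(m["sev"]), m["msgid"], m["text"])

def filter_entries(lines, max_severity: int = 4, exclude=frozenset()) -> Iterator[PixEntry]:
    """Keep entries whose numeric severity is <= max_severity (4 = Warning, i.e.
    warnings and anything more severe) and whose message id is not excluded."""
    for line in lines:
        entry = parse_pfss_line(line)
        if entry is not None and entry.severity <= max_severity and entry.msgid not in exclude:
            yield entry

# Constructed sample: the page's own line plus three made-up lines in the same format,
# followed by a non-PIX line to show that unparsable input is skipped rather than fatal.
SAMPLE_LOG = [
    "<166>Jul 07 2005 00:00:00 : %PIX-6-302014: Teardown TCP connection 7980206 for dmz:10.2.174.201/3573 to inside:10.1.174.173/3828 duration 0:00:01 bytes 224 TCP FINs",
    "<164>Jul 07 2005 00:00:01 : %PIX-4-106023: Deny tcp src outside:192.0.2.10/4455 dst inside:10.1.174.173/445 by access-group \"outside_in\"",
    "<166>Jul 07 2005 00:00:02 : %PIX-6-302013: Built inbound TCP connection 7980207 for outside:192.0.2.11/1025 (192.0.2.11/1025) to inside:10.1.174.173/80 (10.1.174.173/80)",
    "<163>Jul 07 2005 00:00:03 : %PIX-3-305006: portmap translation creation failed for udp src inside:10.1.174.173/137 dst outside:192.0.2.12/137",
    "this line is not a PIX message and is skipped",
]

def keep_counts(lines, max_severity: int = 4, exclude=frozenset()) -> dict:
    """Return how many input lines the filter keeps vs drops (a quick sizing check)."""
    kept = sum(1 for _ in filter_entries(lines, max_severity, exclude))
    return {"kept": kept, "dropped": len(lines) - kept}

if __name__ == "__main__":
    print(keep_counts(SAMPLE_LOG))                        # severity <= Warning only
    print(keep_counts(SAMPLE_LOG, 7, {"302014", "302013"}))  # everything except connection build/teardown
```

Running the same filter over a real 100 MB log before scheduling a report tells you how much of the 700,000-line volume is level 6 connection noise that an "Exclude" entry or a severity limit would remove.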

Having reverse name resolution enabled can also significantly lengthen the analysis.

For existing users we can provide a FireGen prototype designed to work with large log files. Please email us (support@firegen.com) for more details.