FAQ: Tracking URLs in Cisco PIX log format

How can I track full URLs, or HTTP domains, or resolved hostnames, when analyzing PIX log data?

Short Answer

You can't track full URLs or HTTP domains, because PIX doesn't log them; but you can turn on DNS lookup in the PIX or in Sawmill to report resolved hostnames.

Long Answer

The Cisco PIX log format can be configured to log hostnames as well as IPs; if it does, the PIX plug-in will report the hostnames. This is the preferred way to get hostname information from PIX. If that's not an option, Sawmill can be configured to look up IP addresses using the DNS Lookup section of the Config page. In this case, the IP address field value will be replaced by the resolved hostname, so this resolved hostname will appear in the IPs reports. PIX does not log URLs, however, so it is not possible for Sawmill to report domains accessed. PIX reports lines like this:

Accessed URL

This shows the source IP, which we have from another line, and the URL stem, which is slightly useful, but it does not show the domain; and resolving the IP just gives the resolved hostname, not the domain from the URL. Still, it's better than nothing; resolving the hostname might give something like server156.microsoft.com, which at least tells you it's microsoft.com traffic, even if you can't tell whether it was msdn.microsoft.com or www.microsoft.com.

PIX can also be configured to log hostnames in the Accessed URL lines, which looks something like this:

Accessed URL (server156.microsoft.com):/some/file/test.html

But this has the same problem; it shows the hostname, not the HTTP domain. It seems that the HTTP domain is not available from PIX log data.

The reasons we recommend doing DNS lookup in PIX rather than in Sawmill are twofold:

1. DNS lookup after-the-fact may give a different hostname than it would have given at the time, and the one at the time is more accurate.

2. DNS lookup in Sawmill replaces the IP address with the hostname, so the IP is not available in the reports. DNS lookup in PIX *adds* the hostname as a separate field, so both are available in the reports.
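As an added illustration (not Sawmill or PIX code), the following Python parser extracts what the "Accessed URL" lines above actually carry, handling both the IP-only form and the "(hostname):" form, and shows the second point in practice: when a lookup is needed, the resolved hostname is added as a separate field and the logged IP is kept. The exact prefix of the PIX message, the IP-only line shape, and the offline resolver table are assumptions.

```python
import re
from typing import Callable, List, NamedTuple, Optional

# Assumed line shape, following the two forms quoted in the FAQ:
#   Accessed URL 203.0.113.10:/index.html                       (IP-only form)
#   Accessed URL (server156.microsoft.com):/some/file/test.html (hostname form)
# Anything before "Accessed URL" (syslog prefix, message id) is ignored.
ACCESSED_URL_RE = re.compile(
    r"Accessed URL\s+"
    r"(?:\((?P<hostname>[^)]+)\)|(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))"
    r":(?P<stem>\S*)"
)

class AccessedUrl(NamedTuple):
    ip: Optional[str]        # destination IP as logged; never overwritten by a lookup
    hostname: Optional[str]  # hostname as logged by PIX, or resolved after the fact
    stem: str                # URL path only; the HTTP domain is not in PIX data

# Constructed reverse-DNS table so the example runs offline. A real resolver
# (e.g. socket.gethostbyaddr) would give the answer as of *now*, which is the
# FAQ's first reason to prefer hostnames logged by PIX at the time.
FAKE_DNS = {"203.0.113.10": "host156.example.net"}

def parse_accessed_url(line: str,
                       resolver: Optional[Callable[[str], Optional[str]]] = None
                       ) -> Optional[AccessedUrl]:
    """Parse one line; optionally resolve an IP-only line to a hostname."""
    m = ACCESSED_URL_RE.search(line)
    if m is None:
        return None
    ip, hostname, stem = m.group("ip"), m.group("hostname"), m.group("stem")
    if hostname is None and ip is not None and resolver is not None:
        hostname = resolver(ip)  # added alongside the IP, not in place of it
    return AccessedUrl(ip, hostname, stem)

def parse_lines(lines: List[str],
                resolver: Optional[Callable[[str], Optional[str]]] = None
                ) -> List[AccessedUrl]:
    """Parse a batch of lines, skipping lines that are not Accessed URL records."""
    records = (parse_accessed_url(ln, resolver) for ln in lines)
    return [r for r in records if r is not None]

if __name__ == "__main__":
    sample = ["Accessed URL 203.0.113.10:/index.html",          # constructed
              "Accessed URL (server156.microsoft.com):/some/file/test.html",
              "Built inbound TCP connection (unrelated line)"]   # constructed
    for rec in parse_lines(sample, FAKE_DNS.get):
        print(rec)
```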