Cisco Setting Up PIX Syslog



Similar documents
Configuring LocalDirector Syslog

Security Correlation Server Quick Installation Guide

Security Correlation Server Quick Installation Guide

Using Debug Commands

PIX/ASA 7.x with Syslog Configuration Example

Using Debug Commands

Using Debug Commands

Red Condor Syslog Server Configurations

Device Integration: Checkpoint Firewall-1

Cisco Secure PIX Firewall with Two Routers Configuration Example

About this Getting Started Guide. Enabling Log Management... 2 Applying a License... 4 Using Log Management How to forward logs...

Network Monitoring & Management Log Management

Configuring the Cisco Secure PIX Firewall with a Single Intern

Configuring System Message Logging

Knowledge Base Articles

Lab Configure Syslog on AP

Network Monitoring & Management Log Management

Kiwi SyslogGen. A Freeware Syslog message generator for Windows. by SolarWinds, Inc.

ASA 8.3 and Later: Enable FTP/TFTP Services Configuration Example

Syslog Monitoring Feature Pack

Lab 5.5 Configuring Logging

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

Configuring System Message Logging

Network Monitoring & Management Log Management

Configure Backup Server for Cisco Unified Communications Manager

Configuring System Message Logging

Database Replication Error in Cisco Unified Communication Manager

Configuring System Message Logging

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

TECHNICAL NOTE. Technical Note P/N REV 03. EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.

Cisco PIX Firewall Manager FAQ

PIM SOFTWARE TR50. Configuring the Syslog Feature TECHNICAL REFERENCE page 1

RSA Authentication Manager

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Active FTP vs. Passive FTP, a Definitive Explanation

Presented by Henry Ng

Syslog Server Configuration on Wireless LAN Controllers (WLCs)

Configuring Logging. Information About Logging CHAPTER

Fundamentals of UNIX Lab Networking Commands (Estimated time: 45 min.)

PIX/ASA 7.x: Enable FTP/TFTP Services Configuration Example

System Message Logging

insync Installation Guide

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

Management, Logging and Troubleshooting

Symantec Event Collector 4.3 for Cisco PIX Quick Reference

HP Operations Manager Software for Windows Integration Guide

Log Correlation Engine 4.6 Quick Start Guide. January 25, 2016 (Revision 2)

Monitoring Clearswift Gateways with SCOM

Sample Configuration Using the ip nat outside source static

How To Monitor Cisco Secure Pix Firewall Using Ipsec And Snmp Through A Pix Tunnel

GroundWork Monitor Open Source Installation Guide

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

TREK HOSC PAYLOAD ETHERNET GATEWAY (HPEG) USER GUIDE

Configuring Syslog Server on Cisco Routers with Cisco SDM

Introduction Installation firewall analyzer step by step installation Startup Syslog and SNMP setup on firewall side firewall analyzer startup

Syslog & xinetd. Stephen Pilon

NAS 272 Using Your NAS as a Syslog Server

Linux Syslog Messages in IBM Director

24x7 Scheduler Multi-platform Edition 5.2

EventSentry Overview. Part I About This Guide 1. Part II Overview 2. Part III Installation & Deployment 4. Part IV Monitoring Architecture 13

An Introduction to Syslog. Rainer Gerhards Adiscon

Integrated Cisco Products

Chapter 8 Monitoring and Logging

Introduction to Operating Systems

SAM XFile. Trial Installation Guide Linux. Snell OD is in the process of being rebranded SAM XFile

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

DS License Server. Installation and Configuration Guide. 3DEXPERIENCE R2014x

freesshd SFTP Server on Windows

Configuring Static and Dynamic NAT Simultaneously

Alert Logic Log Manager

Netflow Collection with AlienVault Alienvault 2013

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Linux FTP Server Setup

CommandCenter Secure Gateway

Table of Contents. Configuring IP Access Lists

EMC VNX Version 8.1 Configuring and Using the Audit Tool on VNX for File P/N Rev 01 August, 2013

JAMF Software Server Installation Guide for Linux. Version 8.6

USER GUIDE. Snow Inventory Client for Unix Version Release date Document date

Lab Configure Intrusion Prevention on the PIX Security Appliance

SSL Tunnels. Introduction

Configuring Apache HTTP Server as a Reverse Proxy Server for SAS 9.3 Web Applications Deployed on Oracle WebLogic Server

ms-help://ms.technet.2005mar.1033/security/tnoffline/security/smbiz/winxp/fwgrppol...

Nimsoft Monitor. sysloggtw Guide. v1.4 series

Ahsay Replication Server v5.5. Administrator s Guide. Ahsay TM Online Backup - Development Department

ilaw Server Migration Guide

Web-Based Configuration Manual System Report. Table of Contents

IBM Security QRadar SIEM Version MR1. Log Sources User Guide

DS License Server V6R2013x

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé

ontune SPA - Server Performance Monitor and Analysis Tool

Administration Guide - Documentum idataagent (DB2)

co Characterizing and Tracing Packet Floods Using Cisco R

Heroix Longitude Quick Start Guide V7.1

LogLogic Trend Micro OfficeScan Log Configuration Guide

Gigabyte Content Management System Console User s Guide. Version: 0.1

BF2CC Daemon Linux Installation Guide

OnCommand Performance Manager 1.1

Transcription:

Table of Contents Setting Up PIX Syslog...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 How Syslog Works...2 Logging Facility...2 Levels...2 Configuring the PIX to Send Syslog...3 PIX 4.0.x 4.1.X...3 PIX 4.2.X and later...4 PIX 4.3.X and later...4 How to Set Up a Syslogd Server...5 Debugging Syslog...6 Related Information...8 i

Setting Up PIX Syslog Introduction Before You Begin Conventions Prerequisites Components Used How Syslog Works Logging Facility Levels Configuring the PIX to Send Syslog PIX 4.0.x 4.1.X PIX 4.2.X and later PIX 4.3.X and later How to Set Up a Syslogd Server Debugging Syslog Related Information Introduction Messages produced by the PIX that usually go to the console can be collected by sending these messages to a device running a syslogd daemon (syslogd). Syslogd listens on UDP port 514, the syslog port. Syslogging enables you to gain information about PIX traffic and performance, analyze logs for suspicious activity, and troubleshoot problems. Syslogd can run on a number of operating system platforms. Syslogd is installed when you install UNIX, but you have to configure it. Syslogd usually is not native to Windows based systems, but syslogd software is available for Windows NT. Examples include PIX Firewall Manager (PFM), PIX Firewall Syslog Server (PFSS), Private I, or other syslog software of your choice. This document describes how syslog works, how to set up the PIX to send syslog messages to a device running syslogd, and how to set up a UNIX based syslogd server. Actual meanings of PIX syslog messages are in the PIX documentation. Before You Begin Conventions For more information on document conventions, see the Cisco Technical Tips Conventions. Prerequisites There are no specific prerequisites for this document. Components Used The information in this document is based on the software and hardware versions below.

Cisco Secure PIX Software Releases 4.0.x and later The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it. How Syslog Works All syslog messages will have a logging facility and a level. The logging facility can be thought of as where and the level can be thought of as what. Logging Facility The single syslog daemon (syslogd) can be thought of as having multiple pipes. It uses the pipes to decide where to send incoming information based on the pipe on which the information arrives. In this analogy, the logging facilities are the pipes by which the syslogd decides where to send information it receives. The eight logging facilities commonly used for syslog are local0 through local7: Levels local0 local1 local2 local3 local4 local5 local6 local7 There are also different degrees of importance attached to incoming messages. We can think of the levels as what.the PIX can be set to send messages at different levels (these are listed from highest to lowest importance): emergency alert critical error warning notification informational debug Level 0 1 2 3 4 5 6 7 Numeric Code When a PIX is set up to send syslog messages, levels of lower importance include levels of higher importance. For example, if the PIX is set for warning, then error, critical, alert, and emergency messages would also be sent in addition to warning. A debug setting would obviously include messages at all 8 levels.

Configuring the PIX to Send Syslog PIX 4.0.x 4.1.X The syslog syntax is as follows: syslog host #.#.#.# (where #.#.#.# is the syslog servers address) syslog output X.Y (where X is the logging facility and Y is the level) How does the X number translate to logging facility? We break down the X number into binary. The last 4 bits comprise the local facility: 16 = 00010000 = local0 17 = 00010001 = local1 18 = 00010010 = local2 19 = 00010011 = local3 20 = 00010100 = local4 21 = 00010101 = local5 22 = 00010110 = local6 23 = 00010111 = local7 As an example, since 22 = 00010110, and the last 4 bits=0110=decimal 6, this is local6. (A shortcut is to take the X value and subtract 16. For example, 22 16=6, or local6). The Y number is the level. As an example, if Y=2, messages sent would include those at level 2 (critical), level 1 (alert), and level 0 (emergency). The PIX levels are 0 7; these should not be confused with the logging facilities (which are local0 local7). Examples in PIX 4.0.x 4.1.X: syslog 20.7 20 equals local4 logging facility.

.7 is the level. 7 means debug to the PIX, that is, all messages will be logged. syslog 23.2 23 equals local7 logging facility.2 is the level. 2 means critical to the PIX, that is, critical, alert, and emergency messages will be logged. PIX 4.2.X and later The syntax for syslog changed in PIX Software releases 4.2.X. Instead of the syslog host #.#.#.# command, use the new logging host #.#.#.# command. In 4.2.X, the logging facility and level definitions are the same, but instead of using the syslog output X.Y command, you need to have 2 statements: logging facility X logging trap Y The level is no longer expressed as a number; it is expressed as the name of the level. As an example: old syntax: syslog output 20.7 new syntax: logging facility 20 (local4) logging trap debugging (debugging through emergency) PIX 4.3.X and later In 4.3.X and greater, you can avoid having particular syslog messages sent, and you can timestamp messages that are sent. In addition to the following commands: logging host #.#.#.# logging facility X logging trap Y you can issue these commands:

clock set 13:18:00 Apr 25 1999 logging timestamp no logging message 111005 This results in having all messages, except message 111005 (that is, "End configuration"), sent with timestamps. (Note: Because the 111005 message is a Notification level message, it would not be seen if the level on the PIX was set for Emergency, Alert, Critical, Error, or Warning.) An example of a time stamped non 111005 message follows (the first timestamp is from our UNIX server and the second is from the PIX): Apr 25 13:15:35 10.31.1.53 Apr 25 1999 13:23:00: %PIX 5 111007: Begin configuration: nobody reading from terminal In PIX Software versions 4.3.X and later, you can also do TCP syslog. PFSS supports this; most other syslog servers do not support it without reconfiguration. The command to enable PIX to do PFSS TCP logging is: logging host #.#.#.# tcp 1740 Note: Because this traffic is TCP (that is, with acknowledgments), if the PFSS goes down, traffic through the PIX will stop; for that reason, the tcp syslog command should not be implemented unless you need this kind of functionality! UDP/514 syslogging does not have this effect. How to Set Up a Syslogd Server Because syslogd was originally a UNIX concept, the features available in the syslogd products on non UNIX systems depend on the vendor implementation. Features may include: dividing incoming messages by facility or debug level, or both; resolving the names of the sending devices; reporting facilities; and so on. For information on configuring the non UNIX syslog server, refer to the vendor's documentation. Cisco does make a syslog server called the PIX Firewall Syslog Server (PFSS), which is available for PC platforms. To download the Cisco PFSS, go to the Software Center ( registered customers only) and select Download PIX Firewall Software. To configure syslog on UNIX, perform the following steps: 1. 2. As root, on SunOS, AIX, HPUX, or Solaris, make a backup of the /etc/syslog.conf file prior to modification. Modify /etc/syslog.conf to tell the UNIX system how to sort out the syslog messages coming in from the sending devices, that is, which logging_facility.level goes in which file. Make sure there is a tab between the logging_facility.level and file_name. 3. Make sure the destination file exists and is writable. 4.

The #Comment section at the beginning of syslog.conf usually explains syntax for the UNIX system. 5. Do not put file information in the ifdef section. 6. As root, restart syslogd to pick up changes. Examples If /etc/syslog.conf is set for: local7.warn /var/log/local7.warn the warning, error, critical, alert, and emergency messages coming in on the local7 logging facility will be logged in the local7.warn file. The notification, informational, and debug messages coming in on the local7 facility will not be logged anywhere. If /etc/syslog.conf is set for: local7.debug /var/log/local7.debug the debug, informational, notification, warning, error, critical, alert, and emergency messages coming in on the local7 logging facility will be logged to the local7.debug file. If /etc/syslog.conf is set for: local7.warn local7.debug /var/log/local7.warn /var/log/local7.debug the warning, error, critical, alert, and emergency messages coming in on the local7 logging facility will be logged to the local7.warn file. The debug, informational, notification, warning, error, critical, alert, and emergency messages coming in on the local7 logging facility will be logged to the local7.debug file. (In other words, some messages will go to both files!). If /etc/syslog.conf is set for: *.debug /var/log/all.debug all message levels from all logging facilities will go to this file. Debugging Syslog To start syslog in debug (SunOS, AIX, HPUX, or Solaris), you must be root: ps ef grep syslogd kill 9 <pid> syslogd d

You should see messages at the beginning as syslogd is reading syslog.conf, such as: cfline(local7.info /var/log/local7.info) cfline(local7.debug /var/log/local7.debug) X X X X X X X X X X X X X X X X X X X X X X X 6 X FILE: /var/log/local7.info X X X X X X X X X X X X X X X X X X X X X X X 7 X FILE: /var/log/local7.debug If these scroll by too quickly to see, try this command: syslogd d more If there are messages such as: cfline(local7.info /var/log/local7.junk) syslogd: /var/log/local7.junk: No such file or directory logmsg: pri 53, flags 8, from pinecone, msg syslogd: /var/log/local7.junk: No such file or there is a problem in the setup. In the above example, the file did not exist. Running in debug will also show incoming syslog messages and to which file they are going: logmsg: pri 275, flags 0, from 10.8.1.76, MSG 14: %SYS 5 CONFIG_I: Configured from console by vty0 (171.68.118.108) Logging to UNUSED Logging to FILE /var/log/local7.debug In this case, we received a message which should have gone to local7.junk and local7.debug, but because local7.junk did not exist, we also got the message: Logging to UNUSED. If syslogd d shows nothing coming in, check to be sure the PIX is sending with the PIX show syslog or show logging commands. If syslogd information is arriving on the UNIX system, but not going into the proper file, work with the UNIX system administrator or operating system vendor support to correct problems. If the cause of the problem still cannot be determined, syslog may be run in debug and the output redirected to a file as follows: sh or ksh: syslogd d<>target_file>2>&1 or csh syslogd d>&<target_file> Note: Red Hat Linux syslogd must be started with the r option to capture network output. UNIX Extension

Meaning.emerg System unusable, emergencies.alert Take immediate action, alerts.crit Critical condition, critical.err Error message, errors.warn Warning message, warnings.notice Normal but significant condition, notifications.info Informational messages, informational.debug Debug message, debugging Related Information PIX Command Reference PIX Product Support Page Requests for Comments (RFCs) Software Center PIX Firewall Software ( registered customers only) Technical Support Cisco Systems All contents are Copyright 1992 2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Updated: Jan 07, 2003 Document ID: 15248

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information