PIX 525-How do I capture all source-destination info

vitripat Wed, 05/16/2007 - 06:10

A way would be to configure a syslog server to capture all the traffic going through the PIX. However, in your situation, I feel that you'll get a lot of logs and will have to find the traffic related to the IPs you are interested in from those huge log files. Here's how you can configure the PIX for syslogging:

You can download a syslog server from the following link, if required. The name of the tool is Kiwi Syslog Server.

http://www.kiwisyslog.com/php/download.php?syslogd_kiwitools

Install the server on any system connected to the PIX, and then reboot the server.

Now enter the following commands on your PIX:

pix(config)# logging host [interface_name] [ip_address]
pix(config)# logging trap [level]
pix(config)# logging on

[interface_name] ----> name of the interface on which the syslog server is connected (inside).
[ip_address] ----> IP address of the workstation where you installed the syslog server.
[level] ----> level of logging desired.


The different levels are as follows:

0 - Emergencies - System unusable messages.
1 - Alerts - Take immediate attention.
2 - Critical - Critical condition.
3 - Errors - Error messages (this is the default level).
4 - Warnings - Warning messages.
5 - Notifications - Normal but significant condition.
6 - Informational - Informational messages.
7 - Debugging - Debug messages, and log FTP commands and WWW URLs.

Either the level number or the level name can be used in the above command.


Here is a link which tells in detail about all the syslog messages on the PIX:

http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html

If you are using 7.x code:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/syslog/logmsgs.htm

Hope this helps.

Regards,
Vibhor.
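As an added example (not part of the original thread or of any Cisco tool), here is a small Python parser for the PIX connection-build messages (IDs 302013 for TCP and 302015 for UDP), which the PIX only emits at level 6 (informational) or above, so that the source and destination pairs for the IPs of interest can be pulled out of the large syslog files the answer mentions. The message layout is assumed from the PIX syslog message reference linked above; the sample lines, interface names, hosts and function names are constructed for illustration.

```python
import re
from collections import Counter

# Pattern for PIX/ASA connection-build messages (302013 = TCP, 302015 = UDP).
# Layout assumed from the PIX syslog message reference linked in the thread:
#   Built {inbound|outbound} {TCP|UDP} connection <id>
#     for <if>:<real_ip>/<port> (<mapped_ip>/<port>) to <if>:<real_ip>/<port> (<mapped_ip>/<port>)
BUILT_RE = re.compile(
    r"%PIX-\d-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection \d+ for (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([\d.]+/\d+\) "
    r"to (?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) \([\d.]+/\d+\)"
)

def parse_built(line):
    """Return both endpoints of a Built-connection message, or None for any other line."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "dir": m.group("dir"),
        "a": (m.group("if_a"), m.group("ip_a"), int(m.group("port_a"))),
        "b": (m.group("if_b"), m.group("ip_b"), int(m.group("port_b"))),
    }

def flows_for_host(lines, host):
    """Return (proto, direction, endpoint_a, endpoint_b) for every connection involving host."""
    flows = []
    for line in lines:
        rec = parse_built(line)
        if rec and host in (rec["a"][1], rec["b"][1]):
            flows.append((rec["proto"], rec["dir"], rec["a"], rec["b"]))
    return flows

def peer_summary(flows, host):
    """Count (peer_ip, proto, peer_port) seen with host, so the busiest peers stand out."""
    peers = Counter()
    for proto, _direction, a, b in flows:
        peer = b if a[1] == host else a
        peers[(peer[1], proto, peer[2])] += 1
    return peers

# Constructed sample lines in the 302013/302015/302014 layout (not from a real device).
SAMPLE = [
    "May 16 2007 06:10:01 pix %PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.168.1.10/49152 (198.51.100.2/1024)",
    "May 16 2007 06:10:02 pix %PIX-6-302015: Built outbound UDP connection 1002 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.168.1.10/53001 (198.51.100.2/1025)",
    "May 16 2007 06:10:03 pix %PIX-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.9/40000 (203.0.113.9/40000) to inside:192.168.1.20/22 (198.51.100.3/22)",
    "May 16 2007 06:10:04 pix %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/80 to inside:192.168.1.10/49152 duration 0:00:03 bytes 5120 TCP FINs",
]
```

Feed the lines of the Kiwi log file to flows_for_host with the IP you care about, then pass the result to peer_summary to see which peers and ports that host talked to most; teardown and other message IDs are skipped by the parser.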
