How to log VPN connections to PIX 515E

fmt_cisco
Level 1

I've got a PIX 515E with PIX Firewall Version 6.3(3). For the moment, I've set up a group VPN.

What I'd like to do is to log every VPN connection to this PIX.

I've set up a syslogd. Trap level is set to informational. But with this level, I've got too much information! And that generates more than 30MB of data every day!

I know I need to narrow down on the messages, but I don't know what syslog IDs to use in order to know the connections (and probably disconnections as well).

Could somebody help me?

2 Replies

Danilo Dy
VIP Alumni

Hi,

I use Kiwi Syslog; I use it for both PIX/IPSec and ASA/SSL-WebVPN. You can set up the PIX to send all logs from level 0 to 6, but in Kiwi Syslog, configure it to receive only "Authentication":

File + Setup + Rules + Add Rule

Rule Name: MyVPN

File + Setup + Rules + MyVPN + Filters + Add filter

Filter Name: MyVPN-AUTH

File + Setup + Rules + MyVPN + Filters + MyVPN-AUTH

Field: Message text

Filter Type: Simple

Include: "Authentication"

File + Setup + Rules + MyVPN + Actions + Add action

Action Name: Display

Action: Display

Display number: Display 00 (Default)

File + Setup + Rules + MyVPN + Actions + Add action

Action Name: Log to file

Action: Log to file

Path and file name of logfile: your path and filename

Log file format: choose your format

In the logs, you will see the following:

User name

User group

Source IP Address

Authentication: Successful or Rejected and Session type

Good luck!

Regards,

Dandy

I've tried exactly as you suggested, but I got nothing: no log is received!

I'm using group VPN. Is that the cause?
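
The message-text filter described in the first reply can also be run offline over a saved syslog file. The following Python sketch is an added example, not part of the thread and not Kiwi Syslog's own logic; it also tallies message IDs so you can see which ones make up the daily volume. The sample lines are constructed, the function names are this example's own, and the case-insensitive substring match is an assumption about how the filter should behave.

```python
import re
from collections import Counter

# Constructed sample lines in the "%PIX-<level>-<id>: <text>" shape.
# Hosts, users, addresses and message texts are illustrative, not from the thread.
SAMPLE_LOG = """\
Mar 10 09:14:02 192.0.2.1 %PIX-6-302013: Built outbound TCP connection 1201 for outside:198.51.100.7/80 to inside:10.0.0.5/1044
Mar 10 09:14:05 192.0.2.1 %PIX-6-109005: Authentication succeeded for user 'alice' from 203.0.113.20/0 to 192.0.2.1/0 on interface outside
Mar 10 09:14:09 192.0.2.1 %PIX-6-302014: Teardown TCP connection 1201 duration 0:00:07 bytes 5120
Mar 10 09:15:40 192.0.2.1 %PIX-6-109006: Authentication failed for user 'bob' from 203.0.113.44/0 to 192.0.2.1/0 on interface outside
Mar 10 09:16:00 192.0.2.1 %PIX-6-302013: Built outbound TCP connection 1202 for outside:198.51.100.9/443 to inside:10.0.0.8/1101
Mar 10 09:16:01 192.0.2.1 last message repeated 2 times
"""

PIX_MSG = re.compile(r"%PIX-(?P<level>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)")

def parse(lines):
    """Yield (level, msg_id, text, raw_line) for lines carrying a PIX message tag."""
    for line in lines:
        m = PIX_MSG.search(line)
        if m:  # lines without a %PIX tag (e.g. syslogd notices) are skipped
            yield int(m["level"]), m["msg_id"], m["text"], line

def filter_by_text(lines, needle="Authentication"):
    """Keep raw lines whose message text contains the needle (case-insensitive)."""
    needle = needle.lower()
    return [raw for _, _, text, raw in parse(lines) if needle in text.lower()]

def ids_matching(lines, needle="Authentication"):
    """Sorted message IDs whose text contains the needle: candidates to keep."""
    needle = needle.lower()
    return sorted({mid for _, mid, text, _ in parse(lines) if needle in text.lower()})

def ids_by_volume(lines):
    """Message IDs ordered by how many lines they produce: candidates to drop."""
    return Counter(mid for _, mid, _, _ in parse(lines)).most_common()

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("IDs by volume:", ids_by_volume(lines))
    print("IDs matching 'Authentication':", ids_matching(lines))
    for raw in filter_by_text(lines):
        print(raw)
```

To use it on real data, replace `SAMPLE_LOG.splitlines()` with the lines of the file your syslogd writes.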