PIX URL Logging with Hostname

Unanswered Question
Feb 24th, 2010

I am trying to log URLs that are being requested through my PIX FW by internal users. I can get this to work somewhat by using syslog and logging message 304001. This logs all URLs being requested through the PIX for both inside requests and outside requests but it seems to remove the actual requested hostname in the URL and replaces it with an IP address. Is there anyway to get it to stop removing the hostname? I need to show this to different managers in different departments and cannot show them a bunch of IP addresses. Or is there a better way to track the URLs being requested by inside hosts using the PIX than this method? PIX version is 7.2(3) . Here is the relevant configuration:

pager lines 24
logging enable
logging standby
logging buffered informational
logging trap informational
logging host inside x.x.x.x
logging host inside sysloghost
no logging message 313003
no logging message 313001
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302012
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020

logging message 304001

As always thanks for any help here.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Kureli Sankar Wed, 02/24/2010 - 14:02

Make sure you are running one these codes          008.002(001.010)          008.001(002.014)          008.000(005)          008.000(004.024)

syslog url host name has been resolved as part of this defect CSCsw68513 ASA syslog msgs should Display Url Hostname.

syslog  304001 will display hostname.

-KS

rfranzke Wed, 02/24/2010 - 14:24

Outstanding, Thanks for this. Looks like there is an upgrade in my future. Thanks again.

rfranzke Thu, 03/25/2010 - 13:23

OK pulled off the upgrade last night (no thanks to a stale arp entry in one of our gateways). The PIX still does not show the URL in the syslog messages. Here is what I have:

logging rate-limit 50 1 message 304001

C515-A# sh ver

Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)

Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/pix804.bin"
Config file at boot was "startup-config"

here is an example log entry:

Mar 25 12:32:40 C515-A %PIX-5-304001: 10.10.50.245 Accessed URL 157.166.224.4:/people/mhoncho/avatar/48.png

Clearly it is not doing this so either I have put the wrong software on the PIX or its still not fixed. I am assuming its the wrong version. Any other ideas?

rfranzke Thu, 03/25/2010 - 13:29

Also the bug ID shows this as being for ASA devices not the PIX. Is this for ASA devices only?

Kureli Sankar Thu, 03/25/2010 - 13:51

It is fixed in 8.0.4(24) not in 8.0.4.

You do not have the code where it is fixed.

-KS

rfranzke Thu, 03/25/2010 - 14:12

OK thanks. I will get with the TAC then. Thanks for the help.

rfranzke Thu, 03/25/2010 - 15:02

Latest I see as being available for download is the one I am running which does not contain the fix. There is an 8.0.5 for ASA but none for PIX. At least when I visit the download page. The TAC is sending me the 8.0.4(24) version over now which should fix me up.I will ask about the 8.0.5 though. Thanks for the input.

rfranzke Thu, 03/25/2010 - 16:08

TAC just confirmed that there is no 8.0.5 code for the PIX. Maybe ASA but not PIX which is what I have. Thanks again for the reply.

.

Actions

This Discussion