PIX Syslog format

MagellanTX · ‎11-09-2002

Can someone explain how to decode the PRI section of the PIX Syslog packet?

I am familiar with decoding PRI's of <190> and those types, but I have never seen the ones that the PIX sends. 304001 and 106011 are the most common I see, but I don't know how to break these down into their facility and severity.

Thanks for the help!!

steve.barlow · ‎11-10-2002

If a message is listed in syslog as %PIX-1-101001, "101001" is the message identifier number (ie the message ID) and the "1" is the severity.

So in detail, the format is "%PIX-Level-Message_number: Message_text":

"PIX" identifies the message facility code for messages generated by the PIX Firewall.

"Level" reflects the severity of the condition described by the message. The lower the number, the more severe the condition. Logging is set to level 3 (error) by default.

"Message_number" is the number code that uniquely identifies the message (meesage ID).

"Message_text" is a text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers, or usernames.

Here are the PIX 6.2 syslog messages: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a00800eca3d.html

Here they are grouped by severity: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a00800eca3f.html

Hope it helps.

Steve

MagellanTX · ‎11-10-2002

That answered my question. Thanks for the help!!