PIX 7 Logging host issues

Unanswered Question
Dec 8th, 2005

We are running 7.0(2) on a pair of PIX 525. We have a syslog server and we are demoing a system that analyzes syslog messages, so we need the PIX to send syslog messages to two hosts.


We defined two hosts with the following commands, but discovered that the PIX does not send messages to the second host. If we reverse the order, it still will only send messages to the first host listed.


logging host inside 10.2.1.10

logging host inside 10.2.1.19


Is it possible to send messages to more than one syslog server?


Thanks,

Daris

spremkumar Fri, 12/09/2005 - 00:47

hi


I don't think it's possible to have two different servers configured to collect the logs...


Do refer to what the supporting doc says:


"You can specify only one syslog output command in your configuration. PIX Firewall sends all messages to the single facility you choose.


The SYSLOG server must be on the inside network.


PIX Firewall sends SYSLOG messages only to a single file on the receiving system."


http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00801162ec.html#1861



Regards


bLoehle Fri, 12/09/2005 - 02:16

Hello,


I completely disagree with the above statement:


1.) The above mentioned "one syslog output" concerns the PIX command

logging facility

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008045277d.html#wp1585230

The logging facility must be unique, because there is no coupling between the entries of logging hosts and the logging facility.


2.) Multiple logging hosts: it is possible to use multiple "logging host" commands; compare the command

logging host

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008045277d.html


We normally use 2 logging hosts for a Cisco PIX system.


3.) The logging host can be located on any interface of a Cisco PIX, even on the outside interface or the interface with the lowest security level.


In the case of the interface with security level 0, which is normally the outside interface, one gets a warning of the following form:


WARNING: interface outside security level is 0


This warning is reasonable, because such a firewall logging architecture is insecure and only appropriate for testing purposes.


Regards, Barbara
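A worked configuration for the setup discussed in this thread, added here as an example; it is not from any of the original posts. It assumes PIX 7.0(4) or later (see the last reply for why), the two inside collectors from the question (10.2.1.10 and 10.2.1.19), and a third collector at 10.2.1.20 reachable over TCP, which is an assumed host added to show the TCP variant and its failure mode:

```cisco
! Added example, not from the thread. Assumes PIX 7.0(4)+ and the collectors named below.
logging enable
logging timestamp
! One severity threshold for all syslog (trap) output; informational = level 6
logging trap informational
! The single "syslog output" value is the facility, set once for the whole box.
! It is independent of how many hosts are configured.
logging facility 20
! Several logging host commands are allowed: one line per collector, same interface here
logging host inside 10.2.1.10
logging host inside 10.2.1.19
! Assumed third collector over TCP (constructed for this example). With TCP syslog the
! PIX blocks new connections through the firewall when the collector is unreachable,
! unless logging permit-hostdown is configured.
logging host inside 10.2.1.20 tcp/1470
logging permit-hostdown
! Check: every configured host must appear in the output; if only the first one does,
! confirm the release with show version before assuming a collector problem
show logging
show version
```

Placing a collector on an interface with security level 0 produces the "interface outside security level is 0" warning shown above; treat that as a test-only layout, since syslog to an untrusted segment leaks the firewall's connection log in clear text. The UDP form (the default) never tells the PIX whether a message arrived, so a collector that never sees traffic on 7.0(2) is indistinguishable from the bug described later in the thread; compare message counters on both collectors rather than trusting the configuration alone.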


dbouthillier Fri, 12/09/2005 - 09:30

Barbara,


You're obviously correct. The information that spremkumar quoted was from the PIX 4.0 documentation. The reference under your point 2 is from the 7.0 command reference guide. I read it and it clearly states that you can configure multiple hosts. I wonder if this is a problem specific to 7.0(2).


We had it working in 5.2. Just noticed that it wasn't working in 7.


So, back to my question, why can't I get it to work? Anyone??


mikkoss Sun, 12/11/2005 - 08:35

Hi,


This is a known bug in PIX 7.0(2) which was fixed in some of the interim releases.

(BUG CSCei68587)


Upgrading to version 7.0(4) fixed this for me.

