01-15-2007 02:40 AM - edited 03-11-2019 02:19 AM
Hi
I have a pix 515, and I'd like to log all traffic that goes through. The aim of my exercise is to see which servers are making https requests to a site with IP a.b.c.d. Currently I have the following config:
logging on
logging timestamp
logging console warnings
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside 10.11.9.19
no logging message 106015
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 302016
Currently the above config is only showing me deny statements, not showing me all requests going through. Any ideas?
Thanks for any help
Dan
01-15-2007 06:34 AM
You could create a specific permit statement and log it. That will make the logs easier to read.
access-list inside_access permit tcp object-group SERVERS host a.b.c.d eq 443 log
HTH and please rate.
01-15-2007 07:24 AM
Hi Dan,
You are not receiving the TCP built connection events in your syslog server because logging of that particular event is disabled in your config.
Syslog event ID 305011 is for sending syslog messages for the new TCP/UDP/ICMP connections that are built in the state table of the firewall.
As you have disabled this event in your configuration, you are not receiving this event.
Refer to this URL for explanation of syslog message numbers.
To enable the same, issue the following command in the global config of the firewall.
logging message 302015
Now you should receive the messages in your syslog server for the new tcp/udp/icmp connections that are getting built in your firewall.
However, you should make a note that you cannot filter the generation of any syslog event by source/dest IP.
So by enabling the above statement, you will get the TCP/UDP/ICMP connections that are getting built for all the traffic in the firewall, not just restricted to any source/destination IP addresses.
Hence you would have to examine the actual file in your syslog server, to which those syslog messages are logged, to search for any specific entry.
Hope this helps. Kindly rate the post if it does.
-VJ
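Since, as the reply above says, the firewall cannot restrict connection-built syslogs to one source/destination, the filtering has to happen on the syslog server. The script below is an added example (not from the original thread or from Cisco) that scans a syslog file for PIX/ASA 302013 "Built ... TCP connection" messages and counts the inside hosts that opened connections to a given server on port 443. It assumes the standard 302013 message layout ("for interface:addr/port (mapped) to interface:addr/port (mapped)"); the sample log lines, the hostname pix515 and the server address 203.0.113.5 (a stand-in for the thread's a.b.c.d) are constructed for the example.

```python
import re
import sys
from collections import Counter

# Regex for the PIX/ASA 302013 "Built inbound|outbound TCP connection" message.
# The syslog-server prefix (date, hostname) varies, so the match is unanchored.
# Assumption: the standard message layout, with the NAT-mapped endpoint in
# parentheses after each real endpoint.
BUILT_TCP_RE = re.compile(
    r"%(?:PIX|ASA)-\d-302013: Built (?P<dir>inbound|outbound) TCP connection "
    r"(?P<id>\d+) for (?P<if1>\w+):(?P<addr1>[\d.]+)/(?P<port1>\d+) \([\d.]+/\d+\) "
    r"to (?P<if2>\w+):(?P<addr2>[\d.]+)/(?P<port2>\d+) \([\d.]+/\d+\)"
)

# Constructed sample syslog lines (not real firewall output). 203.0.113.5 stands
# in for the a.b.c.d of the question; the last line is a 302014 teardown that
# the parser must ignore.
SAMPLE_LOG = """\
Jan 15 2007 02:40:01 pix515 %PIX-6-302013: Built outbound TCP connection 101 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.11.9.20/51234 (10.11.9.20/51234)
Jan 15 2007 02:40:02 pix515 %PIX-6-302013: Built outbound TCP connection 102 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.11.9.21/51235 (10.11.9.21/51235)
Jan 15 2007 02:40:03 pix515 %PIX-6-302013: Built outbound TCP connection 103 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.11.9.20/51236 (10.11.9.20/51236)
Jan 15 2007 02:40:04 pix515 %PIX-6-302013: Built outbound TCP connection 104 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.11.9.22/51237 (10.11.9.22/51237)
Jan 15 2007 02:40:05 pix515 %PIX-6-302013: Built outbound TCP connection 105 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.11.9.20/51238 (10.11.9.20/51238)
Jan 15 2007 02:40:06 pix515 %PIX-6-302014: Teardown TCP connection 101 for outside:203.0.113.5/443 to inside:10.11.9.20/51234 duration 0:00:05 bytes 4120 TCP FINs
"""


def find_https_clients(lines, server_ip, server_port=443):
    """Return a Counter of client IPs that built TCP connections to server_ip:server_port.

    The 'for'/'to' order in 302013 depends on connection direction, so instead
    of trusting it, both endpoints are checked and the one that is not the
    server is taken as the client.
    """
    clients = Counter()
    for line in lines:
        m = BUILT_TCP_RE.search(line)
        if not m:
            continue  # not a TCP built-connection message (e.g. a teardown)
        ends = [(m["addr1"], int(m["port1"])), (m["addr2"], int(m["port2"]))]
        for i, (addr, port) in enumerate(ends):
            if addr == server_ip and port == server_port:
                clients[ends[1 - i][0]] += 1
                break
    return clients


def report(clients):
    """Format the client counts, busiest client first."""
    return "\n".join(f"{ip}\t{n} connection(s)" for ip, n in clients.most_common())


if __name__ == "__main__":
    # Usage: python pix_https_clients.py <syslog file> <server ip>
    # With no arguments the constructed sample log is scanned.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = find_https_clients(fh, sys.argv[2])
    else:
        result = find_https_clients(SAMPLE_LOG.splitlines(), "203.0.113.5")
    print(report(result))
```

Run against the sample, the script reports 10.11.9.20 twice and 10.11.9.21 once: the port-80 connection, the connection to a different server, and the teardown message are all skipped. For UDP connections the equivalent message is 302015, which would need a second pattern.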
01-22-2007 03:01 PM
The best way I know to get those messages is to set up an ACL on the interfaces you want to log and make sure the log command is in the ACL.
Ex.
access-list Test extended permit ip any any log informational