10-10-2003 07:13 PM - edited 02-20-2020 11:02 PM
Could someone point me to a config that permits a syslog server (Kiwi syslog) to get syslogs from behind the PIX. I have a 2K server with the KIWI syslog loaded behind a PIX 501.
I have the static command, access-group and access-list:
static (inside,outside) 192.104.109.92 192.168.15.200 netmask 255.255.255.255 0 0
access-group local_server in interface outside
access-list local_server permit udp any host 192.104.109.92 eq syslog
Man, I can't figure it out.
Thanks for any help
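To make the PIX logic behind those three lines concrete (a static for the inbound translation, an access-list that references the global address, and an access-group that binds the list to the outside interface), here is an added toy evaluator in Python; it is not from the thread or from Cisco, and the outside source address 203.0.113.7 and the small port-name table are constructed for the example.

```python
import re

# Constructed subset of the PIX port keywords; "syslog" is UDP 514.
PORT_NAMES = {"syslog": 514, "www": 80, "domain": 53}

# Constructed input: the three lines quoted in the question.
PIX_CONFIG = """
static (inside,outside) 192.104.109.92 192.168.15.200 netmask 255.255.255.255 0 0
access-group local_server in interface outside
access-list local_server permit udp any host 192.104.109.92 eq syslog
"""

def parse_config(text):
    """Collect statics (global ip -> translation), ACL entries by name, and access-group bindings."""
    statics, acls, groups = {}, {}, {}
    for line in text.strip().splitlines():
        if m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask", line):
            statics[m[3]] = {"inside": m[1], "outside": m[2], "local": m[4]}
        elif m := re.match(r"access-list (\S+) (permit|deny) (\w+) (any|host \S+) (any|host \S+)(?: eq (\S+))?$", line):
            port = m[6] and (int(m[6]) if m[6].isdigit() else PORT_NAMES[m[6]])
            acls.setdefault(m[1], []).append((m[2], m[3], m[4], m[5], port))
        elif m := re.match(r"access-group (\S+) in interface (\w+)", line):
            groups[m[2]] = m[1]
    return statics, acls, groups

def _addr_matches(spec, ip):
    return spec == "any" or spec == f"host {ip}"

def inbound_decision(text, proto, src_ip, dst_ip, dst_port, iface="outside"):
    """Simulate a packet arriving on iface for the global address dst_ip.
    Returns (allowed, inside_host_or_None, reason). All three pieces must line up:
    a static for dst_ip, an access-group on iface, and a matching permit entry."""
    statics, acls, groups = parse_config(text)
    nat = statics.get(dst_ip)
    if not nat or nat["outside"] != iface:
        return (False, None, f"no static translation for {dst_ip} on {iface}")
    name = groups.get(iface)
    if name is None:
        return (False, None, f"no access-group bound to {iface}")
    for action, p, src, dst, port in acls.get(name, []):
        if p == proto and _addr_matches(src, src_ip) and _addr_matches(dst, dst_ip) and port in (None, dst_port):
            allowed = action == "permit"
            return (allowed, nat["local"] if allowed else None, f"{name}: {action} {p} {src} {dst} eq {port}")
    return (False, None, f"{name}: implicit deny")
```

Running inbound_decision(PIX_CONFIG, "udp", "203.0.113.7", "192.104.109.92", 514) reports the packet as permitted and delivered to 192.168.15.200, while TCP, another port, or a config with the access-group line removed is refused.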
10-13-2003 04:29 PM
You could:
1. Do a capture for syslog port traffic directed at the syslog server.
2. terminal monitor - the denied traffic showed up clearly when I hadn't configured the firewall to pass the traffic. (note - beware of doing this on busy firewalls)
3. netstat -a on the syslog server
4. If you allow it, you should be able to portscan the server on the syslog port through your firewall.
5. Is your syslog capture file created? It doesn't get created if the service never started.
6. Does the service run in the context of system or perhaps another account that doesn't have the correct rights?
All the replies seemed to indicate an unstarted service which seemed likely. What you are describing happened to me when I had the daemon version also; I switched to the service version and the issue was resolved (once I opened the port.)
I love kiwi syslog. I use it with Snare and BacklogIIS and get alerts within 60 seconds to my mailbox when something bad happens. It always freaks my end users out when I call them with the problem resolved when they are still looking for my number to report the problem.
10-11-2003 06:04 AM
So you want devices outside of the pix to log to that server? Those commands look fine - are you sure that the kiwi syslog is actually working - is it successfully logging anything?
You did apply the access-group command *after* you wrote the access-list, right?
10-11-2003 02:04 PM
Yes, I have several firewalls that I want to send syslogs to the host behind the PIX 501. I created the access-group earlier along with some other access lists. I had some other access-lists with the same name to do some ICMP, and then I thought that I could just add access-lists with the same name since I already have the access-group command tied to the outside interface. Do I have to re-apply the group command after I add access lists with the same name (local_server)?
Thanks
10-11-2003 06:44 PM
Maybe you can try ping from outside firewall to kiwi syslog server first to make sure the network connectivity is there since you already have some ICMP access control lists applied on the same outside interface.
If it is pingable, then take a look at your Kiwi version; you may have to download the service daemon version, otherwise you have to manually start the service every time you log off and log on again.
10-12-2003 10:01 AM
Yup, access-group after any change is necessary.
10-13-2003 03:05 AM
Hi!
If you can ping the Syslog server, then you must check to see if the Syslog service is running. Have you started the Kiwi Syslog Service? From the "Manage" menu execute "Start the Syslogd Service".
Kiwi has a simple tool that can generate logs for testing the syslog server. Use it.
Regards