Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Allow syslog server behind PIX

Could someone point me to a config that permits a syslog server (Kiwi syslog) to get syslogs from behind the PIX. I have a 2K server with the KIWI syslog loaded behind a PIX 501.

I have the static command, access-group and access-list:

static (inside,outside) 192.104.109.92 192.168.15.200 netmask 255.255.255.255 0 0

access-group local_server in interface outside

access-list local_server permit udp any host 192.104.109.92 eq syslog

Man, I can't figure it out.

Thanks for any help

  • Other Security Subjects
1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Allow syslog server behind PIX

You could:

1. Do a capture for syslog port traffic directed at the syslog server.

2. terminal monitor - the deny traffic showed up clearly when I hadn't configured the firewall to pass the traffic. (note - beware doing on busy firewalls)

3. netstat -a on the syslog server

4. If you allow it, you should be able to portscan the server on the syslog port through your firewall.

5. Is your syslog capture file created? It doesn't get created if the service never started.

6. Does the service run in the context of system or perhaps another account that doesn't have the correct rights?

All the replies seemed to indicate an unstarted service which seemed likely. What you are describing happened to me when I had the daemon version also; I switched to the service version and the issue was resolved (once I opened the port.)

I love kiwi syslog. I use it with Snare and BacklogIIS and get alerts within 60 seconds to my mailbox when something bad happens. It always freaks my end users out when I call them with the problem resolved when they are still looking for my number to report the problem.

6 REPLIES
Silver

Re: Allow syslog server behind PIX

So you want devices outside of the pix to log to that server? Those commands look fine - are you sure that the kiwi syslog is actually working - is it successfully logging anything?

You did apply the access-group command *after* you wrote the access-list, right?

New Member

Re: Allow syslog server behind PIX

Yes, I have several firewalls that I want to have them send syslogs to the host behind the PIX 501. I created the access-group earlier allong with some other access lists. I had some other access-lists with the same name to do some ICMP and then I thought that I could just add access-lists with the same name since I already have the access-group command tied to the outside interface. Do I have to re-apply the group command after I add access lists with the same name (local_server)?

Thanks

New Member

Re: Allow syslog server behind PIX

Maybe you can try ping from outside firewall to kiwi syslog server first to make sure the network connectivity is there since you already have some ICMP access control lists applied on the same outside interface.

If it is pingable, then take a look at your kiwi version, you may have to download the service daemon version, otherwise you have to manually start the service every time you log off and logon again.

Silver

Re: Allow syslog server behind PIX

Yup, access-group after any change is necessary

New Member

Re: Allow syslog server behind PIX

Hi!

If you can ping the Syslog server than you must check to see if the Syslog service is running. Have you started Kiwi Syslog Service? From the "Manage" menu execute "Start the Syslogd Service".

Kiwi has a simple tool/sw that can generate logs to for testing the syslog server. Use it.

Regards

New Member

Re: Allow syslog server behind PIX

You could:

1. Do a capture for syslog port traffic directed at the syslog server.

2. terminal monitor - the deny traffic showed up clearly when I hadn't configured the firewall to pass the traffic. (note - beware doing on busy firewalls)

3. netstat -a on the syslog server

4. If you allow it, you should be able to portscan the server on the syslog port through your firewall.

5. Is your syslog capture file created? It doesn't get created if the service never started.

6. Does the service run in the context of system or perhaps another account that doesn't have the correct rights?

All the replies seemed to indicate an unstarted service which seemed likely. What you are describing happened to me when I had the daemon version also; I switched to the service version and the issue was resolved (once I opened the port.)

I love kiwi syslog. I use it with Snare and BacklogIIS and get alerts within 60 seconds to my mailbox when something bad happens. It always freaks my end users out when I call them with the problem resolved when they are still looking for my number to report the problem.

117
Views
0
Helpful
6
Replies
This widget could not be displayed.