Allow syslog server behind PIX

molinek
Level 1

Could someone point me to a config that permits a syslog server (Kiwi syslog) to get syslogs from behind the PIX. I have a 2K server with the KIWI syslog loaded behind a PIX 501.

I have the static command, access-group and access-list:

static (inside,outside) 192.104.109.92 192.168.15.200 netmask 255.255.255.255 0 0

access-group local_server in interface outside

access-list local_server permit udp any host 192.104.109.92 eq syslog

Man, I can't figure it out.

Thanks for any help
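As an added example (not the thread's own code and not a Cisco tool), a small Python checker that parses the three PIX commands posted above and reports whether the static, the access-group binding and an access-list permit entry line up for UDP 514 to the inside host. It assumes PIX 6.x syntax and only models access-list entries of the form "host X eq PORT".

```python
import re

# The three lines from the question (the thread's own config, reused as sample input).
SAMPLE_CONFIG = """
static (inside,outside) 192.104.109.92 192.168.15.200 netmask 255.255.255.255 0 0
access-group local_server in interface outside
access-list local_server permit udp any host 192.104.109.92 eq syslog
"""

# PIX service keywords this checker understands (syslog is UDP 514).
SERVICE_PORTS = {"syslog": 514}

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (\S+) host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_config(text):
    """Collect statics, ACL entries (by name) and interface->ACL bindings."""
    statics, acls, groups = [], {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append({"out": m[2], "global": m[3], "local": m[4]})
        elif m := ACL_RE.match(line):  # only 'host X eq PORT' entries are modelled
            port = SERVICE_PORTS.get(m[6]) or int(m[6])
            acls.setdefault(m[1], []).append(
                {"action": m[2], "proto": m[3], "dst": m[5], "port": port})
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]
    return statics, acls, groups


def check_inbound_service(text, local_host, proto, port, outside="outside"):
    """Return the list of problems found; an empty list means the path looks open."""
    statics, acls, groups = parse_config(text)
    st = next((s for s in statics if s["local"] == local_host and s["out"] == outside), None)
    if st is None:
        return [f"no static for {local_host} on {outside}"]
    name = groups.get(outside)
    if name is None:
        return [f"no access-group bound to interface {outside}"]
    if name not in acls:
        return [f"access-group references missing ACL {name}"]
    permitted = any(e["action"] == "permit" and e["proto"] == proto
                    and e["dst"] == st["global"] and e["port"] == port
                    for e in acls[name])
    if not permitted:
        return [f"ACL {name} has no permit {proto}/{port} to {st['global']}"]
    return []
```

For the posted config the checker returns an empty list, so the firewall rules themselves are not the blocker; that points at the Kiwi service on the host, which is where the replies below go.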

Accepted Solution

patrick.cannon
Level 1

You could:

1. Do a capture for syslog port traffic directed at the syslog server.

2. terminal monitor - the deny traffic showed up clearly when I hadn't configured the firewall to pass the traffic. (note - beware doing on busy firewalls)

3. netstat -a on the syslog server

4. If you allow it, you should be able to portscan the server on the syslog port through your firewall.

5. Is your syslog capture file created? It doesn't get created if the service never started.

6. Does the service run in the context of system or perhaps another account that doesn't have the correct rights?

All the replies seemed to indicate an unstarted service, which seemed likely. What you are describing happened to me when I had the daemon version also; I switched to the service version and the issue was resolved (once I opened the port).

I love kiwi syslog. I use it with Snare and BacklogIIS and get alerts within 60 seconds to my mailbox when something bad happens. It always freaks my end users out when I call them with the problem resolved when they are still looking for my number to report the problem.


6 Replies

mostiguy
Level 6

So you want devices outside of the pix to log to that server? Those commands look fine - are you sure that the kiwi syslog is actually working - is it successfully logging anything?

You did apply the access-group command *after* you wrote the access-list, right?

Yes, I have several firewalls that I want to send syslogs to the host behind the PIX 501. I created the access-group earlier along with some other access lists. I had some other access-lists with the same name to do some ICMP, and then I thought that I could just add access-lists with the same name since I already have the access-group command tied to the outside interface. Do I have to re-apply the group command after I add access lists with the same name (local_server)?

Thanks

Maybe you can try ping from outside firewall to kiwi syslog server first to make sure the network connectivity is there since you already have some ICMP access control lists applied on the same outside interface.

If it is pingable, then take a look at your kiwi version, you may have to download the service daemon version, otherwise you have to manually start the service every time you log off and logon again.

Yup, access-group after any change is necessary.

ovieira
Level 1

Hi!

If you can ping the Syslog server, then you must check to see if the Syslog service is running. Have you started the Kiwi Syslog Service? From the "Manage" menu execute "Start the Syslogd Service".

Kiwi has a simple tool that can generate logs for testing the syslog server. Use it.

Regards

