New Member

Can't see login or config messages in PIX syslog

We have a PIX 525 (v6.2.2). Syslog messages are directed to a syslog server using the following config:

logging on

logging timestamp

logging trap debugging

logging host inside 10.0.0.4

Show logging gives the following output:

Syslog logging: enabled

Facility: 20

Timestamp logging: enabled

Standby logging: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: disabled

Trap logging: level debugging, 26644891 messages logged

Logging to inside 10.0.0.4

History logging: disabled

Our problem is that we can't see any messages with regard to who did what, e.g. console login, executing 'config t', etc. We only get messages that show the various packets being passed through the PIX. There are no users defined on the PIX box; it is strictly console only (no telnet). Any chance you can help?

3 REPLIES
Bronze

Re: Can't see login or config messages in PIX syslog

Check the following URL to get the meaning of all syslog messages.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm

Some sample messages with meanings

%PIX-5-111001: Begin configuration: IP_addr writing to device

Explanation: This message is logged when you enter the write command to store your configuration on a device (either floppy, Flash memory, TFTP, the failover standby unit, or the console terminal). The IP_addr indicates whether the login was made at the console port or via a Telnet connection.

Action: None required.

%PIX-5-111003: IP_addr Erase configuration

Explanation: This is a PIX Firewall management message. This message is logged when you erase the contents of Flash memory by entering the write erase command at the console. The IP_addr indicates whether the login was made at the console port or via a Telnet connection.
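Added example, not part of the reply above and not Cisco code: a small filter for the syslog server side that picks the two management messages quoted in that reply out of the traffic messages and extracts the IP_addr field. The sample lines, the timestamp layout and the names `management_events`, `MGMT` and `SAMPLE` are assumptions made for this illustration.

```python
import re

# Generic PIX syslog tag: %PIX-<severity>-<message id>: <text>
PIX_TAG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")

# Templates for the two management messages quoted in the reply above.
MGMT = {
    "111001": (re.compile(r"^Begin configuration: (?P<src>\S+) writing to (?P<dest>.+)$"),
               "write to {dest}"),
    "111003": (re.compile(r"^(?P<src>\S+) Erase configuration$"), "write erase"),
}

def management_events(lines):
    """Pick configuration-management messages out of a PIX syslog stream."""
    events = []
    for line in lines:
        tag = PIX_TAG.search(line.rstrip())
        if not tag or tag["msgid"] not in MGMT:
            continue  # traffic and other messages are ignored
        pattern, action = MGMT[tag["msgid"]]
        body = pattern.match(tag["text"])
        events.append({
            "msgid": tag["msgid"],
            "severity": int(tag["sev"]),
            # None means the ID matched but the text did not fit the template
            # (truncated or reformatted line); keep it for manual review.
            "source": body["src"] if body else None,
            "action": action.format(**body.groupdict()) if body else None,
            "raw": line.rstrip(),
        })
    return events

# Constructed sample lines (not taken from the thread).
SAMPLE = [
    "Mar 03 2003 09:14:02: %PIX-6-302001: Built outbound TCP connection 1201 "
    "for faddr 192.0.2.10/80 gaddr 198.51.100.4/1025 laddr 10.0.0.20/1025",
    "Mar 03 2003 09:14:05: %PIX-5-111001: Begin configuration: 10.0.0.9 writing to memory",
    "Mar 03 2003 09:15:40: %PIX-5-111003: 10.0.0.9 Erase configuration",
    "Mar 03 2003 09:16:00: %PIX-5-111001: Begin configuration truncated",
]

if __name__ == "__main__":
    for ev in management_events(SAMPLE):
        print(ev["msgid"], ev["source"], ev["action"])
```

The extracted field is the IP_addr from the message text, so it identifies where the session came from rather than a user name.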

New Member

Re: Can't see login or config messages in PIX syslog

It sounds like you might be looking for version control? If so, there are products that will let you do that, CiscoWorks being one of them. Every time a change is made on a router, it is recorded in the CW database, and you can go back several different versions of the config (i.e. back to last month's config).

Other than those cryptic syslog messages, there is no real way to see exactly what commands were entered on the PIX...

Hope that helps....

Cisco Employee

Re: Can't see login or config messages in PIX syslog

If you want to see who did what on the PIX, then you need to add authentication at the least. See http://www.cisco.com/warp/public/110/authtopix.shtml for details. Note in 6.3 you can use the local user database, you don't have to use a TACACS/Radius server.
