Can't see login or config messages in PIX syslog

zabbas
Level 1

We have a pix 525 (v6.2.2). Syslog messages are directed to a syslog server using the following config:

logging on

logging timestamp

logging trap debugging

logging host inside 10.0.0.4

Show logging gives the following output:

Syslog logging: enabled

Facility: 20

Timestamp logging: enabled

Standby logging: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: disabled

Trap logging: level debugging, 26644891 messages logged

Logging to inside 10.0.0.4

History logging: disabled

Our problem is that we can't see any messages with regards to who did what... e.g. console login, executing 'config t' etc. We only get messages that show the various packets being passed through the pix. There are no users defined on the pix box, it is strictly console only (no telnet). Any chance you can help!

3 Replies

hadbou
Level 5

Check the following URL to get the meaning of all syslog messages.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm

Some sample messages with meanings

%PIX-5-111001: Begin configuration: IP_addr writing to device

Explanation This message is logged when you enter the write command to store your configuration on a device (either floppy, Flash memory, TFTP, the failover standby unit, or the console terminal). The IP_addr indicates whether the login was made at the console port or via a Telnet connection.

Action None required.

%PIX-5-111003: IP_addr Erase configuration

Explanation This is a PIX Firewall management message. This message is logged when you erase the contents of Flash memory by entering the write erase command at the console. The IP_addr indicates whether the login was made at the console port or via a Telnet connection.
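An added example, not part of the original thread: a small Python filter that pulls the two management messages quoted in the reply above (111001 and 111003) out of a syslog stream dominated by traffic messages, and checks whether a given `logging trap` level would forward them at all. The sample log lines are constructed, and the function names are hypothetical.

```python
import re

# Cisco severity keywords accepted by "logging trap <level>", numbered 0-7.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# The two management message IDs quoted in the reply above.
MGMT_IDS = {"111001": "configuration written",
            "111003": "configuration erased"}

# %PIX-<severity>-<6-digit message id>: <text>
PIX_MSG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)")

def forwarded(msg_severity, trap_level):
    """True if a message of this severity is sent at the given trap level."""
    return msg_severity <= SEVERITY.index(trap_level)

def management_events(lines, trap_level="debugging"):
    """Return (id, meaning, text) for management messages the trap level passes."""
    events = []
    for line in lines:
        m = PIX_MSG.search(line)
        if not m:
            continue  # not a PIX-formatted message
        if m["id"] in MGMT_IDS and forwarded(int(m["sev"]), trap_level):
            events.append((m["id"], MGMT_IDS[m["id"]], m["text"]))
    return events

# Constructed sample lines: two traffic messages (text abbreviated) and
# the two management messages in the format quoted in the reply.
SAMPLE = [
    "Mar 01 2003 10:15:02: %PIX-6-302013: Built outbound TCP connection (constructed)",
    "Mar 01 2003 10:15:40: %PIX-5-111001: Begin configuration: console writing to memory",
    "Mar 01 2003 10:16:05: %PIX-6-302014: Teardown TCP connection (constructed)",
    "Mar 01 2003 10:17:11: %PIX-5-111003: console Erase configuration",
]

if __name__ == "__main__":
    for event in management_events(SAMPLE):
        print(event)
```

Both messages are severity 5, so the `logging trap debugging` setting in the question already forwards them; a trap level of `warnings` or stricter would drop them.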

robhorniachek
Level 1

It sounds like you might be looking for version control? If so, there are products that will let you do that, CiscoWorks being one of them. Every time a change is made on a router, it is recorded in the CW database, and you can go back several different versions of the config (i.e., back to last month's config).

Other than those cryptic syslog messages, there is no real way to see exactly what commands were entered on the PIX...

Hope that helps....

If you want to see who did what on the PIX, then you need to add authentication at the least. See http://www.cisco.com/warp/public/110/authtopix.shtml for details. Note in 6.3 you can use the local user database, you don't have to use a TACACS/Radius server.
