Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Common Syslog messages to omit

Hi,

I wanted to know what are some of the most common PIX syslog messages that folks omit from having logged (i.e. no logging message xxxxxx).

Is it common to get rid of 106011?

Let me know.

Thanks,

Chris

4 REPLIES
Cisco Employee

Re: Common Syslog messages to omit

After looking at 1000's of customers configs, hardly any of them omit any syslogs. I guess the whole idea of logging is to capture as much as you can, it may come in handy later on. As long as it's not putting a huge load on your PIX or on your network, I would recommend logging everything, safer from a legal standpoint then in case it's ever needed.

New Member

Re: Common Syslog messages to omit

That is a good point. I make a habit to look at the syslogs everyday.

If I don't omit things, the logs are well over 1MB in size....which can be ridiculous to look at everyday (i.e. over 1MB of text).

Do you, from your experience gather that sysadmins "suck it up" and just read through the logs anyways or do you find that many people don't look at them unless there is a problem, or that some other tool is used to look for suspicious things and then reports those events accordingly?

Let me know, I appreciate your time.

-Chris

New Member

Re: Common Syslog messages to omit

In my opinion, this is one of those areas where you have to seriously consider whether or not the benefit of looking at the entire syslog is worth the amount time it's going to take you to do it well. In my own case, it simply wasn't worth it. We have two PIX525's terminating about 90 VPN tunnels as well as two 515's with another 20 tunnels. The 525's alone generate about 1100 syslog messages an hour so it's just not practical to view them all. Here's my recommendation, if your network is new or if you're new to the network it's a good idea to monitor the entire syslog. After a month or so you'll be familiar enough with the logs that you'll be able to spot anything out of the ordinary very easily. You'll also have a very good idea of which logs don't mean much and can filter those out accordingly.

My two cents.

Cody Rowland

Infrastructure Engineer

New Member

Re: Common Syslog messages to omit

I appreciate you taking the time to answer.

The network isn't new...actually about 3 years old...and yes, I have already a while ago actually, blocked logging of certain messages. It's just a couple of my offices exist in Asia, and you could imagine the amount of port scanning that goes on over there...about 10 fold of what it is in the US.

It makes me feel better that someone else deals with the same issue.

Thanks,

Chris

138
Views
0
Helpful
4
Replies