Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

syslog message monitoring for PIX 525

I would like to know that, It is possible to capture whatever traffic across my PIX firewall. I would like to use this logg message to visualize the detail of traffic ( tcp/udp port, host address or subnet ) running in and out my network. I wish to use this logg mesages as an reference point of my future policy implementation.

3 REPLIES

Re: syslog message monitoring for PIX 525

Yes it is possible to log this info. You will use the "logging" command for this. Example "logging on" and "logging host inside x.x.x.x". You can change the logging level to meet you needs and can disable logging of specific messages if you want (eg "no logging message xxxx").

See link: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00800ec9ea.html#xtocid16

However, the amount of this data will be too hard to read without the use of software to help. Some products that will create these reports (and more) for you are PDM, Network Intelligence (NIE) and eSecurity.

Hope it helps.

Steve

New Member

Re: syslog message monitoring for PIX 525

Hey Steve,

Thanks for your feed back.

Just would like to confirm with u.

Am I right to chose the "level 7 -debugging", in order to capture all logging traffic ?

Could you help to explain the detail of the "facility" componet ?

" Eight facilities LOCAL0(16) through LOCAL7(23)"

Which facilities I have to select, ?

Am I right to chose "LOCAL7(23)"

Thanks

Re: syslog message monitoring for PIX 525

Logging debugging will give you tons of info, probably more than you need. Try it and see what you get, then whatever messages you don't want, use the no logging mess x to not log it anymore. Fine tune it the way you want.

All syslog messages will have a logging facility and a level (severity). The logging facility can be thought of as where and the level can be thought of as what. The syslog daemon (syslogd) can be thought of as having multiple pipes. It uses the pipes to decide where to send incoming information based on the pipe on which the information arrives. The logging facilities are the pipes by which the syslogd decides where to send information it receives.

To be honest though only about half of my implementations do I actually use the logg fac command, the rest I leave at the default and it always works fine. But feel free to use the command.

As include the command "logging timestamp" so you know the date/time of the event.

Also don't use the command "logging host x.x.x.x tcp x" because this traffic is TCP (that is, with acknowledgments), if the syslog server goes down, traffic through the PIX will stop; for that reason, the tcp syslog command should not be implemented unless you need this kind of functionality! UDP/514 syslogging does not have this effect.

Hope it helps.

Steve

515
Views
3
Helpful
3
Replies
CreatePlease to create content