Re: [fw-wiz] pix and syslog

From: Florin Andrei (florin_at_sgi.com)
Date: 05/30/03

  • Next message: James Baumgardner: "RE: [fw-wiz] Home Environment Cisco"
    To: firewall-wizards@honor.icsalabs.com
    Date: 30 May 2003 14:17:08 -0700
    

    On Fri, 2003-05-30 at 10:22, Luca Berra wrote:
    > Hello,
    > I have a pix version 6.3.1 configured to log via syslog on an HP-UX server.
    > I would like to log packets permitted by a particular rule of an
    > access-list to see if I can tighten it. So I have
    >
    > access-list sarca permit tcp any host 4.5.6.7 log 4 interval 600
    >
    > In the buffer log I see something like
    > 106100: access-list sarca permitted tcp sarca/1.2.3.4(3796) ->
    > inside/4.5.6.7(80) hit-cnt 1 (first hit)
    >
    > On the syslog server I see:
    >
    > ..: %PIX-4-106100: access-list usi permitted tcp sarca/1.2.3.4(3796) ->
    >
    > Is there any known issue on newlines and syslog?

    While I cannot say for sure that there is indeed an issue with the HP-UX
    version of syslog, this strikes me as a "deja-vu" type of thing. I've
    seen quite a few small oddities like that while playing with various
    syslog implementations.
    Try and use a different syslog, maybe on a different OS, just
    temporarily, just for tests.

    It's been a while since I started to do some heavy syslogging with
    msyslog-1.08e on Linux Red Hat 7.2, with a SQL backend, and so far there
    were no issues, neither small nor big.

    http://sourceforge.net/projects/msyslog/

    -- 
    Florin Andrei
    "Good people do not need laws to tell them to act responsibly,
    while bad people will find a way around the laws." - Plato
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
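
Added example (not part of the original messages and not code from either poster): one way to run the temporary test suggested in the reply is to look at the raw UDP datagram before any syslog daemon handles it. The sketch classifies a 106100 record as complete, split by an embedded control character, or truncated; the function names, port 5514 and the sample datagrams (including the `<164>` priority prefix) are assumptions constructed from the log lines quoted above.

```python
import re
import socket

# Layout of message 106100 as it appears in the buffer log quoted in the thread.
FULL_106100 = re.compile(
    r"106100: access-list (?P<acl>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\)\s*->\s*"
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\)\s+"
    r"hit-cnt (?P<hits>\d+)")

def inspect_datagram(payload: bytes) -> dict:
    """Classify one raw syslog datagram: is the 106100 record whole on the wire?"""
    body = payload.decode("ascii", errors="replace").rstrip("\r\n")
    # Control characters inside the body (a trailing newline is ignored) are
    # where a line-oriented receiver could cut the record short.
    ctrl = [(i, ord(c)) for i, c in enumerate(body) if ord(c) < 32]
    flat = re.sub(r"[\x00-\x1f]+", " ", body)
    match = FULL_106100.search(flat)
    if "106100" not in flat:
        status = "not-106100"
    elif match is None:
        status = "truncated"              # the tail never reached the receiver
    elif ctrl:
        status = "embedded-control-char"  # full record, but split by e.g. LF
    else:
        status = "complete"
    return {"status": status, "control_chars": ctrl,
            "fields": match.groupdict() if match else None}

def listen(host="0.0.0.0", port=5514, count=10):
    """Print raw bytes and verdict for `count` datagrams (port is an assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        for _ in range(count):
            data, peer = sock.recvfrom(4096)
            print(peer[0], inspect_datagram(data)["status"], repr(data))

# Constructed sample datagrams, built from the lines quoted in the thread.
HEAD = b"<164>%PIX-4-106100: access-list sarca permitted tcp sarca/1.2.3.4(3796) ->"
TAIL = b"inside/4.5.6.7(80) hit-cnt 1 (first hit)"
SAMPLES = {"whole": HEAD + b" " + TAIL + b"\n",
           "split": HEAD + b" \n" + TAIL + b"\n",
           "cut": HEAD}

if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        print(name, inspect_datagram(dgram)["status"])
```

A datagram that arrives complete or merely split while the server's log file still shows the short line points at the receiving daemon; a datagram that is already truncated points upstream of it.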
    
