RE: [fw-wiz] Syslog set up

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 07/24/03

    To: "Doug Garrison" <doug.garrison@tagtmi.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 24 Jul 2003 08:45:00 -0400
    
    

    I think a gung-ho approach is best in this situation; "Log 'em all, let the analyzer sort 'em out." :-)

    Anyway, to get the PIX logging, it's just:

    !-- enable logging; nothing is sent to the syslog host without this
    logging on
    !-- facility can be anything so long as it's unique to your syslog server
    logging facility 20
    !-- level 7 == debugging == most verbose
    logging trap 7
    !-- pick a victim; if no protocol/port is specified, UDP/514 is used
    logging host inside 111.222.333.444 udp/1028
    !-- Also, using TCP syslog can cause the PIX to freeze if it can't
    !-- communicate with the syslog server - once the log buffer is full
    !-- it stops passing traffic. Use UDP if at all possible.

    PaulM

    > -----Original Message-----
    > I am looking for a document or suggestions on setting up what events to log
    > on a Cisco PIX. I am not concerned about following our security policy yet;
    > I just need a "Best Practice" type of document to get started from.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
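
For the receiving side of the configuration above, here is an added example (not part of the original message or of any Cisco tooling) that decodes the syslog PRI value into facility and severity, pulls the message ID out of the `%PIX-level-id:` tag, and tallies what arrived. The function names and sample datagrams are constructed for illustration; it assumes messages carry the standard `<PRI>` prefix, with facility 20 and any severity up to 7 as configured above.

```python
import re
from collections import Counter

# Syslog severity names; the list index is the numeric level (7 == debugging).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# <PRI>, optional timestamp/host text, then %PIX-<level>-<message id>: text
PIX_LINE = re.compile(r"^<(\d{1,3})>.*?%PIX-([0-7])-(\d{6}): (.*)$")


def parse_pix_syslog(datagram: bytes):
    """Decode one datagram; return a dict, or None if it is not a PIX message."""
    line = datagram.decode("ascii", errors="replace").strip()
    m = PIX_LINE.match(line)
    if m is None or int(m.group(1)) > 191:  # max PRI = facility 23 * 8 + 7
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return {
        "facility": facility,           # 20 (local4) with "logging facility 20"
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "pix_level": int(m.group(2)),   # level carried in the %PIX tag itself
        "msg_id": m.group(3),
        "text": m.group(4),
    }


def summarize(datagrams, expected_facility=20):
    """Tally (severity, message id) pairs; set aside other facilities and junk."""
    by_id, wrong_facility, unparsed = Counter(), [], 0
    for d in datagrams:
        rec = parse_pix_syslog(d)
        if rec is None:
            unparsed += 1
        elif rec["facility"] != expected_facility:
            wrong_facility.append(rec)
        else:
            by_id[(rec["severity_name"], rec["msg_id"])] += 1
    return by_id, wrong_facility, unparsed


# Constructed sample datagrams, not captured from a real firewall.
SAMPLES = [
    b'<164>Jul 24 2003 08:45:01: %PIX-4-106023: Deny tcp src outside:192.0.2.10/4242 dst inside:10.0.0.5/25 by access-group "outside_in"',
    b'<164>%PIX-4-106023: Deny tcp src outside:192.0.2.11/4243 dst inside:10.0.0.5/25 by access-group "outside_in"',
    b"<166>%PIX-6-302013: Built outbound TCP connection 101 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.0.0.9/1031 (203.0.113.2/1031)",
    b"<134>%PIX-6-302013: Built outbound TCP connection 7 for outside:198.51.100.8/80 (198.51.100.8/80) to inside:10.0.0.4/1040 (203.0.113.2/1040)",
    b"not a syslog line",
]
```

Messages that arrive under a facility other than the one configured are kept separate rather than counted, since they point to another device sharing the syslog server or a misconfigured sender.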