RE: [fw-wiz] Syslog monitoring and usage. (IMPORTANT CAUTION!!!!!)

From: Brian Ford (brford_at_cisco.com)
Date: 07/19/04

  • Next message: Wes Noonan: "RE: [fw-wiz] Syslog monitoring and usage."
    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 19 Jul 2004 11:39:08 -0400

    Paul and List;

    >PS - If you want to see everything the PIX can send to the syslog server,
    >make sure 'logging console debugging' is set in the config.

    WARNING. Whatever you do please do not do this on a production PIX!!!!!!!

    "logging console debugging" sets the syslog level for messages sent to the
    _console_ (i.e. the console port or computer attached to the PIX via a
    serial cable) to debug. That will generate lots of traffic to the serial
    port and not to the syslog device.

    To set the syslog level for the syslog device use the command "logging trap
    ...".

    Unless you are actively debugging an issue ON A DEVICE ATTACHED TO THE
    CONSOLE PORT or trying to learn more about PIX on a non-production (or
    production PIX running at less than 40% CPU utilization) I would not
    suggest that you use "logging console...". By default this should be
    disabled in production PIX environments.

    Liberty for All,

    Brian

    At 10:55 PM 7/15/2004 -0400, firewall-wizards-request@honor.icsalabs.com wrote:
    >Message: 8
    >Subject: RE: [fw-wiz] Syslog monitoring and usage.
    >Date: Wed, 14 Jul 2004 09:00:23 -0400
    >From: "Melson, Paul" <PMelson@sequoianet.com>
    >To: "Chad Thomsen" <chad.thomsen@bramespecialty.com>,
    > <firewall-wizards@honor.icsalabs.com>
    >
    >Cisco publishes the definitions of all of the syslog messages that can
    >be generated by a PIX firewall:
    >
    >http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63
    >syslog/index.htm
    >
    >As far as the 'IDS' syslog messages that it generates, keep in mind that
    >the PIX is only capable of "atomic" checks, meaning that it only alerts
    >on the behavior of a single packet. Aside from some older DoS attacks
    >and certain types of stealth port scans, the PIX is useless as an IDS.
    >
    >PaulM
    >
    >PS - If you want to see everything the PIX can send to the syslog server,
    >make sure 'logging console debugging' is set in the config. Of course,
    >on a busy firewall, this can lead to ~300MB/day in log files, so it may
    >only be useful for a short period of time or when used in conjunction
    >with automated log analysis software.

    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.
    http://www.cisco.com/go/safe/

    The opinions expressed in this message are those of the author and not
    necessarily those of Cisco Systems, Inc.

    This email address is transmitted from San Jose, California, U.S.A.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
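The distinction Brian draws above (console level vs. trap level) is easy to get wrong when reviewing a config offline. The following config-audit helper is an added example, not code from the list or from Cisco: it reads a PIX-style logging stanza and flags a "logging console" line that is still present, and a missing "logging trap" level. The sample configs and the 192.0.2.10 syslog host are constructed for the example.

```python
# Syslog severity keywords as PIX accepts them, mapped to their numeric values.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

def _level(token):
    """Accept the keyword ('debugging') or numeric ('7') form of a level."""
    if token.isdigit():
        return int(token)
    return LEVELS.get(token.lower())

def audit_pix_logging(config_text):
    """Return a list of findings for the logging lines of a PIX config."""
    console = None      # level sent to the serial console, None if disabled
    trap = None         # level sent to the syslog host, None if not set
    hosts = []          # configured syslog hosts
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("!"):
            continue    # blank line or comment
        if parts[:3] == ["no", "logging", "console"]:
            console = None          # later 'no logging console' wins
        elif parts[:2] == ["logging", "console"] and len(parts) == 3:
            console = _level(parts[2])
        elif parts[:2] == ["logging", "trap"] and len(parts) == 3:
            trap = _level(parts[2])
        elif parts[:2] == ["logging", "host"] and len(parts) >= 4:
            hosts.append(parts[3])  # 'logging host <iface> <ip>'
    findings = []
    if console is not None:
        sev = "SEVERE" if console >= LEVELS["debugging"] else "WARN"
        findings.append(f"{sev}: 'logging console' is set at level {console}; "
                        "these messages go to the serial port, not the syslog host")
    if hosts and trap is None:
        findings.append("WARN: syslog host configured but no 'logging trap' level set")
    if not hosts:
        findings.append("WARN: no 'logging host' configured")
    return findings

# Constructed sample: the setting warned about on the list, with no trap level.
BAD_CONFIG = """logging on
logging console debugging
logging host inside 192.0.2.10
"""
# Constructed sample: console disabled, trap level controls the syslog feed.
GOOD_CONFIG = """logging on
logging timestamp
no logging console
logging trap informational
logging host inside 192.0.2.10
"""
```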

