Pix and SysLog

  1. #1 RoadClosed (Senior Member; joined Jun 2003; 3,834 posts)

    Pix and SysLog

    I am using Kiwi syslog and a Pix, it's an inherent objectity of the Pix to block my internal syslog messages (?) and I am trying to get them from my Pix to my syslog server.

    Kiwi help docs even make a statement that the Pix blocks connection to the syslog server. I know some have accomplished this task based on other threads on the same discussion. What is the trick to get this up and running??

    Here is my Pix command statement. It takes this syntax without a specification for the type of protocol used (UDP/TCP), but once I try and force a protocol to the syslog server it tells me I am out of range, even if I try and force a specific port for offloading the syslog messages. Oh, and I am using the Pix default Local4 pipe. IPs are made up for discussion.

    pix# logging host inside 192.1.10.234

    The pix takes that, but I don't see anything on the syslog server at 192.1.10.234 running Kiwi.

    Now if I force UDP:

    pix# logging host inside 192.1.10.34 UDP
    I get an error on the pix: "port out of range: 1025-65535"

    OK, so I figure the pix is blocking ports. So I try and force UDP to use port 5514. Not clear on the syntax, so I try

    pix# logging host inside 192.1.10.234:5514 UDP
    Bad syntax altogether; the syntax in the documentation suggests protocol/port,
    so:
    pix# logging host inside 192.1.10.34 UDP 5514

    That produces the same out of range error. Hmmmm? Any Pix gurus out there figured out the hole in my understanding of syslog? I do know 2 things about it: it can use TCP or UDP, and there are pipes and levels. OK, maybe three things. What am I missing?

    TIA
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  2. #2 thehorse13 (Master-Jedi-Pimps0r & Moderator; joined Dec 2002; Washington D.C. area; 2,884 posts)

    Cisco has their own syslogd service for Windows. That is what I am using and it works fine. If you go to the Cisco site, just type in "PIX syslogd" and you should get the link to download it. There are some minor configs to do with it, but it is relatively painless.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3 RoadClosed (Senior Member; joined Jun 2003; 3,834 posts)

    Yep

    Thanks for the info. I am familiar with Cisco's syslog server in that I know it's available for free from their TAC site. In terms of my long-range goals I would love to get the Kiwi syslog up, if possible.

  4. #4 nebulus200 (Jaded Network Admin; joined Jun 2002; 1,356 posts)

    I realize it isn't Kiwi, but this site has some pretty detailed explanations of how to set up pix logging to the syslog facility:

    http://www.cisco.com/en/US/products/...80094030.shtml

    This article was interesting because it talked about running syslog over a VPN connection... Gonna have to read into this a little more...

    http://www.sans.org/rr/papers/33/199.pdf

    Setting up kiwi and filters:

    http://www.sans.org/rr/papers/33/201.pdf

    Finally, logging Cisco pix (similar to the first link I referenced):

    http://www.cisco.com/warp/public/110/pixsyslog.html
    I personally am leaning against you needing to specify the protocol (I assume you are running Kiwi so that it mirrors a standard syslogd server). It should default to udp/514. I would suspect that you are missing some configuration parameters before you set your syslog server, for example, telling it what facility to use...

    Ours has something to the effect:

    logging on
    logging timestamp
    logging buffered critical
    logging trap critical
    logging history warnings
    logging facility 21
    logging host <interface> <IP of syslogd server>

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5 RoadClosed (Senior Member; joined Jun 2003; 3,834 posts)

    Thanks Nebulus

    I read those Cisco links many, many times. My configuration looks exactly like yours as well, except my facility is different. Might change it to 20 just for SAG.

    Off to sans.org now.

    Oh, make that 20, not 21 (edit).

    I have it now. Thank you all very much. (Bows to pix and syslog gods everywhere)

  6. #6 nebulus200 (Jaded Network Admin; joined Jun 2002; 1,356 posts)

    If you don't mind, what corrected it?

    /nebulus

  7. #7 RoadClosed (Senior Member; joined Jun 2003; 3,834 posts)

    LOL

    I was trying to "avoid" that question and my answer. Basically I pulled my head from a rectal cranial inversion. I surmise that said PIX cannot support the command I was trying to give it, so I looked at Kiwi. Great tool BTW, and noticed that a log was being generated and building quite fast, since I started logging everything on the pix. I went back into the Kiwi console and, WTF, it doesn't DEFAULT to display anything. So I basically checked a box for Action = Display.

    In the process I learned a great deal about the syslog process and I have started deploying other ways to get data to that syslog server.

  8. #8 nebulus200 (Jaded Network Admin; joined Jun 2002; 1,356 posts)

    Heh heh, I will have to remember that about Kiwi. BTW, glad you brought up pix logging; you made me realize that something wasn't working right on my pix logging (had trap set to critical instead of warning and was missing all the denies).

    /nebulus

  9. #9 RoadClosed (Senior Member; joined Jun 2003; 3,834 posts)

    Firewall logging

    Yeah, you would want to see the denies. I have been playing with the levels off and on. I have left it at severity level 3 for now. That is one above critical according to the Cisco docs. I also would like to know if the firewall generates an error, and that level also generates a message when "the pix experiences an error." Maybe that can help prevent outages?

    BTW, went to Barnes and Noble and picked up a copy of "Cisco Pix Firewalls" by Richard A. Deal. It's a decent book and is much more explanatory than Cisco canned documentation. It's not all inclusive but still a good buy. ISBN 0-07-222523-8
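    The facility and severity numbers that get juggled in this thread (Local4 versus facility 20 or 21, "logging trap critical" silently dropping the denies in #8, severity level 3 being one above critical in #9) all come out of the single <PRI> number at the front of each syslog line: PRI = facility * 8 + severity. The script below is an added example, not code from the thread, from Kiwi or from Cisco. It decodes that header the way a collector does, names the levels the way Cisco does, checks that the digit in the %PIX-n-nnnnnn tag agrees with the PRI, and applies a "logging trap <level>" cutoff so you can see which of a few constructed sample lines a given trap level would have kept. The sample lines, their addresses and the 000000 message id are placeholders I made up; 106023 is used as the id of a deny message, and the PIX default facility local4 (20) is assumed as the expected facility.

```python
"""Decode PIX syslog lines as a collector sees them (added example)."""
import re

# Cisco's names for the eight syslog severities (0 = most severe).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
SEVERITY_BY_NAME = {name: num for num, name in SEVERITY_NAMES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
PIX_ID_RE = re.compile(r"%PIX-(\d)-(\d{6}):")


def facility_name(code: int) -> str:
    """Numeric facility -> name; 16..23 are local0..local7 (so 20 = local4, 21 = local5)."""
    if 16 <= code <= 23:
        return f"local{code - 16}"
    return f"facility{code}"


def parse_syslog(line: str) -> dict:
    """Split an RFC 3164 line into facility, severity and the PIX message id."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                      # max facility 23, max severity 7
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    body = m.group(2)
    ident = PIX_ID_RE.search(body)
    return {
        "facility": facility,
        "facility_name": facility_name(facility),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "msg_id": ident.group(2) if ident else None,
        # The digit in %PIX-<n>-<id> should agree with the severity in the PRI.
        "id_matches_pri": ident is None or int(ident.group(1)) == severity,
        "body": body,
    }


def passes_trap(severity: int, trap_level: str) -> bool:
    """'logging trap <level>' forwards messages at that level or more severe (lower number)."""
    return severity <= SEVERITY_BY_NAME[trap_level]


def triage(lines, trap_level: str, expected_facility: int):
    """Sort lines into (kept, dropped_by_trap, wrong_facility) for a given config."""
    kept, dropped, wrong = [], [], []
    for line in lines:
        rec = parse_syslog(line)
        if rec["facility"] != expected_facility:
            wrong.append(rec)          # collector filtering on local4 would never show these
        elif not passes_trap(rec["severity"], trap_level):
            dropped.append(rec)        # the PIX would not even send these
        else:
            kept.append(rec)
    return kept, dropped, wrong


# Constructed sample lines: hosts, addresses, text and the 000000 id are placeholders.
SAMPLE_LINES = [
    "<162>Jan 10 12:00:00 pix %PIX-2-000000: placeholder critical message",
    "<163>Jan 10 12:00:01 pix %PIX-3-000000: placeholder error message",
    "<164>Jan 10 12:00:02 pix %PIX-4-106023: Deny tcp src outside:192.0.2.9/4321 "
    "dst inside:192.1.10.234/514 by access-group \"outside_in\"",
    # Same deny, but sent with facility 21 (local5): 172 = 21 * 8 + 4.
    "<172>Jan 10 12:00:03 pix %PIX-4-106023: Deny udp src outside:192.0.2.9/5555 "
    "dst inside:192.1.10.234/514 by access-group \"outside_in\"",
]

if __name__ == "__main__":
    for level in ("critical", "warnings"):
        kept, dropped, wrong = triage(SAMPLE_LINES, level, expected_facility=20)
        print(f"logging trap {level}: kept={len(kept)} dropped={len(dropped)} "
              f"wrong_facility={len(wrong)}")
        for rec in kept:
            print(f"  {rec['facility_name']}.{rec['severity_name']} id={rec['msg_id']}")
```

    Run it and the "critical" pass keeps only the severity-2 line while both the error and the deny are dropped before they ever leave the firewall, which is exactly the symptom described in #8; the "warnings" pass keeps all three local4 lines. The fourth line is never shown under either level because its facility is local5, the kind of mismatch behind the 20-versus-21 edit in #5. The id_matches_pri flag is a cheap sanity check when a relay or a rewriting collector sits between the PIX and the log store.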

  10. #10 Junior Member (joined Apr 2003; 18 posts)

    I have had a similar problem at a number of sites. I finally broke down and, instead of setting syslog up at the CLI, I did it through the Pix's PDM web interface. Not sure what is different about doing it that way, but it works. Maybe if I have time I can pull the config from one of the sites I manage and determine what I was doing wrong before. I am using Kiwi's syslog daemon at most of the sites I am referring to, so it's not your syslog software.
    Here's Cisco's URL for their syslog documentation on the PIX: http://www.cisco.com/warp/public/110/pixsyslog.pdf Hope this helps.

    Doh! You already had the problem fixed.