-
Pix and SysLog
I am using Kiwi syslog and a Pix, it's an inherent objectity of the Pix to block my internal syslog messages (?) and I am trying to get them from my Pix to my syslog server.
Kiwi help docs, even make a statement that the Pix blocks connection to the syslog server. I know some have accomplished this task based on other threads on the same discussion. What is the trick to get this up and running??
Here is my Pix command statement, it takes this syntax without a specification for the type of protocol used UDP/TCP but once I try and force a protocol to the syslog server it tells me I am out of range, even if I try and force a specific port for offloading the syslog messages. Oh and I am using the pix default Local4 pipe. IPs are made up for discussion.
pix# logging host inside 192.1.10.234
the pix takes that but I don't see anything on the syslog server at 192.1.10.234 running KiWi
now if i force UDP
pix# logging host inside 192.1.10.34 UDP
I get an error on the pix "port out of range: 1025-65535"
ok so I figure pix is blocking ports. So I try and force UDP to use port 5514. Not clear on the syntax so I try
pix# logging host inside 192.1.10.234:5514 UDP
bad syntax altogether, syntax in documentation suggests protocol/port
so,
pix# logging host inside 192.1.10.34 UDP 5514
That produces the same out of range error. Hmmmm? Any Pix gurus out there figured out my brain hole in the understanding of syslog? I do know 2 things about it. It can use TCP or UDP, and there are pipes and levels. Ok maybe three things, what am I missing?
TIA
-
Cisco has their own syslogd service for Windows. That is what I am using and it works fine. If you go to the Cisco site, just type in PIX syslogd and you should get the link to download it. There are some minor configs to do with it but it is relatively painless.
-
Yep
Thanks for the info, I am familiar with Cisco's syslog server in that I know it's available for free from their TAC site. In terms of my long range goals I would love to get the Kiwi syslog up. If possible.
-
I realize it isn't KiWi, but this site has some pretty detailed explanations of how to setup pix logging to the syslog facility:
http://www.cisco.com/en/US/products/...80094030.shtml
This article was interesting because it talked about running syslog over a VPN connection...Gonna have to read into this a little more...
http://www.sans.org/rr/papers/33/199.pdf
Setting up kiwi and filters:
http://www.sans.org/rr/papers/33/201.pdf
Finally, logging cisco pix (similar to first link I referenced):
http://www.cisco.com/warp/public/110/pixsyslog.html
I personally am leaning against you needing to specify the protocol (I assume you are running Kiwi so that it mirrors a standard syslogd server). It should default to udp/514. I would suspect that you are missing some configuration parameters before you set your syslog server, for example, telling it what facility to use...
Ours has something to the effect:
logging on
logging timestamp
logging buffered critical
logging trap critical
logging history warnings
logging facility 21
logging host <interface> <IP of syslogd server>
/nebulus
-
Thanks Nebulus
I read those Cisco links many many times. My configuration looks exactly like yours as well. Except my Facility is different. Might change it to 20 just for SAG.
Off to sans.org now.
Oh make that 20 not 21 (edit)
I have it now thank you all very much. (Bows to pix and syslog gods everywhere)
-
If you don't mind, what corrected it?
/nebulus
-
LOL
I was trying to "avoid" that question and my answer. Basically I pulled my head from a rectal cranial inversion. I surmise that said PIX cannot support the command I was trying to give it, so I looked at Kiwi. Great tool BTW, and noticed that a log was being generated and building quite fast, since I started logging everything on the pix. I went back into the Kiwi console and, WTF, it doesn't DEFAULT to display anything. So I basically checked a box for Action = Display.
:confused:
In the process I learned a great deal about the Syslog process and I have started deploying other ways to get data to that syslog server.
-
Heh heh, I will have to remember that about Kiwi. BTW, glad you brought up pix logging, you made me realize that something wasn't working right on my pix logging (had trap set to critical instead of warning and was missing all the denies).
/nebulus
-
Firewall logging
Yeah you would want to see the denies. I have been playing with the levels off and on. I have left it at Severity level 3 for now. That is one above critical according to Cisco Docs. I also would like to know if the firewall generates an error and that level also generates a message when "the pix experiences an error." Maybe that can help prevent outages?
BTW, went to Barnes and Noble and picked up a copy of "Cisco Pix Firewalls" by Richard A. Deal. It's a decent book and is much more explanatory than Cisco canned documentation. It's not all inclusive but still a good buy. ISBN 0-07-222523-8
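An added example, not code from any poster or from Cisco or Kiwi: a small Python parser for PIX-format syslog lines that decodes the facility and severity numbers discussed in nebulus's config post (facility 20 = local4) and in the trap-level post above (why "logging trap critical" drops the level-4 denies). It assumes the PIX message shape `<PRI>%PIX-level-msgid: text`; the sample lines, addresses and message ids are constructed for illustration.

```python
import re
from typing import Optional
# Syslog facilities 16-23 are local0-local7; PIX "logging facility 20" selects
# local4 (the PIX default mentioned in the thread), "logging facility 21" local5.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
# PIX severity levels 0-7 in Cisco's naming; a lower number is more severe.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
PIX_RE = re.compile(r"%PIX-(\d)-(\d{6}): (.*)$")

def encode_pri(facility: int, severity: int) -> int:
    """The <N> prefix on a syslog line is N = facility * 8 + severity (RFC 3164)."""
    return facility * 8 + severity

def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: returns (facility, severity)."""
    return divmod(pri, 8)

def parse_pix_syslog(line: str) -> Optional[dict]:
    """Split one PIX-format syslog line into facility, severity, message id and text."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    body = PIX_RE.search(m.group(2))
    if not body:
        return None
    return {"facility": facility, "facility_name": FACILITY_NAMES.get(facility, "other"),
            "severity": severity, "severity_name": SEVERITY_NAMES[severity],
            "msg_id": body.group(2), "text": body.group(3)}

def sent_at_trap_level(severity: int, trap_level: int) -> bool:
    """'logging trap <level>' forwards that level and everything more severe."""
    return severity <= trap_level

# Constructed sample lines (not captured from a real firewall), all on facility local4 (20).
SAMPLE_LINES = [
    "<162>%PIX-2-106001: Inbound TCP connection denied from 203.0.113.5/4123 to 192.1.10.234/514 flags SYN on interface outside",
    "<164>%PIX-4-106023: Deny tcp src outside:203.0.113.5/4123 dst inside:192.1.10.234/514 by access-group \"outside_in\"",
    "<166>%PIX-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/4123 to inside:192.1.10.234/514",
]

def denies_seen(lines, trap_level: int) -> list:
    """Message ids of deny events that would actually reach the syslog server at a trap level."""
    out = []
    for line in lines:
        rec = parse_pix_syslog(line)
        if rec and "den" in rec["text"].lower() and sent_at_trap_level(rec["severity"], trap_level):
            out.append(rec["msg_id"])
    return out
```

Running `denies_seen(SAMPLE_LINES, 2)` versus `denies_seen(SAMPLE_LINES, 4)` shows the level-4 access-group deny only arriving once the trap level is raised to warnings.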
-
I have had a similar problem at a number of sites. I finally broke down and instead of setting syslog up at the CLI I did it through the Pix's PDM web interface. Not sure what is different about doing it that way but it works. Maybe if I have time I can pull the config from one of the sites I manage and determine what I was doing wrong before. I am using KIWI's syslog daemon at most of the sites I am referring to, so it's not your syslog software.
Here's Cisco's URL for their syslog documentation on the PIX. http://www.cisco.com/warp/public/110/pixsyslog.pdf Hope this helps.
Doh! you already had the problem fixed.