Re: Syslog set up

[Brian Ford <brford () cisco com>]

Paul,

You forgot the "logging on" command.  That is a very common PIX Syslog 
pilot error.

BTW, this is all on one pretty GUI screen within PIX Device Manager (PDM).

By default most Syslog servers listen on UDP port 514 (the default which 
you mentioned).  You specified port 1028 which would require a change on 
the Syslog server.

As for log level it really depends on what tools you have available and 
your own time.  Make sure that your Syslog server can keep up with the 
message rate and that you have the staff time to regularly look at the 
messages.

Liberty for All,

Brian

At 12:00 PM 7/25/2003 -0400, firewall-wizards-request () honor icsalabs com wrote:
> Message: 2
> Subject: RE: [fw-wiz] Syslog set up
> Date: Thu, 24 Jul 2003 08:45:00 -0400
> From: "Melson, Paul" <PMelson () sequoianet com>
> To: "\"Doug Garrison\" <doug.garrison () tagtmi com>" 
> <IMCEANOTES-+22Doug+20Garrison+22+20+3Cdoug+2Egarrison+40tagtmi+2Ecom+3E () sequoianet com>,
>         <firewall-wizards () honor icsalabs com>
>
> I think a gung-ho approach is best in this situation; "Log 'em all, let =
> the analyzer sort 'em out."  :-)
>
> Anyway, to get the PIX logging, it's just:
>
> !-- facility can be anything so long as its unique to your syslog server
> logging facility 20
> !-- level 7 =3D=3D debugging =3D=3D most verbose
> logging trap 7
> !-- pick a victim, if no protocol/port is specified, UDP/514 is used
> logging host inside 111.222.333.444 udp/1028
> !-- Also, using TCP syslog can cause the PIX to freeze if it can't
> !-- communicate with the syslog server - once the log buffer is full
> !-- it stops passing traffic.  Use UDP if at all possible.
>
> PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards