Firewall Wizards mailing list archives
RE: Syslog monitoring and usage. (IMPORTANT CAUTION!!!!!)
From: Brian Ford <brford () cisco com>
Date: Mon, 19 Jul 2004 11:39:08 -0400
Paul and List;
> PS - If you want to see everything the PIX can send to the syslog server, make sure 'logging console debugging' is set in the config.
WARNING. Whatever you do please do not do this on a production PIX!!!!!!!

"logging console debugging" sets the syslog level for messages sent to the _console_ (i.e. the console port or computer attached to the PIX via a serial cable) to debug. That will generate lots of traffic to the serial port and not to the syslog device.
To set the syslog level for the syslog device use the command "logging trap ...".
Unless you are actively debugging an issue ON A DEVICE ATTACHED TO THE CONSOLE PORT or trying to learn more about PIX on a non-production (or production PIX running at less than 40% CPU utilization) I would not suggest that you use "logging console...". By default this should be disabled in production PIX environments.
Liberty for All,
Brian

At 10:55 PM 7/15/2004 -0400, firewall-wizards-request () honor icsalabs com wrote:
> Message: 8
> Subject: RE: [fw-wiz] Syslog monitoring and usage.
> Date: Wed, 14 Jul 2004 09:00:23 -0400
> From: "Melson, Paul" <PMelson () sequoianet com>
> To: "Chad Thomsen" <chad.thomsen () bramespecialty com>, <firewall-wizards () honor icsalabs com>
>
> Cisco publishes the definitions of all of the syslog messages that can be generated by a PIX firewall: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63 syslog/index.htm
>
> As far as the 'IDS' syslog messages that it generates, keep in mind that the PIX is only capable of "atomic" checks, meaning that it only alerts on the behavior of a single packet. Aside from some older DoS attacks and certain types of stealth port scans, the PIX is useless as an IDS.
>
> PaulM
>
> PS - If you want to see everything the PIX can send to the syslog server, make sure 'logging console debugging' is set in the config. Of course, on a busy firewall, this can lead to ~300MB/day in log files, so it may only be useful for a short period of time or when used in conjunction with automated log analysis software.
Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/

The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc.
This email address is transmitted from San Jose, California, U.S.A.
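As an added example that is not part of the thread, the following audit script checks two constructed PIX 6.x "logging" fragments for the mix-up discussed above: a debug-level console logger with no syslog destination, versus a config that sends to the syslog device with "logging trap" and "logging host". The interface name and syslog server address in the fragments are made up.

```python
import re

# PIX 6.x syslog severity names and numeric levels; the CLI accepts either form.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample configs (not taken from any real device).
WEAK_CONFIG = """\
logging on
logging console debugging
"""

FIXED_CONFIG = """\
logging on
no logging console
logging timestamp
logging trap informational
logging host inside 192.0.2.10
"""


def _level(token):
    """Normalize a level given as a name or a digit to its numeric value."""
    return int(token) if token.isdigit() else LEVELS[token]


def audit_logging(config):
    """Return a list of findings for the 'logging' lines of a PIX config.

    A 'no logging console' line does not match the console pattern, so it
    correctly leaves the console level unset."""
    findings = []
    console = trap = None
    hosts = []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"logging console (\w+)$", line):
            console = _level(m.group(1))
        elif m := re.match(r"logging trap (\w+)$", line):
            trap = _level(m.group(1))
        elif m := re.match(r"logging host \S+ (\S+)", line):
            hosts.append(m.group(1))
    if console is not None and console >= LEVELS["debugging"]:
        findings.append("console logger at debugging level (goes to the serial port, not syslog)")
    if not hosts:
        findings.append("no 'logging host': no syslog server is configured")
    if trap is None:
        findings.append("no 'logging trap' level set for the syslog device")
    return findings
```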