Firewall Wizards mailing list archives

RE: Syslog monitoring and usage. (IMPORTANT CAUTION!!!!!)


From: Brian Ford <brford () cisco com>
Date: Mon, 19 Jul 2004 11:39:08 -0400

Paul and List;

PS - If you want to see everything the PIX can send to the syslog server,
make sure 'logging console debugging' is set in the config.

WARNING.  Whatever you do please do not do this on a production PIX!!!!!!!

"logging console debugging" sets the syslog level for messages sent to the _console_ (i.e. the console port or computer attached to the PIX via a serial cable) to debug. That will generate lots of traffic to the serial port and not to the syslog device.

To set the syslog level for the syslog device use the command "logging trap ...".

Unless you are actively debugging an issue ON A DEVICE ATTACHED TO THE CONSOLE PORT, or trying to learn more about PIX on a non-production PIX (or a production PIX running at less than 40% CPU utilization), I would not suggest that you use "logging console...". By default this should be disabled in production PIX environments.

Liberty for All,

Brian


At 10:55 PM 7/15/2004 -0400, firewall-wizards-request () honor icsalabs com wrote:
Message: 8
Subject: RE: [fw-wiz] Syslog monitoring and usage.
Date: Wed, 14 Jul 2004 09:00:23 -0400
From: "Melson, Paul" <PMelson () sequoianet com>
To: "Chad Thomsen" <chad.thomsen () bramespecialty com>,
        <firewall-wizards () honor icsalabs com>

Cisco publishes the definitions of all of the syslog messages that can
be generated by a PIX firewall:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/index.htm

As far as the 'IDS' syslog messages that it generates, keep in mind that
the PIX is only capable of "atomic" checks, meaning that it only alerts
on the behavior of a single packet.  Aside from some older DoS attacks
and certain types of stealth port scans, the PIX is useless as an IDS.

PaulM

PS - If you want to see everything the PIX can send to the syslog server,
make sure 'logging console debugging' is set in the config.  Of course,
on a busy firewall, this can lead to ~300MB/day in log files, so it may
only be useful for a short period of time or when used in conjunction
with automated log analysis software.


Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/

The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc.

This email address is transmitted from San Jose, California, U.S.A.
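An added illustration of the point in this exchange, not part of Brian's or Paul's messages and not Cisco code: a small Python audit that scans a PIX-style configuration excerpt, reports where `logging console` and `logging trap` are set, and suggests the lines that move verbose logging off the serial console and onto the syslog server. The sample config, the function names and the severity-to-label mapping are my own; the level names and the `logging console`, `logging trap`, `logging host` and `no logging console` forms are the standard PIX commands referred to above.

```python
import re

# Cisco syslog severity names and their numeric levels (0 = most severe).
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample config excerpt (hypothetical device, not a real one):
# console is at debugging, which floods the serial port, not the syslog host.
SAMPLE_CONFIG = """\
hostname pix-lab
logging on
logging timestamp
logging console debugging
logging trap informational
logging host inside 10.0.0.5
"""


def parse_level(token):
    """Accept a level name or its number (0-7); return the number or None."""
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    return LEVELS.get(token.lower())


def audit_logging(config_text):
    """Scan a PIX-style config for console/trap levels and syslog hosts.

    Returns the console and trap levels (None if unset), the syslog hosts
    found, and a list of findings phrased for a change reviewer.
    """
    console = trap = None
    hosts = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^logging (console|trap)\s+(\S+)$", line, re.I)
        if m:
            level = parse_level(m.group(2))
            if m.group(1).lower() == "console":
                console = level
            else:
                trap = level
            continue
        m = re.match(r"^logging host\s+(\S+)\s+(\S+)", line, re.I)
        if m:
            hosts.append((m.group(1), m.group(2)))

    findings = []
    if console is not None:
        # Any console logging is suspect on a production box; debugging is worst.
        sev = "HIGH" if console >= LEVELS["debugging"] else "MEDIUM"
        findings.append(
            f"{sev}: console logging enabled at level {console}; this feeds the "
            "serial console, not the syslog server, and 'debugging' floods the port"
        )
    if hosts and trap is None:
        findings.append(
            "INFO: syslog host configured but no 'logging trap' level set; "
            "set it explicitly to control what reaches the syslog server"
        )
    return {"console": console, "trap": trap, "hosts": hosts, "findings": findings}


def remediation(audit, syslog_level="informational"):
    """Suggest config lines: disable console logging and set the trap level.

    syslog_level is the level you actually want shipped to the syslog host;
    'debugging' gives everything, at the log-volume cost noted in the thread.
    """
    wanted = parse_level(syslog_level)
    cmds = []
    if audit["console"] is not None:
        cmds.append("no logging console")
    if audit["hosts"] and audit["trap"] != wanted:
        cmds.append(f"logging trap {syslog_level}")
    return cmds


if __name__ == "__main__":
    result = audit_logging(SAMPLE_CONFIG)
    for f in result["findings"]:
        print(f)
    print("Suggested:", "; ".join(remediation(result, "debugging")))
```

Run it against a saved `show running-config` excerpt by replacing `SAMPLE_CONFIG`; the audit only reads the text, so it is safe to run against production configs offline.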


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

