Date: Thu, 14 Feb 2002 17:12:56 -0500 (EST)
From: Joe Clarke <marcus@marcuscom.com>
To: Joseph Garcia <bear@unix.homeip.net>
Cc: questions@FreeBSD.ORG
Subject: Re: PIX 515 (v4.4) Logging to a Syslog Server on FreeBSD (fwd)
Message-ID: <20020214171158.J23345-100000@shumai.marcuscom.com>
In-Reply-To: <20020214101508.U35855-100000@we-24-126-232-105.we.mediaone.net>
On Thu, 14 Feb 2002, Joseph Garcia wrote:

>
> Hello all!
>
> I've been trying to accomplish two things here. First of all, I'm
> trying to learn the syntax and concepts of configuring a PIX Firewall and
> second, I'm trying to get it to log to a syslog server on a FreeBSD box.
>
> This is a mostly educational exercise which I'd like to apply to the
> production firewall. The production firewall is currently being maintained
> by outside sources. I have this extra PIX here that I'm testing the
> configuration on.
>
> I've successfully configured the FreeBSD box to accept syslog messages
> from HP JetDirect print servers so I'm kinda confused as to why it's not
> accepting messages from the PIX. It might be that I'm not configuring the
> PIX correctly and I'm seeking some assistance.
>
> At this time I'm using "Cisco Secure PIX Firewalls" as my guide in this
> adventure. This so far has been the first book that I've found on
> configuring PIX Firewalls. I've also printed out a bunch of documentation
> from Cisco concerning the PIX 515 which runs v4.4 of the PIX OS (this
> isn't IOS is it?). Most of it is some basic stuff and a command reference.
>
> Well, I'd like to log time stamped messages to a syslog server. I'm not
> sure yet what level of information I should be logging or want to be
> logging but I'm thinking that debugging information would be overkill.
> Although, I'm curious to see what kind of information level 4 would give
> me.
>
> So here's what I have in the configuration pertaining to logging.
>
> logging on
> logging timestamp
> no logging console
> logging monitor emergencies
> no logging buffered
> logging trap warnings
> logging facility 20
> logging queue 512
> logging host inside 192.168.0.42
>
> when I do a show logging, I get this:
>
> Syslog logging: enabled
> Timestamp logging: enabled
> Console logging: disabled
> Monitor logging: level emergencies, 0 messages logged
> Buffer logging: disabled
> Trap logging: level warnings, facility 20, 4126 messages logged
> Logging to inside 192.168.0.42
>
> To see if anything is actually going to this machine I check tcpdump:
>
> # tcpdump host pix1 and udp
> tcpdump: listening on tl0
> 17:31:30.588311 pix1.ircla.test.com.syslog > bsd1.ircla.test.com.syslog: udp 119
>
> Okay, so that tells me that there's data going to the server. Now
> let's check out my syslog.conf for its contents. Mind you, my /etc/hosts
> file has an entry for the PIX Firewall. Here are the lines from my
> syslog.conf file.
>
> # Log from Pix Firewall
> +pix1
> *.* /var/log/pix

No, the PIX is using facility local4 to send messages. Your syslog.conf
should look like:

local4.debug /var/log/pix

Joe

>
> I would assume this would log anything and everything no matter what
> facility or whatever to the file /var/log/pix, but I could be wrong. I
> configured that according to the syslog.conf man page.
>
> Yes, I have created /var/log/pix file.
> -rw-r--r-- 1 root wheel 0 Feb 12 18:14 /var/log/pix
>
> But the problem is that /var/log/pix is empty. And I'm not sure why. This
> is where I'm stuck. Any ideas where I might have gone wrong? Tcpdump is
> telling me that there is data going to the BSD box, but for some reason
> it's not being logged. Oh, by the way syslogd is running as follows
>
> root 1538 0.0 0.6 964 704 ?? Ss 6:21PM 0:01.72 /usr/sbin/syslogd
>
> Under FreeBSD if syslogd runs with the -s option it ignores syslog
> messages from a different host. I have disabled the -s option.
>
> Okay, so I guess that's it. Not sure what other information I have missed.
> I'm still trying to understand how all these logging commands are to be
> glued together to make things work properly. Well, thanks in advance for
> all your help!
>
> Joseph Garcia
>
> PS I just noticed that the PIX syslog messages are showing up in
> /var/log/messages but not in /var/log/pix. I'm confused as to why. Here's
> a sample of the messages.
>
> Feb 14 10:15:46 pix1.ircla.test.com %PIX-2-106007: Deny inbound UDP
> from 198.6.1.2/53 to 192.168.0.158/1352 due to DNS Response
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
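An added example illustrating the facility point in Joe's reply (this is not code from the thread or from FreeBSD's syslogd): it decodes the PRI of a syslog datagram the way a syslog daemon does and reports which syslog.conf selectors would route it. The sample datagram is constructed from the %PIX-2-106007 line in the thread, and the mapping of the PIX 'logging facility' keyword (16..23 = local0..local7) is an assumption stated in the code.

```python
import re

# Facility codes 0-11 and 16-23 are the same everywhere; 12-15 differ
# between platforms, so they are deliberately left out of this table.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({n: f"local{n - 16}" for n in range(16, 24)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample: what a PIX configured with 'logging facility 20' and
# 'logging timestamp' would put on the wire for the message quoted in the
# thread. PRI 162 = 20 * 8 + 2, i.e. facility local4 at severity crit.
SAMPLE = ("<162>Feb 14 10:15:46 pix1.ircla.test.com %PIX-2-106007: Deny inbound UDP "
          "from 198.6.1.2/53 to 192.168.0.158/1352 due to DNS Response")


def pix_facility_to_syslog(pix_facility):
    """Assumption: the PIX 'logging facility N' keyword takes 16..23 = local0..local7."""
    if not 16 <= pix_facility <= 23:
        raise ValueError("PIX logging facility must be 16..23")
    return FACILITIES[pix_facility]


def parse_pri(datagram):
    """Split '<PRI>rest' into (facility_code, severity_code, rest)."""
    m = re.match(r"<(\d{1,3})>(.*)$", datagram, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range syslog PRI")
    pri = int(m.group(1))
    return pri >> 3, pri & 7, m.group(2)


def selector_matches(selector, facility, severity):
    """syslog.conf semantics: 'fac.level' matches that facility at 'level' or
    anything more urgent (lower number); '*' is a wildcard, 'none' never matches."""
    fac_part, level = selector.rsplit(".", 1)
    facs = [f.strip() for f in fac_part.split(",")]
    if "*" not in facs and FACILITIES.get(facility) not in facs:
        return False
    if level == "none":
        return False
    if level == "*":
        return True
    return severity <= SEVERITIES.index(level)


def matching_selectors(datagram, selectors):
    """Return the syslog.conf selectors that would route this datagram to a file."""
    facility, severity, _ = parse_pri(datagram)
    return [s for s in selectors if selector_matches(s, facility, severity)]
```

Running `matching_selectors(SAMPLE, ["local4.debug", "local4.alert", "*.*"])` shows that `local4.debug` and `*.*` both catch the PIX line while `local4.alert` drops it, since the message is only severity 2 (crit).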