Foundation Topics

How Syslog Works

The syslog message facility in the Cisco PIX Firewall is a useful means to view troubleshooting messages and to watch for network events such as attacks and denials of service. The Cisco PIX Firewall reports on events and activities using syslog messages, which report on the following:
It is important to become familiar with the logging process and logging command parameters on the PIX before you dive in and start configuring the PIX for logging. Syslog messages can be sent to several different output destinations on or off the PIX unit:
After you decide where to send the syslog messages, you have to decide what type of messages you want to see at the output destination. All syslog messages have a severity level; however, not all syslog messages are required to have a facility.

Logging Facilities

When syslog messages are sent to a server, it is important to indicate through which pipe the PIX will send the messages. The single syslog service, syslogd, can be thought of as having multiple pipes. It uses the pipes to decide where to send incoming information, based on the pipe through which the information arrives. Syslogd is a daemon/service that runs on UNIX machines. In this analogy, the logging facilities are the pipes by which syslogd decides where to send the information it receives, that is, to which file to write. Eight logging facilities (16 through 23) are available for syslog on the PIX. On the syslog server, the facility numbers have a corresponding identification, local0 to local7. The following are the facility numbers and their corresponding syslog identification:

16 local0
17 local1
18 local2
19 local3
20 local4
21 local5
22 local6
23 local7
The default facility is local4 (20). To change the default logging facility on the PIX, you use the logging facility facility command, where facility is the facility number (16 through 23). The following command changes the logging facility to 21 (local5):

Pix(config)# logging facility 21

Logging Levels

Different severity levels are attached to incoming messages. You can think of these levels as indicating the type of message. The PIX can be configured to send messages at different levels. Table 8-2 lists these levels from highest to lowest importance.

Table 8-2. Logging Levels

Level  Keyword         Description
0      emergencies     System unusable
1      alerts          Immediate action needed
2      critical        Critical condition
3      errors          Error condition
4      warnings        Warning condition
5      notifications   Normal but significant condition
6      informational   Informational message only
7      debugging       Appears during debugging only
Many of the logging commands require that you specify a severity level threshold to indicate which syslog messages can be sent to the output location. The lower the level number, the more severe the syslog message. The default severity level is 3 (error). During configuration, you can specify the severity level as either a number or a keyword, as described in Table 8-2. The level you specify causes the Cisco PIX Firewall to send messages of that level and below to the output location. For example, if you specify severity level 3 (error), the PIX sends severity level 0 (emergency), 1 (alert), 2 (critical), and 3 (error) messages to the output location; messages at level 4 (warning) and above are not sent to that destination.

Changing Syslog Message Levels

PIX Firewall Version 6.3 gives you the option to modify the level at which a specific syslog message is issued and to disable specific syslog messages. Previous versions of PIX Firewall let you specify only the message level or disable all messages to a specific syslog server. This feature provides more flexibility because you can specify which message you are logging and at what level. The change is made to the message itself, so it applies to every syslog server and output destination; you cannot change a message's level for one server only. To change the logging level of a syslog message, enter the following command syntax:

logging message syslog_id [level levelid]

Without the level keyword, the command simply enables a message that was previously disabled. To change the level of a specific syslog message, include the level keyword:

logging message syslog_id level levelid

The variables syslog_id and levelid represent the numeric identifier of the syslog message and the severity level assigned to it, respectively; the severity levels are those shown in Table 8-2. Example 8-1 shows how you can view the level of a syslog message and display its current and default levels:

Example 8-1.
Changing the Level of a Syslog Message

pixfirewall(config)# show logging message 403503
syslog 403503: default-level errors (enabled)
pixfirewall(config)# logging message 403503 level 6
pixfirewall(config)# show logging message 403503
syslog 403503: default-level errors, current-level informational (enabled)

To disable a particular syslog message, enter the following command:

no logging message syslog_id

How Log Messages Are Organized

Syslog messages are listed numerically by message code. Each message is followed by a brief explanation and a recommended action. If several messages share the same explanation and recommended action, the messages are presented together, followed by the common explanation and recommended action. The explanation of each message indicates what kind of event generated the message. Possible events include the following:
How to Read System Log Messages

System log messages received at a syslog server begin with a percent sign (%) and are structured as follows:

%PIX-level-message_number: message_text

For example, a message whose header reads %PIX-3-403503: (the message used in Example 8-1, at its default level) is at severity level 3 (error) and is message number 403503; everything after the colon is the message text. The level in the header is the same number that selects the message for an output destination's threshold, so a server configured to receive level 3 and below gets this message, and a server set to level 2 does not.
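To make the header layout and the facility/level arithmetic concrete, here is an added Python example; it is not code from the chapter or from Cisco. It parses syslog datagrams the way a syslog server receives them from a PIX, decodes the RFC 3164 PRI prefix (facility * 8 + severity), checks that the PRI severity agrees with the level in the %PIX header, and applies a destination's level threshold the way the PIX does (level and below pass). It assumes that the value configured with logging device-id, described later in this chapter, appears as a "device-id : " prefix in front of the %PIX header; that layout is an assumption, not something the chapter states. The two sample datagrams are constructed: the message numbers 302013 (connection built) and 106023 (access-group deny) are real PIX message numbers, but the text after them is illustrative.

```python
import re
from typing import NamedTuple, Optional

# PIX severity levels (Table 8-2): the keyword the CLI accepts for each number.
SEVERITIES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
# Facilities 16-23 are local0-local7 on the syslog server; the PIX default is local4 (20).
FACILITY_NAMES = {16 + n: "local%d" % n for n in range(8)}
DEFAULT_FACILITY = 20

# Header layout: %PIX-level-message_number: message_text, optionally preceded by
# "<device-id> : " when logging device-id is configured. That prefix layout is an
# assumption made for this example, not something the chapter spells out.
PIX_HEADER = re.compile(
    r"^(?:(?P<device_id>[^%]+?) : )?%PIX-(?P<level>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)$"
)
PRI_PREFIX = re.compile(r"^<(\d{1,3})>(?P<rest>.*)$")


class PixMessage(NamedTuple):
    facility: int            # 16-23, decoded from the wire PRI
    severity: int            # 0-7, decoded from the wire PRI (equals the %PIX level)
    device_id: Optional[str]
    msg_id: int
    text: str


def decode_pri(pri: int) -> tuple:
    """Split an RFC 3164 <PRI> value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def encode_pri(facility: int, severity: int) -> int:
    """Inverse of decode_pri; shows what 'logging facility N' changes on the wire."""
    if facility not in FACILITY_NAMES or severity not in SEVERITIES:
        raise ValueError("facility must be 16-23 and severity 0-7")
    return facility * 8 + severity


def parse_pix_syslog(line: str) -> PixMessage:
    """Parse one UDP syslog datagram as the PIX sends it to a syslog server."""
    m = PRI_PREFIX.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line)
    facility, severity = decode_pri(int(m.group(1)))
    h = PIX_HEADER.match(m.group("rest"))
    if not h:
        raise ValueError("not a %%PIX message: %r" % line)
    # The level in the %PIX header and the severity in the PRI are the same number;
    # a mismatch means the datagram was not produced (or was altered) by a PIX.
    if int(h["level"]) != severity:
        raise ValueError("PRI severity %d != header level %s" % (severity, h["level"]))
    return PixMessage(facility, severity, h["device_id"], int(h["msg_id"]), h["text"])


def select_for_destination(messages, threshold: int) -> list:
    """Apply a destination's level threshold: keep messages at that level and below (more severe)."""
    return [m for m in messages if m.severity <= threshold]


# Constructed sample datagrams (real message numbers, illustrative text).
SAMPLE_LINES = [
    # default facility local4 (20), level 6: PRI = 20*8 + 6 = 166, no device ID
    '<166>%PIX-6-302013: Built outbound TCP connection 1234 for outside:192.0.2.10/80 '
    '(192.0.2.10/80) to inside:10.1.1.5/51000 (203.0.113.2/51000)',
    # after "logging facility 21" and "logging device-id hostname", level 4: PRI = 21*8 + 4 = 172
    '<172>pixfirewall : %PIX-4-106023: Deny tcp src outside:192.0.2.44/4444 '
    'dst inside:10.1.1.5/23 by access-group "acl_out"',
]

if __name__ == "__main__":
    parsed = [parse_pix_syslog(line) for line in SAMPLE_LINES]
    for p in parsed:
        print(FACILITY_NAMES[p.facility], SEVERITIES[p.severity], p.device_id, p.msg_id)
    # With the default threshold of 3 neither message reaches the server;
    # with a threshold of 5 only the level-4 deny does.
    print([m.msg_id for m in select_for_destination(parsed, 3)])
    print([m.msg_id for m in select_for_destination(parsed, 5)])
```

The PRI/header consistency check is worth keeping in a collector: anything on the network that can reach UDP/514 can send a datagram that looks like a PIX message, and a forged one that gets the arithmetic wrong is cheap to reject.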
You can find more information on syslog messages at http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_book09186a00801582a9l

Configuring Syslog on the Cisco PIX Firewall

The logging command is used to configure logging on the PIX Firewall. Logging is disabled by default. Table 8-3 describes the parameters of the logging command.
Configuring the PIX Device Manager to View Logging

The PDM Log panel, shown in Figure 8-1, allows you to view syslog messages that are captured in the PDM Log buffer in the PIX Firewall memory. You may select the level of syslog messages you want to view. When you view the PDM Log, all the buffered syslog messages at and below the logging level you choose are displayed.

Figure 8-1. PDM Log Viewer Screen

The PDM logging panel has the following fields:
Configuring Syslog Messages at the Console

Configuring logging on the console interface is useful when you are troubleshooting or observing traffic patterns directly from the PIX Firewall. This gives you real-time information about what is happening on the PIX Firewall. To configure logging at the PIX console interface, use the logging console command. After logging into configuration mode, enter the following:

Pixfw(config)# logging on
Pixfw(config)# logging console 5

The logging on command enables logging globally; without it, no destination receives messages. The 5 indicates the logging level: in this case, messages at level 5 (notification) and below are displayed. From the console you can see the logs in real time. Because the console is a slow serial interface, a low threshold (a high level number) on a busy firewall can flood it and slow the PIX itself, so raise the level again when you have finished troubleshooting.

Sending Syslog Messages to a Telnet Session

Remotely troubleshooting or viewing real-time PIX traffic patterns can be done by configuring the PIX to send logging information to a Telnet session. The logging monitor command configures the PIX to send syslog messages to Telnet sessions. For example, after logging into configuration mode, enter the following:

Pixfirewall(config)# logging monitor 6
Pixfirewall(config)# terminal monitor

In this example, syslog messages at levels 0 to 6, or emergency to informational, are sent to the Telnet session. To disable logging to Telnet, you use the no logging monitor command. The terminal monitor command displays the messages in the current Telnet session. You can disable the direct display of messages by entering the terminal no monitor command. A Telnet session sometimes is lost in busy networks when the logging monitor command is used. Keep in mind that Telnet is cleartext: the session, and every log message sent into it, can be read on the wire, so limit Telnet to a trusted interface or use SSH, which the PIX also supports and to which logging monitor applies in the same way.

Configuring the Cisco PIX Firewall to Send Syslog Messages to a Log Server

Configuring the PIX to send logging information to a server helps you collect and maintain data that can later be used for forensic and data traffic analysis. PIX syslog messages are usually sent to a syslog server or servers. PIX uses UDP port 514 by default to send syslog messages to a syslog server.
The syntax for configuring the PIX Firewall to send syslog messages to a syslog server is as follows:

Pixfirewall(config)# logging host [interface] ip_address [tcp[/port] | udp[/port]] [format emblem]

The variables interface and ip_address are replaced with the name of the interface on which the syslog server resides and the Internet Protocol (IP) address of the syslog server, respectively. The default transport is UDP port 514. UDP delivery is neither acknowledged nor authenticated: messages dropped on a busy network are lost silently, and any host that can reach the server can send datagrams that look like the PIX's, so the server should accept syslog only from the firewall's address. The tcp keyword gives reliable delivery, but on the PIX a TCP syslog server that stops responding causes the firewall to stop building new connections until the server is reachable again; test that failure mode before depending on TCP syslog in production. PIX Firewall Version 6.3 introduces support for EMBLEM format. EMBLEM syslog format is designed to be consistent with the Cisco IOS Software format and is more compatible with CiscoWorks management applications such as the Resource Manager Essentials (RME) syslog analyzer. Use the option format emblem to send messages to the specified server in EMBLEM format.

Note This option is available only for UDP syslog messages, used by the RME syslog analyzer.

The following steps show you how to configure the PIX to send syslog messages:

Centrally managing several PIX Firewalls can be challenging if you cannot identify the origin of a particular message that is sent to the central log server. PIX Firewall Version 6.2(3) and later support defining a unique device ID for log messages sent to a syslog server. If several PIX Firewalls are configured to send their syslog messages to a single syslog server, a unique identification can be configured so the message source can be identified. To enable this option, use the following command:

logging device-id {hostname | ipaddress if_name | string text}

Table 8-4 gives a description of the parameters of the logging device-id command.
When this feature is enabled, the specified device ID (the hostname, the IP address of the specified interface (even if the message leaves through another interface), or a text string) is included in messages sent to a syslog server. The PIX Firewall inserts the specified device ID into all non-EMBLEM-format syslog messages.

Note The device ID does not appear in EMBLEM-formatted messages, Simple Network Management Protocol (SNMP) traps, or on the firewall console, management session, or buffer. This command does not affect the syslog message text in EMBLEM format or its display on the PIX Firewall console or in the log file.

To disable this feature, use the following command:

no logging device-id

Configuring SNMP Traps and SNMP Requests

SNMP requests can be used to query the PIX for its system status information. If you want to send only the cold start, link up, and link down generic traps, no further configuration is required. SNMP traps send information about a particular event only when the configured threshold is reached. To configure the PIX to receive SNMP requests from a management station, you must do the following:
To configure SNMP traps on the PIX, you must do the following:
Configuring a Syslogd Server

Because syslogd was originally a UNIX concept, the features available in the syslogd products on non-UNIX systems depend on the vendor implementation. Features might include dividing incoming messages by facility or debug level or both, resolving the names of the sending devices, and reporting facilities. For information on configuring a non-UNIX syslog server, refer to the vendor's documentation.

Note Configuring the syslog server is not covered on the PIX CSPFA 642-521 exam.

To configure syslog on UNIX, follow these steps:
For example, if /etc/syslog.conf contains the line

local7.warn /var/log/local7.warn

then warning, error, critical, alert, and emergency messages arriving on the local7 logging facility are logged in the local7.warn file, while notification, informational, and debug messages arriving on the local7 facility are not logged anywhere by that line. If /etc/syslog.conf contains

*.debug /var/log/all.debug

then all message levels from all logging facilities go to that file. A syslog.conf selector therefore works like the PIX threshold in reverse: the PIX decides what to send by level, and syslogd decides what to keep, by facility and level, so the two settings must agree or messages the PIX does send will be discarded on arrival.

PIX Firewall Syslog Server

PFSS lets you view PIX Firewall event information from a Windows NT system. It includes special features not found on other syslog servers:
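The syslog.conf selectors discussed above (local7.warn and *.debug) are easy to misread, so here is an added Python example, not part of the chapter, that evaluates syslogd selector lines the way BSD syslogd does: a plain priority means "that level and more severe", =level means exactly that level, none excludes a facility, and parts joined with ";" are applied left to right with later parts overriding. It goes one step beyond the text by handling the = and none forms as well. The /etc/syslog.conf fragment it reads is constructed, and the third line in it is added for illustration.

```python
# UNIX syslog.conf priority names, indexed by the numeric severity (0 = most severe).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
# local0-local7 are facility numbers 16-23, the range the PIX can be told to use.
FACILITIES = {"local%d" % n: 16 + n for n in range(8)}
FACILITIES.update({"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5})


def priority_number(name: str) -> int:
    """'warn' -> 4; unknown names raise ValueError."""
    return PRIORITIES.index(ALIASES.get(name, name))


def compile_selector(selector: str) -> dict:
    """Turn 'local7.warn' or '*.info;local7.none' into {facility_number: rule}.

    rule is ("ge", level) for the usual 'this level and more severe' match,
    ("eq", level) for '=level', or None for 'none'. Parts joined with ';' are
    applied left to right, so later parts override earlier ones, as in BSD syslogd.
    """
    table = {}
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        if not facs or not pri:
            raise ValueError("bad selector: %r" % part)
        numbers = list(FACILITIES.values()) if facs == "*" else [FACILITIES[f] for f in facs.split(",")]
        if pri == "none":
            rule = None
        elif pri == "*":
            rule = ("ge", priority_number("debug"))
        elif pri.startswith("="):
            rule = ("eq", priority_number(pri[1:]))
        else:
            rule = ("ge", priority_number(pri))
        for n in numbers:
            table[n] = rule
    return table


def selector_matches(table: dict, facility: int, severity: int) -> bool:
    """True when a message with this facility/severity is selected by the compiled selector."""
    rule = table.get(facility)
    if rule is None:
        return False
    op, level = rule
    return severity == level if op == "eq" else severity <= level


def parse_syslog_conf(text: str) -> list:
    """Return [(compiled_selector, action)] per rule line; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((compile_selector(selector), action.strip()))
    return rules


def route(rules: list, facility: int, severity: int) -> list:
    """Every action (here, a file) that a message with this facility/severity is written to."""
    return [action for table, action in rules if selector_matches(table, facility, severity)]


# Constructed /etc/syslog.conf fragment: the two lines discussed in the text plus a
# third, added here, that captures only level-3 messages from the PIX default facility.
SAMPLE_CONF = """
local7.warn\t/var/log/local7.warn
*.debug\t/var/log/all.debug
local4.=err\t/var/log/pix-errors
"""

if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_CONF)
    for fac, pri in (("local7", "warning"), ("local7", "notice"), ("local4", "err")):
        print(fac, pri, "->", route(rules, FACILITIES[fac], priority_number(pri)))
```

Run against the fragment, a local7 warning lands in both files, a local7 notice only in all.debug, and a local4 error in all.debug and pix-errors; a PIX left at its default facility (local4) would never write to local7.warn at all, which is the kind of mismatch to check when a server appears to receive nothing.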