PIX syslog issue

Discussion in 'Cisco' started by captain Zod, Apr 28, 2005.

  1. captain Zod

    captain Zod Guest

    I don't see my posting about this which I submitted 2 days ago!!!
    Anyhow I am having issues with syslog on my pix 6.3. It does not send
    to my linux syslogd. I ran tcpdump and was not seeing anything.

    Pix config:
    logging on
    logging timestamp
    logging buffered warnings
    logging trap debugging
    logging host inside 10.60.2.129
    no logging message 111005

    syslog.conf:
    local6.debug /var/log/level6

    Any ideas?
    I also see the line below in my syslog.conf:
    local7.* /var/log/boot.log
    The comment says that this is for boot logging. Why is this? It should
    get a lot more info than just boot with that * .

    thx
     
    captain Zod, Apr 28, 2005
    #1

  2. In article <>,
    captain Zod <> wrote:
    :Anyhow I am having issues with syslog on my pix 6.3. It does not send
    :to my linux syslogd.

    Linux syslogd has to be specifically configured to allow syslog from
    remote devices. I do not know the appropriate command line options
    for this purpose.


    :I ran tcpdump and was not seeing anything.

    :pix config:
    :logging on
    :logging timestamp
    :logging buffered warnings
    :logging trap debugging
    :logging host inside 10.60.2.129
    :no logging message 111005

    That should generally work, provided that the remote system is willing
    to receive the packets (and is reachable.)


    :syslog.conf:
    :local6.debug /var/log/level6

    You have not put in a 'logging facility' statement into your configuration.
    The default is not local6 but rather local4. For local6, you would need

    logging facility 22


    :Any ideas?
    :I also see the line below in my syslog.conf:
    :local7.* /var/log/boot.log
    :The comment says that this is for boot logging. Why is this? It should
    :get a lot more info than just boot with that * .

    That's getting a bit off topic for the cisco newsgroup, but the answer
    is that it would get all messages directed to the facility local7 .
    The implication of the comment is that the only things that would
    -normally- send with facility local7 are the boot messages. Of course
    if you configure something else to send to local7 then that'd show
    up in the boot.log file as well.
    --
    "I want to make sure [a user] can't get through ... an online
    experience without hitting a Microsoft ad"
    -- Steve Ballmer [Microsoft Chief Executive]
     
    Walter Roberson, Apr 28, 2005
    #2
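
The facility point in the reply above, as an added example (not code from the thread or from Cisco): it decodes the `<PRI>` header of a syslog datagram and checks it against the two syslog.conf selectors quoted in the thread. The datagrams are constructed samples, and the function names and the `%PIX-5-000000` message tag are placeholders.

```python
import re

# Syslog facility codes 16-23 are local0-local7; the PIX "logging facility N"
# value is this code (per the thread: 22 -> local6, default 20 -> local4).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def facility_name(code):
    if not 16 <= code <= 23:
        raise ValueError("this sketch only names local0-local7 (codes 16-23)")
    return "local%d" % (code - 16)

def parse_pri(datagram):
    """Return (facility_name, severity_name) from the leading <PRI> field."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))          # PRI = facility * 8 + severity
    return facility_name(pri // 8), SEVERITIES[pri % 8]

def selector_matches(selector, facility, severity):
    """Classic syslogd 'facility.level': that level and anything more severe."""
    sel_fac, sel_lvl = selector.split(".")
    if sel_fac not in ("*", facility):
        return False
    if sel_lvl == "*":
        return True
    return SEVERITIES.index(severity) <= SEVERITIES.index(sel_lvl)

def route(datagram, rules):
    """Return the log files whose selector matches the datagram."""
    fac, sev = parse_pri(datagram)
    return [path for sel, path in rules if selector_matches(sel, fac, sev)]

# The two syslog.conf lines quoted in the thread.
RULES = [("local6.debug", "/var/log/level6"), ("local7.*", "/var/log/boot.log")]

# Constructed datagrams (not captured traffic): severity 5 (notice) sent with
# facility 22 (PRI 22*8+5 = 181) and with the default facility 20 (PRI 165).
WITH_FACILITY_22 = b"<181>Apr 28 2005 10:15:01: %PIX-5-000000: constructed sample"
WITH_DEFAULT_20 = b"<165>Apr 28 2005 10:15:01: %PIX-5-000000: constructed sample"

if __name__ == "__main__":
    for d in (WITH_FACILITY_22, WITH_DEFAULT_20):
        print(parse_pri(d), route(d, RULES))
```

A datagram sent with the default facility matches neither selector, so it would arrive on the wire but never reach /var/log/level6.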

  3. captain Zod

    captain Zod Guest

    So sorry. I did have the line: logging facility 22 in my pix config.

    :logging on
    :logging timestamp
    :logging buffered warnings
    :logging trap debugging
    :logging facility 22
    :logging host inside 10.60.2.129
    :no logging message 111005

    I also have the syslogd running with -r option to receive messages.
    Though tcpdump filtered for the ip of the pix, does not show anything
    coming from the pix. So I really think the problem is on the pix side.
     
    captain Zod, Apr 28, 2005
    #3
  4. In article <>,
    captain Zod <> wrote:
    :So sorry. I did have the line: logging facility 22 in my pix config.

    ::logging trap debugging
    ::logging facility 22
    ::logging host inside 10.60.2.129

    :I also have the syslogd running with -r option to receive messages.
    :Though tcpdump filtered for the ip of the pix, does not show anything
    :coming from the pix. So I really think the problem is on the pix side.

    Or it could be coming from a different IP address than you expect.
    Try filtering on udp 514 (syslog) .

    On the PIX side, you could set up an ACL matching syslog to the remote
    system, and set up a capture to see what is going out:

    access-list caplog permit udp any host 10.60.2.129 eq 514
    capture logcap access-list caplog interface inside

    Then show capture logcap will show you the matching packets.
    Add the parameter 'detail' for more information. The captured packets
    can also be exported in pcap format for external analysis.


    I have not -observed- a PIX failing to syslog, provided that there
    is a proper route to the log host.
    --
    Are we *there* yet??
     
    Walter Roberson, Apr 28, 2005
    #4
  5. captain Zod

    captain Zod Guest

    This is interesting. I did as you said, and I don't get any matching
    output:
    sho access-list caplog
    access-list caplog; 1 elements
    access-list caplog line 1 permit udp any host 10.60.2.129 eq syslog
    (hitcnt=0)
    sho capture logcap
    0 packet captured
    0 packet shown

    Before I issued these commands I did a write mem which I believe should
    have generated syslog stuff. So I do think that the pix is not sending
    syslog!
     
    captain Zod, Apr 28, 2005
    #5