PIX not logging IDS to syslog

Discussion in 'Cisco' started by Jon Doe, Dec 21, 2005.

  1. Jon Doe

    Jon Doe Guest


    I recently set up IDS on my PIX 525, and it appears to be doing what it's
    able to do... however, the only way I'm able to see any IDS logs is by doing
    a "show syslog". I have a syslog server setup using kiwi, and I'm able to
    pick up logs in there, but nothing for IDS. Is there some setting I might be
    missing thats causing it not to log IDS while it logs other things? Thanks
    in advance!
    Jon Doe, Dec 21, 2005
    1. Advertisements

  2. Jon Doe

    Wil Guest

    logging trap debug

    That should do the trick!

    my 3¢
    Wil, Dec 21, 2005
    1. Advertisements

  3. Jon Doe

    Jon Doe Guest

    And do the trick it did! Thanks very much!

    Right now though, it's trapping so much info, I'm wondering if I might need
    to shut it off soon. I assume logging debug isn't typically done on a
    continuous basis but more for troubleshooting?
    Jon Doe, Dec 21, 2005
  4. Jon Doe

    Wil Guest

    Didn't see the cross post before...

    Logging is good, m'kay :)

    I've used kiwi in the past and if I recall correctly you can set it up
    to capture the logs and zip them up somewhere safe at the end of the day.

    If you still think that it's too much info, take some of the messages out.
    "no logging message XXXXXXX"

    At the present I believe that I'm getting a bit more than 100megs per
    pix per day, get's quite cumbersome at times but we've got it to the
    point that it get's logged, gets compressed, gets backed up to tape and
    gets sent off site. I used to take out some of the messages because of
    the size of the logs but found myself in a position that I needed to do
    some forensics and didn't have the information that I needed. IMHO
    diskspace is much less expensive than not having your logs.

    my 3¢
    Wil, Dec 21, 2005
  5. Jon Doe

    Spack Guest

    Jon wrote on Wed, 21 Dec 2005 00:08:23 -0600:

    On my 5.3 PIX 515 all IDS messages are sent at Warning level. I have a
    filter in Kiwi dumping these to a separate file to make it easier to trawl
    through them. Have you created "alarm" actions as well as drop/reset actions
    for your IDS audits?

    Spack, Dec 21, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.