https://community.cisco.com/t5/network-security/pix-logging/m-p/313354#M552467 <HTML><HEAD></HEAD><BODY><P>I normally use 'log buff warn'</P><P>Nice and easy to 'clear log' and see up to date entries, nothing clogging your screen up when trying to configure.</P><P>Obviously if your pix is letting this straight through, you're not going to see it in the log, but if you're looking for attacks that your pix is currently protecting you from, it will be there.</P><P>Tighten up the pix where necessary and you can quickly see any genuine traffic you may have stopped inadvertantly.</P></BODY></HTML> Thu, 20 Jan 2005 00:47:02 GMT garethhinton 2005-01-20T00:47:02Z https://community.cisco.com/t5/network-security/pix-logging/m-p/313352#M552463 <P>If I suspect that my network is under attack, what level should I be logging, and what should I be looking for, to tell if someone is attempting to attack my network? Thanks.</P> Fri, 21 Feb 2020 07:52:58 GMT https://community.cisco.com/t5/network-security/pix-logging/m-p/313352#M552463 mtobkes 2020-02-21T07:52:58Z https://community.cisco.com/t5/network-security/pix-logging/m-p/313353#M552464 <HTML><HEAD></HEAD><BODY><P>Warning for logging should be fine.</P><P></P><P>Take a look for DROP packets from the same source IP. If a SYN Flooding is the problem.</P><P></P><P>Do you have Public services as http, smtp or others?</P><P>I suppose yes, then take a look if you have exessive amount of SYN packets on the protocol.</P><P></P><P>Easyest way to do that is putting a sniffer in place and do some statistical work. </P><P></P><P>Another way could be to put a NTOP host on the internet. <A class="jive-link-custom" href="http://www.ntop.org/ntop.html" target="_blank">http://www.ntop.org/ntop.html</A> to see real time traffic.</P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Thu, 20 Jan 2005 00:42:04 GMT https://community.cisco.com/t5/network-security/pix-logging/m-p/313353#M552464 Patrick Iseli 2005-01-20T00:42:04Z https://community.cisco.com/t5/network-security/pix-logging/m-p/313354#M552467 <HTML><HEAD></HEAD><BODY><P>I normally use 'log buff warn'</P><P>Nice and easy to 'clear log' and see up to date entries, nothing clogging your screen up when trying to configure.</P><P>Obviously if your pix is letting this straight through, you're not going to see it in the log, but if you're looking for attacks that your pix is currently protecting you from, it will be there.</P><P>Tighten up the pix where necessary and you can quickly see any genuine traffic you may have stopped inadvertantly.</P></BODY></HTML> Thu, 20 Jan 2005 00:47:02 GMT https://community.cisco.com/t5/network-security/pix-logging/m-p/313354#M552467 garethhinton 2005-01-20T00:47:02Z https://community.cisco.com/t5/network-security/pix-logging/m-p/313355#M552469 <HTML><HEAD></HEAD><BODY><P>I'm not a big big specialist as others, but the real good solution is to set it to Notifications. Why?</P><P>1. On each access-list apply logging policy. </P><P>2. Install Kiwi (any syslog server)</P><P>3. You will not be able to determine the attack that's going in a wright way. That's why you need to log all the event's in a case that you will need the evidence.</P><P>4. Check all your servers that STATIC command translates. In the Event logs you can find a lot of interesting staff.</P><P></P><P>And after one day that you capture syslog messages, sit on them for a day, and try to analyze.</P><P>I usually do so. </P><P>Example is simple:</P><P>Somebone usually come to my web-site from such a site <A class="jive-link-custom" href="http://www.anonymizer.com/" target="_blank">www.anonymizer.com/</A> What does it mean for any security specialist...right! He want's only look on a pictures on my site <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Thu, 20 Jan 2005 20:13:58 GMT https://community.cisco.com/t5/network-security/pix-logging/m-p/313355#M552469 Paul Greenberg 2005-01-20T20:13:58Z