https://community.cisco.com/t5/network-security/can-t-see-login-or-config-messages-in-pix-syslog/m-p/153201#M607171 <HTML><HEAD></HEAD><BODY><P>Check the following URL to get the meaning of all syslog messages.</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm</A></P><P></P><P>Some sample messages with meanings</P><P></P><P>%PIX-5-111001: Begin configuration: IP_addr writing to device </P><P></P><P>Explanation This message is logged when you enter the write command to store your configuration on a device (either floppy, Flash memory, TFTP, the failover standby unit, or the console terminal). The IP_addr indicates whether the login was made at the console port or via a Telnet connection. </P><P></P><P>Action None required. </P><P></P><P>%PIX-5-111003: IP_addr Erase configuration </P><P></P><P>Explanation This is a PIX Firewall management message. This message is logged when you erase the contents of Flash memory by entering the write erase command at the console. The IP_addr indicates whether the login was made at the console port or via a Telnet connection</P><P></P></BODY></HTML> Wed, 16 Apr 2003 14:27:29 GMT hadbou 2003-04-16T14:27:29Z https://community.cisco.com/t5/network-security/can-t-see-login-or-config-messages-in-pix-syslog/m-p/153200#M607168 <P>We have a pix 525 (v6.2.2). Syslog messages are directed to a syslog server using the following config:</P><P></P><P>logging on</P><P>logging timestamp</P><P>logging trap debugging</P><P>logging host inside 10.0.0.4</P><P></P><P>Show logging give the following output:</P><P></P><P>Syslog logging: enabled</P><P> Facility: 20</P><P> Timestamp logging: enabled</P><P> Standby logging: disabled</P><P> Console logging: disabled</P><P> Monitor logging: disabled</P><P> Buffer logging: disabled</P><P> Trap logging: level debugging, 26644891 messages logged</P><P> Logging to inside 10.0.0.4</P><P> History logging: disabled</P><P></P><P>Our problem is that we can't see any messages with regards to who did what....e.g. console login, executing 'config t' etc. We only get messages that show the various packets being passed through the pix. There are no users defined on the pix box, it is strictly console only (no telnet). Any chance you can help!</P> Fri, 21 Feb 2020 06:40:51 GMT https://community.cisco.com/t5/network-security/can-t-see-login-or-config-messages-in-pix-syslog/m-p/153200#M607168 zabbas 2020-02-21T06:40:51Z https://community.cisco.com/t5/network-security/can-t-see-login-or-config-messages-in-pix-syslog/m-p/153201#M607171 <HTML><HEAD></HEAD><BODY><P>Check the following URL to get the meaning of all syslog messages.</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm</A></P><P></P><P>Some sample messages with meanings</P><P></P><P>%PIX-5-111001: Begin configuration: IP_addr writing to device </P><P></P><P>Explanation This message is logged when you enter the write command to store your configuration on a device (either floppy, Flash memory, TFTP, the failover standby unit, or the console terminal). The IP_addr indicates whether the login was made at the console port or via a Telnet connection. </P><P></P><P>Action None required. </P><P></P><P>%PIX-5-111003: IP_addr Erase configuration </P><P></P><P>Explanation This is a PIX Firewall management message. This message is logged when you erase the contents of Flash memory by entering the write erase command at the console. The IP_addr indicates whether the login was made at the console port or via a Telnet connection</P><P></P></BODY></HTML> Wed, 16 Apr 2003 14:27:29 GMT https://community.cisco.com/t5/network-security/can-t-see-login-or-config-messages-in-pix-syslog/m-p/153201#M607171 hadbou 2003-04-16T14:27:29Z https://community.cisco.com/t5/network-security/can-t-see-login-or-config-messages-in-pix-syslog/m-p/153202#M607172 <HTML><HEAD></HEAD><BODY><P>It sounds like you might be looking for version control? If so , there are products that will let you do that, CiscoWorks being one of them. Every time a change is made on a router, it is recorded in the CW database, and you can go back several different versions of the config (ie - back to last month's config).</P><P></P><P>Other than those cryptic syslog messages, there is no real way to see exactly what commands were entered on the PIX...</P><P></P><P>Hope that helps....</P></BODY></HTML> Wed, 16 Apr 2003 14:37:46 GMT https://community.cisco.com/t5/network-security/can-t-see-login-or-config-messages-in-pix-syslog/m-p/153202#M607172 robhorniachek 2003-04-16T14:37:46Z https://community.cisco.com/t5/network-security/can-t-see-login-or-config-messages-in-pix-syslog/m-p/153203#M607173 <HTML><HEAD></HEAD><BODY><P>If you want to see who did what on the PIX, then you need to add authentication at the least. See <A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/authtopix.shtml" target="_blank">http://www.cisco.com/warp/public/110/authtopix.shtml</A> for details. Note in 6.3 you can use the local user database, you don't have to use a TACACS/Radius server.</P></BODY></HTML> Wed, 16 Apr 2003 23:03:08 GMT https://community.cisco.com/t5/network-security/can-t-see-login-or-config-messages-in-pix-syslog/m-p/153203#M607173 gfullage 2003-04-16T23:03:08Z