04-10-2003 06:58 AM - edited 02-20-2020 10:40 PM
We have a PIX 525 (v6.2.2). Syslog messages are directed to a syslog server using the following config:
logging on
logging timestamp
logging trap debugging
logging host inside 10.0.0.4
Show logging gives the following output:
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level debugging, 26644891 messages logged
Logging to inside 10.0.0.4
History logging: disabled
Our problem is that we can't see any messages with regard to who did what, e.g. console login, executing 'config t', etc. We only get messages that show the various packets being passed through the PIX. There are no users defined on the PIX box; it is strictly console only (no telnet). Any chance you can help?
04-16-2003 07:27 AM
Check the following URL to get the meaning of all syslog messages.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm
Some sample messages with meanings
%PIX-5-111001: Begin configuration: IP_addr writing to device
Explanation: This message is logged when you enter the write command to store your configuration on a device (either floppy, Flash memory, TFTP, the failover standby unit, or the console terminal). The IP_addr indicates whether the login was made at the console port or via a Telnet connection.
Action: None required.
%PIX-5-111003: IP_addr Erase configuration
Explanation: This is a PIX Firewall management message. This message is logged when you erase the contents of Flash memory by entering the write erase command at the console. The IP_addr indicates whether the login was made at the console port or via a Telnet connection.
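An added example, not part of the original reply: a filter that pulls the two management messages quoted above out of a syslog file dominated by traffic messages, and checks whether a given `logging trap` level forwards them. The sample lines and the `console` source value are constructed for illustration; the function names are hypothetical.

```python
import re

# Cisco syslog severity names, as accepted by "logging trap <level>".
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Templates for the two message IDs quoted in the reply above.
MGMT_TEMPLATES = {
    "111001": re.compile(r"^Begin configuration: (?P<src>\S+) writing to .+$"),
    "111003": re.compile(r"^(?P<src>\S+) Erase configuration$"),
}

# %PIX-<severity>-<message id>: <text>; any timestamp or relay prefix is ignored.
PIX_TAG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")

def forwarded(trap_level, severity):
    """True if a message of this severity is sent at the given trap level."""
    return severity <= LEVELS.index(trap_level)

def management_events(lines):
    """Return the configuration-management events found in syslog lines."""
    events = []
    for line in lines:
        m = PIX_TAG.search(line.rstrip())
        if not m or m["msgid"] not in MGMT_TEMPLATES:
            continue  # traffic and other messages are skipped
        body = MGMT_TEMPLATES[m["msgid"]].match(m["text"])
        events.append({
            "msgid": m["msgid"],
            "severity": int(m["sev"]),
            # None means the text did not match the documented template.
            "source": body["src"] if body else None,
        })
    return events

# Constructed sample input: one traffic message and two management messages.
SAMPLE_LINES = [
    "Apr 16 2003 07:20:11: %PIX-6-302013: Built outbound TCP connection 4411 "
    "for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.25/1031 (10.0.0.25/1031)",
    "Apr 16 2003 07:27:01: %PIX-5-111001: Begin configuration: console writing to memory",
    "Apr 16 2003 07:31:40: %PIX-5-111003: 10.0.0.25 Erase configuration",
]

if __name__ == "__main__":
    for event in management_events(SAMPLE_LINES):
        print(event)
    print("level 5 sent at 'debugging':", forwarded("debugging", 5))
```

Both quoted messages are severity 5, so the `logging trap debugging` setting in the question already forwards them; a trap level of `warnings` or lower would not.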
04-16-2003 07:37 AM
It sounds like you might be looking for version control? If so, there are products that will let you do that, CiscoWorks being one of them. Every time a change is made on a router, it is recorded in the CW database, and you can go back several different versions of the config (i.e., back to last month's config).
Other than those cryptic syslog messages, there is no real way to see exactly what commands were entered on the PIX...
Hope that helps....
04-16-2003 04:03 PM
If you want to see who did what on the PIX, then you need to add authentication at the least. See http://www.cisco.com/warp/public/110/authtopix.shtml for details. Note in 6.3 you can use the local user database, you don't have to use a TACACS/Radius server.