11-21-2007 07:52 AM - edited 03-11-2019 04:33 AM
Currently running a PIX 515E ver 6.35.
I need to log on a specific permit line in one of my access-lists and have that forwarded to a syslog server. I currently only log denies and don't want to turn on any higher logging b/c of the performance hit. So I was hoping to find a way to only log on one specific rule in the outside_inbound access-list...
I know I can set up a capture command with one specific rule for the inbound traffic in question, but is there a way to get that captured data to a syslog server?
Any help would be appreciated.
11-21-2007 09:19 AM
Hi
You can add the keyword 'log' to the appropriate access-list line, which will generate a syslog message 106100 for every matching permit or deny, as explained in:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1067755
HTH
Kev
11-21-2007 10:17 AM
If that doesn't work, you may need one more step to it. Change the logging level.
Satya
11-21-2007 10:38 AM
So I tried the logging option by itself and that doesn't work. Then I bumped up global logging to level 6 (informational) and that seemed to generate the message when the traffic matched the statement. However, b/c I have bumped the logging to 6 I now have a ton more syslogs generated for all other traffic flowing through the firewall, which is what I was trying to avoid.
Is there a better way?
Cheers
Dave
11-21-2007 11:07 AM
Well, it looks like if I set the access-list log setting to 4 it will still generate the required message (matched permit) even if my logging trap is set to 4 as well. So that pretty much gives me what I want.
Thanks for the help
Dave
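The configuration Dave ended up with, written out as an added example that is not part of the thread: PIX 6.3 syntax, with interface names, addresses and the SMTP host all constructed placeholders. The weak variant shows why the `log` keyword alone was silent; the corrected variant raises only that one line's severity so it passes the trap filter.

```text
! Added example, not from the original thread. Addresses, host and
! interface names are constructed placeholders (PIX 6.3 syntax).
!
! Message 106100 is emitted at the level given on the ACE (default 6,
! informational) and is forwarded only if that level is at or below the
! 'logging trap' level. It is rate-limited per flow: first hit, then a
! summary with hit count every 'interval' seconds (default 300).

! --- Weak: 'log' with no level -> 106100 at level 6, trap at 4 drops it.
! Raising 'logging trap' to 6 fixes that but floods the syslog server
! with every other informational message from the firewall.
logging on
logging trap warnings
logging host inside 192.0.2.10
access-list outside_inbound permit tcp any host 198.51.100.25 eq smtp log
access-list outside_inbound deny ip any any
access-group outside_inbound in interface outside

! --- Corrected: set level 4 (warnings) on the single permit line only.
! Its 106100 now passes the trap filter while global logging stays at 4,
! so no extra volume from the rest of the traffic. Denies without 'log'
! keep producing their usual deny messages as before.
logging on
logging trap warnings
logging host inside 192.0.2.10
access-list outside_inbound permit tcp any host 198.51.100.25 eq smtp log 4 interval 300
access-list outside_inbound deny ip any any
access-group outside_inbound in interface outside
```

Verify on the box with `show logging` after sending matching traffic: the 106100 entry for that ACE should appear with severity 4 and the hit count should increment at each interval.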