11-08-2005 08:12 AM - edited 02-21-2020 12:30 AM
Can anyone advise on a recommended level of logging for a PIX firewall?
I tried informational and debugging but in only a couple of hours I have a 700MB log file on my syslog server!
We need to be able to investigate incidents if and when they arise retrospectively.
Thanks
11-08-2005 08:47 AM
I use 3 different solutions to log the PIX data and recommend (6) informational logging to get HTTP sites.
1. Use FireGen product for syslog analysis and purchased version of kiwisyslog to zip the files after a certain size or time.
www.eventid.net/firegen/firegenpix2.asp
2. EIQ Networks Network Security Analyzer (eiqnetworks.com) for excellent log analysis, reporting and alerting. $900 for 515 + $500 for 501-506.
3. Get the Ciscoworks VMS product for PIX, IDS & Router management and logging. Good product and multifunctional in management, alerting and IDS.
Level Number  Level Keyword  Description
0             emergency      System unusable.
1             alert          Immediate action needed.
2             critical       Critical condition.
3             error          Error condition.
4             warning        Warning condition.
5             notification   Normal but significant condition.
6             informational  Informational message only.
7             debugging      Appears during debugging only.
11-08-2005 09:57 AM
I use Level (6) also, I have used the full version of kiwi and Firegen.
I also use the program Insideout that logs everything and does charts/graphs that are nice. You can look by user or protocol.
11-08-2005 11:51 AM
The following is what I have. You can log everything, and then filter out what you don't want.
logging monitor debugging
logging buffered debugging
logging trap debugging
logging facility 21
logging queue 4096
logging host dmz 10.1.1.205
no logging message 106015
no logging message 106023
no logging message 305006
no logging message 305012
no logging message 305011
no logging message 305010
no logging message 305009
no logging message 710005
no logging message 400011
no logging message 400014
no logging message 400015
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
The no logging messages that I selected got rid of around 99% or more of the messages. I didn't want to get every url that comes to our website or that we go to.
It will be easy for you to filter out the unnecessary responses. By choosing what you want to filter, you will be able to get all of the important messages. There are several hundred logging messages, and the 18 I picked get rid of gigs worth of unnecessary logging.
Cheers,
Jim
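Deciding which message IDs to drop with "no logging message" is easier when you measure which IDs dominate your syslog volume first. The script below is an added example, not from the thread or from Cisco: it counts PIX syslog lines by message ID using the "%PIX-<severity>-<id>:" prefix, suggests "no logging message" lines for IDs that exceed a share of the total, and skips a keep set of IDs you want to retain for incident investigation. The sample log lines, the 25% threshold and the keep set of deny messages (106023, 106015) are constructed assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample lines in PIX syslog shape; not captured from a real device.
# Message IDs and severities are the ones already used in the thread's config.
SAMPLE_LOG = """\
Nov  8 08:12:01 pix %PIX-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/41212 to dmz:10.1.1.205/80
Nov  8 08:12:01 pix %PIX-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/41212 to dmz:10.1.1.205/80 duration 0:00:00 bytes 512
Nov  8 08:12:02 pix %PIX-6-305011: Built dynamic TCP translation from inside:192.0.2.10/5150 to outside:198.51.100.7/1024
Nov  8 08:12:02 pix %PIX-6-302013: Built outbound TCP connection 12346 for outside:198.51.100.9/443 to inside:192.0.2.10/5150
Nov  8 08:12:03 pix %PIX-4-106023: Deny tcp src outside:203.0.113.8/4444 dst dmz:10.1.1.205/23 by access-group "outside_in"
Nov  8 08:12:03 pix %PIX-6-302014: Teardown TCP connection 12346 for outside:198.51.100.9/443 to inside:192.0.2.10/5150 duration 0:00:01 bytes 2048
Nov  8 08:12:04 pix %PIX-6-302013: Built inbound TCP connection 12347 for outside:203.0.113.6/41213 to dmz:10.1.1.205/80
"""

# Prefix shape "%PIX-<severity 0-7>-<six digit message id>:" precedes the message text.
MSG_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d{6}):")

# Assumed keep set: deny messages an investigator usually wants even when noisy.
KEEP_FOR_INVESTIGATION = frozenset({"106023", "106015"})


def count_by_message_id(log_text):
    """Return (Counter of message id -> line count, dict of message id -> severity)."""
    counts = Counter()
    severity = {}
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not a PIX-formatted line; ignore it
        counts[m.group("id")] += 1
        severity[m.group("id")] = int(m.group("sev"))
    return counts, severity


def suggest_suppressions(counts, keep_ids=KEEP_FOR_INVESTIGATION, share_threshold=0.25):
    """Config lines for ids that make up at least share_threshold of parsed lines and are not kept."""
    total = sum(counts.values())
    return ["no logging message %s" % mid for mid, n in counts.most_common()
            if total and n / total >= share_threshold and mid not in keep_ids]


def suppressed_share(counts, suppressed_ids):
    """Fraction of parsed lines that the given suppressions would remove from the syslog feed."""
    total = sum(counts.values())
    return sum(n for mid, n in counts.items() if mid in suppressed_ids) / total if total else 0.0


if __name__ == "__main__":
    counts, _ = count_by_message_id(SAMPLE_LOG)
    lines = suggest_suppressions(counts)
    print("\n".join(lines))
    print("would remove %.0f%% of lines" % (100 * suppressed_share(counts, {l.split()[-1] for l in lines})))
```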