
sec mon & PIX monitoring

infinitingr2
Level 1

I am currently using Security Monitor 1.2.3 to monitor IDS 4235 events. I have added Cisco PIX 515 to the list of devices to be monitored by Sec Mon. The only problem is that I am NOT getting any message from PIX in the events window.

1. The instruction did NOT state that I need to configure the PIX to send events to the Sec Mon. Do I need to do so? If so, exactly what do I need to do on the PIX so as to forward messages (events, alarms, alerts) to Sec Mon?

2. What ports must I open on the PIX so as to enable sending of messages? I suspect that perhaps port 161 and 162? If so, please confirm.

3. While in Sec Mon, I checked for "connections" which would give me the status of devices monitored via Sec Mon. I only saw the IDS sensors. I suspect that perhaps PIX would not appear in the list because it is not a RDEP device. Is that correct or should I see PIX in the list?

Thanks

Ade

2 Replies

nkhawaja
Cisco Employee

Hi Ade,

You need to set up PIX to send syslog messages to the PIXMC. No ports need to be opened. Just enable syslogging and that's it.

In the connections you will only see IDS as connected tls

Thanks

Nadeem

paddyxdoyle
Level 6

Hi,

To set up logging from the PIX you need to specify the IP address of your Sec Mon server and which interface it can be reached through.

e.g. logging host inside 10.0.0.1

Set your logging severity

e.g. logging trap debugging

This will send all debug messages to Sec Mon

Also remember to turn logging on!

The following link covers the logging command on the PIX

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1028090

The ports you mentioned (161 & 162) are for SNMP, which is not required for syslogging, plus I believe the PIX doesn't filter on traffic that's sourced from itself.

I'm afraid I haven't used Security Monitor so I can't comment on your other question.

Rgds

Paddy
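
An added example, not part of the original thread and not Cisco code: the severity given to `logging trap` acts as a threshold, and this Python sketch parses the `%PIX-<severity>-<id>` tag on each message to show which ones reach the syslog host at a chosen level. The sample lines are constructed, and the function names are hypothetical.

```python
import re

# Severity keywords accepted by "logging trap"; index = syslog level, 0 is most severe.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# PIX system messages are tagged %PIX-<severity>-<message id>: <text>
PIX_TAG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d+): (?P<text>.*)")

def parse(line):
    """Return (severity, message id, text) for a PIX syslog line, or None."""
    m = PIX_TAG.search(line)
    if m is None:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def forwarded(lines, trap_level):
    """Message ids that pass the threshold set by 'logging trap <trap_level>'."""
    threshold = LEVELS.index(trap_level)
    out = []
    for line in lines:
        parsed = parse(line)
        # A message is sent when its severity number is <= the trap level.
        if parsed is not None and parsed[0] <= threshold:
            out.append(parsed[1])
    return out

# Constructed sample messages (addresses are documentation ranges, not real hosts).
SAMPLE = [
    "%PIX-2-106001: Inbound TCP connection denied from 192.0.2.10/4321 "
    "to 10.0.0.5/23 flags SYN on interface outside",
    "%PIX-4-106023: Deny tcp src outside:192.0.2.10/4321 "
    "dst inside:10.0.0.5/80 by access-group \"acl_out\"",
    "%PIX-6-302013: Built outbound TCP connection 101 for "
    "outside:192.0.2.20/80 (192.0.2.20/80) to inside:10.0.0.7/1025 (10.0.0.7/1025)",
    "%PIX-7-710005: TCP request discarded from 192.0.2.10/4321 to outside:192.0.2.1/22",
    "line without a PIX tag",
]

if __name__ == "__main__":
    for level in ("warnings", "informational", "debugging"):
        print(level, forwarded(SAMPLE, level))
```
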
