06-04-2003 08:46 AM - edited 03-09-2019 03:32 AM
Hi,
I wanted to know what are some of the most common PIX syslog messages that folks omit from having logged (i.e. no logging message xxxxxx).
Is it common to get rid of 106011?
Let me know.
Thanks,
Chris
06-05-2003 10:47 PM
After looking at 1000s of customers' configs, hardly any of them omit any syslogs. I guess the whole idea of logging is to capture as much as you can; it may come in handy later on. As long as it's not putting a huge load on your PIX or on your network, I would recommend logging everything, safer from a legal standpoint then, in case it's ever needed.
06-06-2003 08:23 AM
That is a good point. I make a habit to look at the syslogs everyday.
If I don't omit things, the logs are well over 1MB in size... which can be ridiculous to look at every day (i.e. over 1MB of text).
Do you, from your experience, gather that sysadmins "suck it up" and just read through the logs anyway, or do you find that many people don't look at them unless there is a problem, or that some other tool is used to look for suspicious things and then reports those events accordingly?
Let me know, I appreciate your time.
-Chris
06-09-2003 04:45 AM
In my opinion, this is one of those areas where you have to seriously consider whether or not the benefit of looking at the entire syslog is worth the amount of time it's going to take you to do it well. In my own case, it simply wasn't worth it. We have two PIX 525s terminating about 90 VPN tunnels as well as two 515s with another 20 tunnels. The 525s alone generate about 1100 syslog messages an hour, so it's just not practical to view them all. Here's my recommendation: if your network is new or if you're new to the network, it's a good idea to monitor the entire syslog. After a month or so you'll be familiar enough with the logs that you'll be able to spot anything out of the ordinary very easily. You'll also have a very good idea of which logs don't mean much and can filter those out accordingly.
My two cents.
Cody Rowland
Infrastructure Engineer
06-09-2003 08:11 AM
I appreciate you taking the time to answer.
The network isn't new... actually about 3 years old... and yes, I actually already, a while ago, blocked logging of certain messages. It's just that a couple of my offices exist in Asia, and you could imagine the amount of port scanning that goes on over there... about 10-fold of what it is in the US.
It makes me feel better that someone else deals with the same issue.
Thanks,
Chris
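As an added example, not from anyone in this thread: a small Python triage script that does on the log collector what `no logging message` does on the box, but keeps per-source deny counts before suppression so a dropped ID like 106011 still feeds a crude port-scan indicator. The sample log lines, the suppression list and the threshold are constructed for this example.

```python
import re
from collections import Counter

# PIX syslog prefix: "%PIX-<severity>-<6-digit message id>: <text>"
PIX_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
SRC_RE = re.compile(r"src \w+:(?P<ip>\d+\.\d+\.\d+\.\d+)/\d+")

# Message IDs that would be silenced on the box with "no logging message <id>" (assumed list).
SUPPRESSED = {"106011"}

def parse_line(line):
    """Return (severity, msgid, text) or None if the line is not a PIX message."""
    m = PIX_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def triage(lines, suppressed=SUPPRESSED, scan_threshold=3):
    """Count messages per ID, keep only non-suppressed lines for review, and
    flag source IPs whose deny count (suppressed IDs included) meets the threshold."""
    per_id, deny_src, kept = Counter(), Counter(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sev, msgid, text = parsed
        per_id[msgid] += 1
        if text.startswith("Deny"):          # count denies before applying suppression
            s = SRC_RE.search(text)
            if s:
                deny_src[s.group("ip")] += 1
        if msgid in suppressed:
            continue
        kept.append((sev, msgid, text))
    noisy = {ip: n for ip, n in deny_src.items() if n >= scan_threshold}
    return {"per_id": dict(per_id), "kept": kept, "noisy_sources": noisy}

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE = [
    "%PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.9/4242 dst outside:198.51.100.2/80",
    "%PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.9/4243 dst outside:198.51.100.2/81",
    "%PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.9/4244 dst outside:198.51.100.2/82",
    '%PIX-4-106023: Deny tcp src outside:203.0.113.9/4245 dst inside:10.0.0.5/22 by access-group "outside_in"',
    '%PIX-4-106023: Deny tcp src outside:203.0.113.9/4246 dst inside:10.0.0.5/23 by access-group "outside_in"',
    '%PIX-4-106023: Deny tcp src outside:203.0.113.9/4247 dst inside:10.0.0.5/25 by access-group "outside_in"',
    "%PIX-6-302013: Built inbound TCP connection 12 for outside:192.0.2.7/51000 (192.0.2.7/51000) to inside:10.0.0.5/443 (198.51.100.2/443)",
]
```

Running `triage(SAMPLE)` drops the three 106011 lines from the review list but still reports 203.0.113.9 with six denies, which is the signal the thread worries about losing.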