Common Syslog messages to omit

ccaron
Level 1

Hi,

I wanted to know what are some of the most common PIX syslog messages that folks omit from having logged (i.e. no logging message xxxxxx).

Is it common to get rid of 106011?

Let me know.

Thanks,

Chris

4 Replies

gfullage
Cisco Employee

After looking at 1000s of customers' configs, hardly any of them omit any syslogs. I guess the whole idea of logging is to capture as much as you can; it may come in handy later on. As long as it's not putting a huge load on your PIX or on your network, I would recommend logging everything; safer from a legal standpoint then, in case it's ever needed.

That is a good point. I make a habit of looking at the syslogs every day.

If I don't omit things, the logs are well over 1MB in size, which can be ridiculous to look at every day (i.e. over 1MB of text).

Do you, from your experience, gather that sysadmins "suck it up" and just read through the logs anyway, or do you find that many people don't look at them unless there is a problem, or that some other tool is used to look for suspicious things and then reports those events accordingly?

Let me know, I appreciate your time.

-Chris

In my opinion, this is one of those areas where you have to seriously consider whether or not the benefit of looking at the entire syslog is worth the amount of time it's going to take you to do it well. In my own case, it simply wasn't worth it. We have two PIX 525s terminating about 90 VPN tunnels as well as two 515s with another 20 tunnels. The 525s alone generate about 1100 syslog messages an hour, so it's just not practical to view them all. Here's my recommendation: if your network is new or if you're new to the network, it's a good idea to monitor the entire syslog. After a month or so you'll be familiar enough with the logs that you'll be able to spot anything out of the ordinary very easily. You'll also have a very good idea of which logs don't mean much and can filter those out accordingly.

My two cents.

Cody Rowland

Infrastructure Engineer
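Cody's advice above (learn which message IDs dominate the volume before deciding what to suppress) is easy to put numbers on. The following Python script is an added example, not code from this thread or from Cisco: it tallies PIX syslog message IDs from a few constructed sample lines in the real `%PIX-<severity>-<id>:` format, and simulates what a `no logging message <id>` line would drop, so the volume reduction can be measured before the firewall config is touched. The hostnames, addresses and timestamps in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines (not taken from the thread). The
# "%PIX-<severity>-<message id>:" prefix is the real PIX syslog format;
# 106011 is the "Deny inbound (No xlate)" message the thread asks about.
SAMPLE_LOG = """\
Jan 10 09:00:01 fw01 %PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.5/4321 dst outside:198.51.100.2/80
Jan 10 09:00:02 fw01 %PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.5/4322 dst outside:198.51.100.2/443
Jan 10 09:00:03 fw01 %PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.9/1025 dst outside:198.51.100.2/22
Jan 10 09:00:05 fw01 %PIX-6-302013: Built outbound TCP connection 1200 for outside:198.51.100.50/443 (198.51.100.50/443) to inside:10.1.1.20/50001 (198.51.100.2/50001)
Jan 10 09:00:06 fw01 %PIX-6-302014: Teardown TCP connection 1200 for outside:198.51.100.50/443 to inside:10.1.1.20/50001 duration 0:00:01 bytes 5120 TCP FINs
Jan 10 09:00:07 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.9/1026 dst inside:10.1.1.20/445 by access-group "outside_in"
Jan 10 09:00:09 fw01 %PIX-3-106011: Deny inbound (No xlate) udp src outside:203.0.113.5/53 dst outside:198.51.100.2/53
Jan 10 09:00:12 fw01 %PIX-5-111008: User 'enable_15' executed the 'no logging message 106011' command.
"""

# Severity digit and six-digit message ID from the PIX prefix.
MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}):")


def parse(text):
    """Yield (severity, message_id, line) for every line carrying a PIX prefix."""
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            yield int(m.group("sev")), m.group("id"), line


def tally(text):
    """Count how many lines each message ID contributes."""
    return Counter(mid for _, mid, _ in parse(text))


def noisiest(text, n=3):
    """The n message IDs that generate the most lines, busiest first."""
    return tally(text).most_common(n)


def suppression_report(text, omit):
    """Simulate `no logging message <id>` for every ID in `omit`.

    Returns (kept_lines, dropped_count) so the reduction can be judged
    before the firewall configuration is changed. Matching is on the
    parsed message ID, not on substring, so a line that merely mentions
    an ID in its text (like the 111008 config-change audit line) survives.
    """
    kept, dropped = [], 0
    for _, mid, line in parse(text):
        if mid in omit:
            dropped += 1
        else:
            kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    for mid, count in noisiest(SAMPLE_LOG):
        print(f"{mid}: {count} lines")
    kept, dropped = suppression_report(SAMPLE_LOG, {"106011"})
    print(f"omitting 106011 drops {dropped} of {dropped + len(kept)} lines")
```

Run it against a day's worth of real syslog instead of `SAMPLE_LOG` and the `noisiest` list is the candidate set for suppression; the report also makes it visible that audit-relevant lines such as the 111008 "executed the ... command" message are kept rather than lost to a substring match.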

I appreciate you taking the time to answer.

The network isn't new...actually about 3 years old...and yes, I actually already blocked logging of certain messages a while ago. It's just that a couple of my offices exist in Asia, and you could imagine the amount of port scanning that goes on over there...about tenfold what it is in the US.

It makes me feel better that someone else deals with the same issue.

Thanks,

Chris