07-22-2004 06:09 AM - edited 03-09-2019 08:09 AM
I have a PIX 506 with release 6.3(3)135. I am attempting to log individual ACLs on my PIX and I am having no luck doing this.
I have configured logging on my PIX.
logging on
logging timestamp
logging trap errors
logging facility 22
logging host inside 192.168.200.100
I have configured syslog on my FreeBSD workstation.
#/etc/rc.conf
syslogd_flags="-n -a 192.168.200.254"
#/etc/syslog.conf
local6.* /var/log/pix.log
#/etc/newsyslog.conf
/var/log/pix.log 600 30 * @T00 Z
Here is the ACL; I am attempting to log everything that hits it.
access-list inside_in permit ip 192.168.200.0 255.255.255.0 any log 7
But I am not receiving logs for that ACL when it is hit. If I set "logging trap 7", my syslog file starts filling up fast, and I can verify that the syslog traffic is being sent by watching it with tcpdump.
What am I missing?
07-22-2004 05:49 PM
Error logging is at level 3. That means error and higher severity log levels go to syslog, but higher in severity means lower in numerical value. So when you had the initial pix log config to be errors, and you had the logging on the acl line to 7, since 7 > 3, the syslogs were not sent. What you may want to do is to keep the syslog level at error, and adjust the acl line to 3. 7 is the lowest severity, and you may impact pix performance if you set the logging trap to debug (which is 7) and keep the acl line at 7 (In fact you may wind up with duplicate messages because debug will by default log everything - at least it did when I used it in pix 6.2 code). So my recommendation is to log at the error level as part of normal operation - Cisco recommends the same.
Again, higher severity means lower numerical value.
Let me know if this helps.
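The level comparison described in the reply above, as an added example that is not part of the original posts: it models the rule that a message is forwarded only when its numeric level is less than or equal to the `logging trap` level, and shows how `logging facility 22` lands on `local6` in syslog.conf. The sample messages are constructed, and the function names are hypothetical.

```python
import re

# Names accepted by "logging trap", indexed by numeric level (0 = most severe).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# PIX messages carry their level in the tag: %PIX-<level>-<message id>:
PIX_TAG = re.compile(r"%PIX-(?P<level>[0-7])-(?P<msgid>\d{6}):")

def level_number(level):
    """Return the numeric level for a name ('errors') or a number (3 or '3')."""
    text = str(level)
    if text.isdigit() and int(text) < len(LEVELS):
        return int(text)
    return LEVELS.index(text)  # raises ValueError for an unknown name

def is_forwarded(line, trap):
    """True if a message at this level passes 'logging trap <trap>'."""
    m = PIX_TAG.search(line)
    if m is None:
        raise ValueError("no %PIX tag in line")
    return int(m["level"]) <= level_number(trap)

def forwarded_ids(lines, trap):
    """Message ids that would reach the syslog host at the given trap level."""
    return [PIX_TAG.search(l)["msgid"] for l in lines if is_forwarded(l, trap)]

def syslog_target(pix_facility, level):
    """Map 'logging facility N' (16-23) to (syslog.conf facility, PRI value)."""
    if not 16 <= pix_facility <= 23:
        raise ValueError("PIX facility must be 16-23")
    return "local%d" % (pix_facility - 16), pix_facility * 8 + level_number(level)

# Constructed sample messages: the ACL entry logged at level 7, the same
# entry logged at level 3, and an unrelated level 6 connection message.
SAMPLE = [
    "%PIX-7-106100: access-list inside_in permitted tcp "
    "inside/192.168.200.10(1025) -> outside/203.0.113.5(80) hit-cnt 1 (first hit)",
    "%PIX-3-106100: access-list inside_in permitted tcp "
    "inside/192.168.200.10(1026) -> outside/203.0.113.5(80) hit-cnt 1 (first hit)",
    "%PIX-6-302013: Built outbound TCP connection 101 for "
    "outside:203.0.113.5/80 to inside:192.168.200.10/1026",
]

if __name__ == "__main__":
    for trap in ("errors", "debugging"):
        print(trap, forwarded_ids(SAMPLE, trap))
    print(syslog_target(22, "errors"))
```

With the trap at errors, only the ACL entry logged at level 3 is forwarded; at debugging, all three messages are.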
07-27-2004 02:49 AM
I have the same problem. I want all normal logging to be at error, but I want to see all traffic that is passed by a certain ACL. I thought that that was the point of being able to log on an ACL?
Can anyone clarify this?
Thanks,
Richard
08-03-2004 04:46 AM
Thank you for clearing this issue up for me. I am now logging everything the way I want to a MySQL database.