Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
353
Views
0
Helpful
3
Replies

Logging help

mpoul
Level 1
Level 1

‎07-22-2004 06:09 AM - edited ‎03-09-2019 08:09 AM

I have a pix 506 with release 6.3(3)135. I am attempting to log individual ACL's on my pix and I am having no luck doing this.

I have configured Logging on my pix.

logging on

logging timestamp

logging trap errors

logging facility 22

logging host inside 192.168.200.100

I have configured syslog on my FreeBSD workstation.

#/etc/rc.conf

syslogd_flags="-n -a 192.168.200.254"

#/etc/syslog.conf

local6.* /var/log/pix.log

#/etc/newsyslog.conf

/var/log/pix.log 600 30 * @T00 Z

Here is the ACL that I am attempting to log everything that hits it.

access-list inside_in permit ip 192.168.200.0 255.255.255.0 any log 7

But I am not receiving logs for that ACL when it is hit but if I set "logging trap 7" my syslog file starts filling up fast and I can verify that the syslog traffic is being sent by watching it with tcpdump.

What am I missing?

Labels:
0 Helpful
3 Replies 3

ehirsel
Level 6
Level 6

‎07-22-2004 05:49 PM

Error logging is at level 3. That means error and higher severity log levels go to syslog, but higher in severity means lower in numerical value. So when you had the initial pix log config to be errors, and you had the logging on the acl line to 7, since 7 > 3, the syslogs were not sent. What you may want to do is to keep the syslog level at error, and adjust the acl line to 3. 7 is the lowest severity, and you may impact pix performance if you set the logging trap to debug (which is 7) and keep the acl line at 7 (In fact you may wind up with duplicate messages because debug will by default log everything - at least it did when I used it in pix 6.2 code). So my recommendation is to log at the error level as part of normal operation - Cisco recommends the same.

Again higer severity means lower numerical value.

Let me know if this helps.

0 Helpful

richardmcmahon
Level 1
Level 1
In response to ehirsel

‎07-27-2004 02:49 AM

I have the same problem I want all normal logging to be at error but I want to see all traffic that is passed by a certain acl. I thought that that was the point of being able to log on an acl?

Can anyone clarify this?

Thanks,

Richard

0 Helpful

mpoul
Level 1
Level 1
In response to ehirsel

‎08-03-2004 04:46 AM

Thank you for clearing this issue up for me. I am now logging everything the way I want to a MySql database.

0 Helpful
Customers Also Viewed These Support Documents