PIX 501 Logging to Syslog Server
From LinuxServerTech
To get a PIX 501 logging to a syslog server, you need a server that will agree to accept the logs from the PIX. In this example, I describe a setup where a PIX 501 logs to a Debian Etch server on the same subnet. All commands are assumed to be run from the command prompt of the Debian server and of the PIX (in enable mode, after conf term).
First, set up the syslog server. Log in as root, edit /etc/default/syslogd and modify the line that says 'SYSLOGD' to add the -r option (turn on remote logging):
SYSLOGD="-r"
Now, if we want to log to a separate file instead of the standard /var/log/syslog (/var/log/messages for you RH people), we add the following line to /etc/syslog.conf. You can put it anywhere so long as you're not breaking another rule; I put it up towards the top.
local4.* /var/log/pix.log
That turns on logging to /var/log/pix.log, but the PIX messages will also show up in /var/log/syslog, which I don't want, so I modify the rules that log to those files by adding:
local4.none
to their selectors. For example,
*.*;auth,authpriv.none,local4.none -/var/log/syslog
Note that the *.* (or facility.*) is meant to catch everything, and the selectors after the ';' take things away again. Thus, my syslog.conf file looks sorta' like this.
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none,local4.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
local4.* /var/log/pix.log
*.=debug;\
auth,authpriv.none;\
news.none;mail.none;\
local4.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none;\
local4.none -/var/log/messages
*.emerg *
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
I've removed some comments and entries that aren't relevant.
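Getting the local4.none exclusions right is fiddly, because a selector line accumulates priorities and a later "none" for the same facility clears what an earlier "*.*" or "*.=info" enabled, and a missed backslash on a continuation line silently breaks the rule. The following script is an added example, not part of the original page: it models the sysklogd selector semantics (facility lists, "*", "=prio", at-least-prio and "none", with continuation lines joined) and reports which actions a message of a given facility and priority would reach, so you can check a syslog.conf excerpt before restarting the daemon. The embedded configuration is a constructed copy of the file above; the "!" negation syntax is not modelled, and the evaluator handles any facility/priority pair, not only local4.

```python
"""Mini evaluator for sysklogd-style syslog.conf selector lines.

Added example (not from the page): replays the selectors of each rule for
one message and reports where it would be written. Useful for checking that
'local4.none' really keeps the PIX messages out of /var/log/syslog.
"""
import re

# Numeric syslog priorities (RFC 3164 order): lower number = more severe.
PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warn": 4, "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
ALL_PRIOS = set(range(8))

# facility[,facility...].priority ; a ',' after the priority also separates
# selectors, which is how sysklogd reads "auth,authpriv.none,local4.none".
SELECTOR_RE = re.compile(r"([\w*,]+)\.(=?\w+|\*)")

# Constructed excerpt shaped like the Debian Etch syslog.conf shown above.
PIX_SYSLOG_CONF = """\
auth,authpriv.*                         /var/log/auth.log
*.*;auth,authpriv.none,local4.none      -/var/log/syslog
#cron.*                                 /var/log/cron.log
daemon.*                                -/var/log/daemon.log
kern.*                                  -/var/log/kern.log
local4.*                                /var/log/pix.log
*.=debug;\\
    auth,authpriv.none;\\
    news.none;mail.none;\\
    local4.none                         -/var/log/debug
*.=info;*.=notice;*.=warn;\\
    auth,authpriv.none;\\
    cron,daemon.none;\\
    mail,news.none;\\
    local4.none                         -/var/log/messages
*.emerg                                 *
"""


def parse_conf(text):
    """Parse syslog.conf text into a list of (selectors, action) rules.

    Continuation lines (trailing backslash) are joined and the leading
    whitespace of the continued line dropped, as sysklogd does. Comments
    and blank lines are skipped; a leading '-' (no fsync) is removed from
    the action so that file names compare cleanly.
    """
    rules = []
    joined = re.sub(r"\\\n\s*", "", text)
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector_text, action = line.split(None, 1)
        selectors = []
        for facs, prio in SELECTOR_RE.findall(selector_text):
            facilities = [f for f in facs.split(",") if f]
            selectors.append((facilities, prio))
        rules.append((selectors, action.strip().lstrip("-")))
    return rules


def _matches(selectors, facility, prio_num):
    """Replay one rule's selectors for a single facility: priorities
    accumulate, 'none' clears the mask, and the final mask decides."""
    enabled = set()
    for facilities, prio in selectors:
        if "*" not in facilities and facility not in facilities:
            continue
        if prio == "none":
            enabled = set()
        elif prio == "*":
            enabled = set(ALL_PRIOS)
        elif prio.startswith("="):
            enabled.add(PRIORITIES[prio[1:]])
        else:  # plain priority means "this severity or worse"
            enabled |= {p for p in ALL_PRIOS if p <= PRIORITIES[prio]}
    return prio_num in enabled


def route(rules, facility, priority):
    """Return the actions (files, pipes or '*' for wall) that a message
    with this facility and priority reaches, in configuration order."""
    prio_num = PRIORITIES[priority]
    return [action for selectors, action in rules
            if _matches(selectors, facility, prio_num)]


if __name__ == "__main__":
    rules = parse_conf(PIX_SYSLOG_CONF)
    for fac, pri in [("local4", "info"), ("local4", "emerg"),
                     ("kern", "warn"), ("auth", "info")]:
        print(f"{fac}.{pri:<6} -> {route(rules, fac, pri)}")
```

With the exclusions in place, a local4.info message from the PIX reaches only /var/log/pix.log, while an emerg-level one also hits the "*.emerg" wall rule; feeding the same evaluator the stock Debian "/var/log/syslog" line without local4.none shows the PIX messages landing in both files, which is exactly the duplication the edit above removes.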
Now, simply restart the syslog daemon and it should be ready to go. You should see /var/log/pix.log appear. Also, running netstat -an should show something listening on UDP port 514, which means syslog now accepts remote messages (you can change this, and restrict the IPs it accepts messages from, if you like, but I'm not describing that here). One last thing before you log off the syslog server: your PIX logs are now set up to grow forever and ever. They are outside the standard logrotate definitions, so you need to create the file /etc/logrotate.d/pix with the following contents:
/var/log/pix.log {
rotate 7
daily
compress
missingok
notifempty
}
This tells logrotate to rotate pix.log every day, keeping 7 old copies in reserve (i.e., removing anything over a week old). If you want to rotate weekly, change the keyword daily to weekly. If you want to keep more than seven, change that number.
Ok, now onto the PIX. Log in, enable, do a conf term, and issue the following commands:
logging on
logging timestamp
logging trap informational
logging facility 20
logging host inside ip of syslog server
replacing ip of syslog server with the, duh, IP of the syslog server. (Facility 20 is local4, which is what the syslog.conf rules above match on.) Now, issue some bad command like ping 2.2.2.2 or something. You should see entries show up in /var/log/pix.log on your syslog server. If all is well, save the configuration with:
write mem
You are done.
