Logging Levels
Different severity levels are attached to incoming messages. You can think of these levels as
indicating the type of message. A Security Appliance can be configured to send messages at
different levels. Table 10-2 lists these levels from highest to lowest importance.
Many of the logging commands require that you specify a severity level threshold to indicate
which syslog messages can be sent to the output locations. The lower the level number, the
more severe the syslog message. The default severity level is 3 (error). During configuration,
you can specify the severity level as either a number or a keyword, as described in Table 10-2.
The level you specify causes the Cisco Security Appliance Firewall to send the messages of
that level and below to the output location. For example, if you specify severity level 3
(error), a Security Appliance, such as the PIX, sends severity level 0 (emergency), 1 (alert), 2
(critical), and 3 (error) messages to the output location.
Changing Syslog Message Levels
PIX Firewall version 6.3 gives you the option to modify the level at which a specific syslog
message is issued and to disable specific syslog messages. This feature gives you more
flexibility because you can specify which messages are logged and at what level. To
change the logging level for all syslog servers, enter the following command syntax:
logging message syslog_id [level levelid]
To change the level of a specific syslog message, enter the following command syntax:
logging message syslog_id level levelid
The variables syslog_id and levelid represent the numeric identifier of the syslog message and
the severity level assigned to it, respectively, as shown in Table 10-2.
Table 10-2  Logging Severity Levels

Level/Keyword   Numeric Code   System Condition
Emergency       0              System unusable message
Alert           1              Take immediate action
Critical        2              Critical condition
Error           3              Error message
Warning         4              Warning message
Notification    5              Normal but significant condition
Informational   6              Information message
Debug           7              Debug message, log FTP commands, and WWW URLs

Logging Facilities
When syslog messages are sent to a server, it is important to indicate through which pipe the
Security Appliance will send the messages. The single syslog service, syslogd, can be thought
of as having multiple pipes. It uses the pipes to decide where to send incoming information
based on the pipe through which the information arrives. Syslogd is a daemon/service that
runs on UNIX machines. In this analogy, the logging facilities are the pipes by which syslogd
decides where to send information it receives—that is, to which file to write.
Eight logging facilities (16 through 23) are commonly used for syslog on the Cisco Security
Appliance. On the syslog server, the facility numbers have a corresponding identification—
local0 to local7. The following are the facility numbers and their corresponding syslog
identification:
■ local0 (16)
■ local1 (17)
■ local2 (18)
■ local3 (19)
■ local4 (20)
■ local5 (21)
■ local6 (22)
■ local7 (23)
The default facility is local4 (20). To change the default logging facility on the Security
Appliance, you use the logging facility facility command. The following command shows the
logging facility changed to 21:
Pix(config)# logging facility 21
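The following Python model ties together the severity threshold rule, the per-message level changes, and the local0 to local7 facility numbers from the sections above. It is an added example written for this page, not Cisco code; it assumes the standard syslog PRI encoding (facility * 8 + severity) and a received-line layout of the form "<PRI>%PIX-level-id: text", and the message IDs and text in the sample lines are constructed for illustration only.

```python
import re

# Table 10-2 severity levels (keyword -> numeric code) and the local0-local7
# facility numbers (16-23) listed in the logging facilities section.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "informational": 6, "debug": 7}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}
FACILITY = {"local%d" % i: 16 + i for i in range(8)}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}
DEFAULT_FACILITY = FACILITY["local4"]   # 20, the appliance default
DEFAULT_THRESHOLD = SEVERITY["error"]   # 3, the default severity level

def emit(msgid, default_level, threshold=DEFAULT_THRESHOLD,
         facility=DEFAULT_FACILITY, overrides=None, disabled=()):
    """Appliance side: apply 'logging message ID level N' overrides and
    'no logging message ID' disables, then the severity threshold.
    Returns the syslog PRI (facility * 8 + severity) or None if not sent."""
    if msgid in set(disabled):
        return None
    level = (overrides or {}).get(msgid, default_level)
    if level > threshold:   # lower number = more severe; send level and below
        return None
    return facility * 8 + level

def decode_pri(pri):
    """Server side: split a PRI value back into (facility keyword, severity keyword)."""
    facility, severity = divmod(pri, 8)
    return FACILITY_NAME.get(facility, "unknown"), SEVERITY_NAME[severity]

# Assumed received-line layout "<PRI>%PIX-<level>-<id>: text" (also accepts %ASA).
LINE_RE = re.compile(r"^<(\d{1,3})>%(?:PIX|ASA)-(\d)-(\d+): (.*)$")

def parse_line(line):
    """Return (facility keyword, severity keyword, msgid, text) or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fac, sev = decode_pri(int(m.group(1)))
    return fac, sev, int(m.group(3)), m.group(4)

def filter_received(lines, threshold):
    """Server-side re-check: keep only parsable lines at 'threshold' or more severe."""
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and SEVERITY[parsed[1]] <= threshold:
            kept.append(parsed)
    return kept
```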

How Syslog Works
The syslog message facility in a Cisco Security Appliance is a useful means to view
troubleshooting messages and to watch for network events such as attacks and denials of
service. The Cisco Security Appliance reports on events and activities using syslog messages,
which report on the following:
■ System status—When the Cisco Security Appliance reboots or a connection by Telnet or
the console is made or disconnected
■ Accounting—The number of bytes transferred per connection
■ Security—Dropped User Datagram Protocol (UDP) packets and denied Transmission
Control Protocol (TCP) connections
■ Resources—Notification of connection and translation slot depletion
It is important to become familiar with the logging process and logging command parameters
on a Security Appliance before you dive in and start configuring the Cisco Security Appliance
for logging. Syslog messages can be sent to several different output destinations on or off the
Security Appliance unit:
■ ASDM logging—Logging messages can be sent to the Adaptive Security Device Manager
(ASDM).
■ Console—Syslog messages can be configured to be sent to the console interface, where
the security administrator (you) can view the messages in real time as they happen when
you are connected to the console interface.
■ Internal memory buffer—Syslog messages can be sent to the buffer.
■ Telnet console—Syslog messages also can be configured to be sent to Telnet sessions.
This configuration helps you remotely administer and troubleshoot Security Appliance
units without being physically present at the location of the firewall.
■ Syslog servers—This type of configuration is particularly useful for storing syslog
messages for analysis on performance, trends, and packet activities on the Security
Appliance unit. Syslog messages are sent to UNIX servers/workstations running a syslog
daemon or to Windows servers running PIX Firewall Syslog Server (PFSS).
■ SNMP management station—Syslog traps can be configured to be sent to an SNMP
management station.