Configuring the Cisco Security Appliance to Send Syslog Messages to a Log Server

Configuring a Security Appliance to send logging information to a server helps you collect
and maintain data that can later be used for forensic and data traffic analysis. The Security
Appliance syslog messages are usually sent to a syslog server or servers. The Security
Appliance uses UDP port 514 by default to send syslog messages to a syslog server. The
syntax for configuring the Security Appliance Firewall to send syslog messages to a syslog
server is as follows:
Pixfirewall(config)#logging host [interface] ip_address [tcp[/port] | udp[/port]] [format emblem]
The variables interface and ip_address are replaced with the name of the interface on which
the syslog server resides and the Internet Protocol (IP) address of the syslog server, respectively. The
Cisco Security Appliance supports the EMBLEM format. EMBLEM syslog format is designed
to be consistent with the Cisco IOS Software format and is more compatible with CiscoWorks
management applications, such as Resource Manager Essentials (RME) syslog analyzer. Use
the option format emblem to send messages to the specified server in EMBLEM format.
NOTE This option is available only for UDP syslog messages, used by the RME syslog analyzer.
The following steps show you how to configure a Security Appliance to send syslog messages:
Step 1 Designate a host to receive the messages with the logging host command:
Pixfirewall(config)#logging host inside 10.1.1.10
260 Chapter 10: Syslog and the Cisco Security Appliance
You can specify additional servers so that if one goes offline, another is
available to receive messages.
Step 2 Set the logging level with the logging trap command:
Pixfirewall(config)#logging trap informational
If needed, set the logging facility command to a value other than its
default of 20. Most UNIX systems expect the messages to arrive at
facility 20.
Step 3 Start sending messages with the logging on command. To disable
sending messages, use the no logging command.
Step 4 To view your logging setting, enter show logging.
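The steps above configure the sending side; as an added example (not code from the book or from Cisco), the Python script below is the receiving side: a small UDP collector that accepts the datagrams sent by logging host, decodes the RFC 3164 <PRI> byte into facility (20, local4, by default) and severity (the same 0 to 7 scale used by logging trap), and splits off the optional timestamp and device-ID prefix added by the logging timestamp and logging device-id commands described later in this section. The message layout it expects is stated in the comments and is an assumption; all hostnames, addresses and message text are constructed sample values.

```python
# Added example (not from the book): a small UDP syslog collector in Python that
# receives the datagrams a Security Appliance sends with "logging host" and
# decodes the RFC 3164 <PRI> header, the optional "logging timestamp" stamp and
# the optional "logging device-id" token in front of the message body.
# All hostnames, addresses and message text are constructed sample values.
import re
import socket

# Facility 20 is local4, the Security Appliance default unless "logging facility"
# changes it; severity 0..7 matches the "logging trap" levels.
FACILITY_NAMES = {16 + i: "local%d" % i for i in range(8)}
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Layout assumed here: <PRI>, optional "Mon dd yyyy hh:mm:ss" timestamp, optional
# device-id (hostname, interface address or string) followed by " : ", then the
# body, which begins with "%PIX-" (or "%ASA-" on newer software).
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}):? )?"
    r"(?:(?P<devid>[^%\s][^\s]*) (?:: )?)?"
    r"(?P<body>%(?:PIX|ASA)-.*)$",
    re.DOTALL,
)


def parse_syslog_datagram(data: bytes) -> dict:
    """Split one datagram into facility, severity, timestamp, device id and body."""
    text = data.decode("ascii", errors="replace").rstrip("\r\n")
    m = _HEADER.match(text)
    if m is None:
        raise ValueError("not a Security Appliance syslog datagram: %r" % text[:40])
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 23, severity 7 is the maximum
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, str(facility)),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "timestamp": m.group("ts"),
        "device_id": m.group("devid"),
        "body": m.group("body"),
    }


def loopback_roundtrip(payload: bytes) -> dict:
    """Bind a collector on 127.0.0.1 (an ephemeral port stands in for UDP/514,
    which needs privileges), send one constructed datagram to it, and return the
    decoded record plus the sender address the socket reported."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))
        server.settimeout(2.0)
        client.sendto(payload, server.getsockname())
        data, peer = server.recvfrom(4096)
        record = parse_syslog_datagram(data)
        # UDP carries no authentication: the peer address is the only thing that
        # links a message to a sender besides the device-id the appliance inserts.
        record["peer"] = peer[0]
        return record
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    sample = (b"<164>Jan 01 2005 12:00:00 pixfirewall : %PIX-4-106023: Deny tcp src "
              b"outside:192.0.2.7/4321 dst inside:10.1.1.10/23 by access-group \"outside_in\"")
    for key, value in loopback_roundtrip(sample).items():
        print("%-14s %s" % (key, value))
```

The script handles a single datagram so that it can be run without privileges; a real collector loops on recvfrom and writes each record to durable storage. Because UDP delivery is silent about loss, the collector cannot tell a quiet appliance from a dropped stream, which is why the appliance's own buffer (logging buffered) and a second logging host matter for forensic completeness.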
Centrally managing several Cisco Security Appliances can be challenging if you cannot
identify the origin of a particular message that is sent to the central log server. The Security
Appliance supports defining a unique device ID for log messages sent to a syslog server. If
several Security Appliances are configured to send their syslog messages to a single syslog
server, a unique identification can be configured so the message source can be identified. To
enable this option, use the following command:
logging device-id {hostname | ipaddress if_name | string text}
Table 10-4 gives a description of the parameters of the logging device-id command.
NOTE In the event that all syslog servers are offline, the Cisco Security Appliance stores
up to 100 messages in its memory. Subsequent messages that arrive overwrite the buffer
starting from the first line. PIX buffer logging is enabled by the command logging buffered
level.
Table 10-4 logging device-id Command Parameters
Parameter | Description
hostname | The name of the Security Appliance
ipaddress | Specifies to use the IP address of the specified Security Appliance interface to uniquely identify the syslog messages from the PIX Firewall
if_name | The name of the interface with the IP address that is used to uniquely identify the syslog messages from the Security Appliance
string text | Specifies the text string to uniquely identify the syslog messages from the Security Appliance
When this feature is enabled, the message will include the specified device ID (either the
hostname or IP address of the specified interface—even if the message comes from another
interface—or a string) in messages sent to a syslog server. The Cisco Security Appliance will
insert the specified device ID into all non-EMBLEM-format syslog messages.
To disable this feature, use the following command:
no logging device-id
Sending Syslog Messages to a Telnet Session
Remotely troubleshooting or viewing real-time Security Appliance traffic patterns can be
done by configuring the PIX to send logging information to a Telnet session. The logging
monitor command configures the Security Appliance to send syslog messages to Telnet
sessions. For example, after logging into configuration mode, enter the following:
Pixfirewall(config)#logging monitor 6
Pixfirewall(config)#terminal monitor
In this example, syslog messages at levels 0 to 6, or emergency to informational, are sent to a Telnet
session. To disable logging to Telnet, you use the no logging monitor command.
The terminal monitor displays messages directly to the Telnet session. You can disable the
direct display of messages by entering the terminal no monitor command. A Telnet session
sometimes is lost in busy networks when the logging monitor command is used.

Configuring Syslog Messages at the Console
Configuring logging on the console interface is useful when you are troubleshooting or
observing traffic patterns directly from a Security Appliance. This gives you real-time
information about what is happening on the Security Appliance. To configure logging at the
Security Appliance console interface, use the logging console command as follows. After
logging into configuration mode, enter the following:
Pixfw(config)#logging on
Pixfw(config)#logging console 5
The 5 indicates the logging level. In this case, it is logging notification. From the console, you
can see the logs in real time.

Configuring the ASDM to View Logging
The ASDM Log panel, shown in Figure 10-1, allows you to view syslog messages that are
captured in the ASDM Log buffer in the Security Appliance memory. You may select the level
of syslog messages you want to view. When you view the ASDM Log, all the buffered syslog
messages at and below the logging level you choose are displayed.
Figure 10-1 ASDM Log Viewer Screen
The ASDM logging panel has the following fields:
■ Logging Level—Enables you to choose the level of syslog messages to view.
■ Buffer Limit—Sets the maximum number of log messages that will display. The default for this value is 1000.
To view the logs using the PDM interface, click the View button shown in Figure 10-1. Figure
10-2 shows a sample output of logs viewed from the PDM logging panel.
Figure 10-2 Sample ASDM Logging Output
ASDM is discussed in further detail in Chapter 15, “Adaptive Security Device Manager.”

Configuring Syslog on a Cisco Security Appliance
The logging command is used to configure logging on the PIX Firewall. Logging is disabled
by default. Table 10-3 describes the parameters of the logging command.
Table 10-3 logging Command Parameters
Command | Description
logging on | Enables the transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command.
no logging message n | Allows you to disable specific syslog messages. Use the logging message message_number command to resume logging of specific disabled messages.
logging buffered n | Stores syslog messages in the Cisco Security Appliance so that you can view them with the show logging command. Cisco Systems recommends that you use this command to view syslog messages when the PIX Security Appliance is in use on a network.
clear logging | Clears the message buffer created with the logging buffered command.
clear logging message | Reenables all disabled syslog messages.
logging console n | Displays syslog messages on a Security Appliance console as they occur. Use this command when you are debugging problems or when there is minimal load on the network. Do not use this command when the network is busy because it can reduce the Security Appliance performance.
logging monitor n | Displays syslog messages when you access the Security Appliance console with Telnet.
Table 10-3 logging Command Parameters (Continued)
Command | Description
logging device-id n | Sets the device ID that will be logged with a syslog message.
logging host [interface] ip_address [protocol/port] | Specifies the host that receives the syslog messages. A Cisco Security Appliance can send messages across UDP or TCP (which you specify by setting the protocol variable). The default UDP port is 514. The default TCP port is 1470.
logging history severity_level | Sets the logging level for SNMP traps.
logging queue msg_count | Specifies how many syslog messages can appear in the message queue while waiting for processing. The default is 512 messages. Use the show logging queue command to view queue statistics.
logging timestamp | Specifies that each message sent to the syslog server should include a timestamp to indicate when the event occurred.
logging trap n | Sets the logging level for syslog messages.
show logging disabled | Displays a complete list of disabled syslog messages.
show logging | Lists the current syslog messages and which logging command options are enabled.
logging standby | Lets the failover standby unit send syslog messages.

How to Read System Log Messages
System log messages received at a syslog server begin with a percent sign (%) and are
structured as follows:
%PIX-level-message-number: message-text
■ PIX identifies the message facility code for messages generated by the Cisco Security Appliance.
■ level reflects the severity of the condition described by the message. The lower the number, the more serious the condition.
■ message-number is the numeric code that uniquely identifies the message.
■ message-text is a text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers, or usernames.
Example 10-1 Changing the Level of a Syslog Message
pixfirewall(config)#show logging message 403503
syslog 403503: default-level errors (enabled)
pixfirewall(config)#logging message 403503 level 6
pixfirewall(config)#show logging message 403503
syslog 403503: default-level errors, current-level informational (enabled)
You can find more information on syslog messages at
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_book09186a00801582a9.html.
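As an added example (not code from the book or from Cisco), the Python module below parses the %PIX-level-message-number: message-text structure just described, pulls the interface:address/port endpoints out of message-text, and then applies the delivery rules from Table 10-3 and Example 10-1: a message reaches the server only if it has not been disabled with no logging message n and its level, after any logging message n level m override, is at or below the logging trap level. The sample lines are constructed; the six-digit message numbers are real Cisco message codes, but their text and addresses are made up for the example.

```python
# Added example (not from the book): parse "%PIX-level-message-number: message-text"
# and predict which messages the appliance will actually forward to a syslog
# server under a given "logging trap" level, "no logging message n" list and
# "logging message n level m" overrides. Sample lines are constructed.
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# %PIX-level-message-number: message-text  (newer software emits %ASA-)
_MSG = re.compile(
    r"^%(?P<facility>PIX|ASA)-(?P<level>[0-7])-(?P<number>\d{6}): (?P<text>.*)$")

# "interface:address/port" tokens that message-text often carries.
_ENDPOINT = re.compile(
    r"(?P<iface>[A-Za-z0-9_-]+):(?P<addr>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")


@dataclass(frozen=True)
class SyslogMessage:
    facility: str   # "PIX" or "ASA"
    level: int      # 0 (emergencies) .. 7 (debugging)
    number: int     # six-digit message code
    text: str

    @property
    def level_name(self) -> str:
        return SEVERITY_NAMES[self.level]

    def endpoints(self) -> List[Tuple[str, str, int]]:
        """Return (interface, address, port) triples found in message-text."""
        return [(m.group("iface"), m.group("addr"), int(m.group("port")))
                for m in _ENDPOINT.finditer(self.text)]


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Parse one message body; return None for lines that are not in the format."""
    m = _MSG.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(m.group("facility"), int(m.group("level")),
                         int(m.group("number")), m.group("text"))


def would_be_sent(msg: SyslogMessage, trap_level: int,
                  disabled: FrozenSet[int] = frozenset(),
                  overrides: Optional[Dict[int, int]] = None) -> bool:
    """Apply the appliance's rules: not disabled, and (overridden) level <= trap level."""
    effective = (overrides or {}).get(msg.number, msg.level)
    return msg.number not in disabled and effective <= trap_level


def deliverable(lines: Iterable[str], trap_level: int,
                disabled: FrozenSet[int] = frozenset(),
                overrides: Optional[Dict[int, int]] = None) -> List[int]:
    """Return the message numbers, in order, that a server would receive."""
    out = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and would_be_sent(msg, trap_level, disabled, overrides):
            out.append(msg.number)
    return out


# Constructed sample lines (message numbers are real codes; text is made up).
SAMPLE_LINES = [
    '%PIX-4-106023: Deny tcp src outside:192.0.2.7/4321 dst inside:10.1.1.10/23 '
    'by access-group "outside_in"',
    "%PIX-3-403503: PPPoE: PPP link down (sample text)",
    "%PIX-6-302013: Built outbound TCP connection 9 for outside:192.0.2.7/80 "
    "(192.0.2.7/80) to inside:10.1.1.10/1025 (203.0.113.1/1025)",
    "%PIX-7-710005: UDP request discarded from 192.0.2.7/137 to outside:203.0.113.1/137",
    "not a security appliance message",
]

if __name__ == "__main__":
    # "logging trap informational" with the Example 10-1 override applied
    print(deliverable(SAMPLE_LINES, 6, overrides={403503: 6}))
    # "logging trap errors": the override now keeps 403503 away from the server
    print(deliverable(SAMPLE_LINES, 3, overrides={403503: 6}))
```

The second call shows the practical consequence of Example 10-1: raising a message's level number lowers its priority, so a server that only receives errors and above stops seeing it. When tuning levels, run your expected message mix through this kind of filter first so that nothing your detection rules depend on is silently dropped.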

How Log Messages Are Organized
Syslog messages are listed numerically by message code. Each message is followed by a brief
explanation and a recommended action. If several messages share the same explanation and
recommended action, the messages are presented together, followed by the common
explanation and recommended action.
The explanation of each message indicates what kind of event generated the message.
Possible events include the following:
■ Authentication, authorization, and accounting (AAA) events
■ Connection events (for example, connections denied by the PIX configuration or address
translation errors)
■ Failover events reported by one or both units of a failover pair
■ File Transfer Protocol (FTP)/Uniform Resource Locator (URL) events (for example,
successful file transfers or blocked Java applets)
■ Mail Guard/SNMP events
■ Security Appliance management events (for example, configuration events or Telnet
connections to the Security Appliance console port)
■ Routing errors