Configuring the Cisco Security Appliance to Send Syslog Messages to a Log
Server
Configuring a Security Appliance to send logging information to a server helps you collect
and maintain data that can later be used for forensic and data traffic analysis. The Security
Appliance syslog messages are usually sent to a syslog server or servers. The Security
Appliance uses UDP port 514 by default to send syslog messages to a syslog server. The
syntax for configuring the Security Appliance Firewall to send syslog messages to a syslog
server is as follows:
Pixfirewall(config)#Logging host [interface] ip_address [tcp[/port] | udp[/port]]
[format emblem]
The variables [interface] and ip-address are replaced with the name of the interface on which
the syslog resides and the Internet Protocol (IP) address of the syslog server, respectively. The
Cisco Security Appliance supports the EMBLEM format. EMBLEM syslog format is designed
to be consistent with the Cisco IOS Software format and is more compatible with CiscoWorks
management applications, such as Resource Manager Essentials (RME) syslog analyzer. Use
the option format emblem to send messages to the specified server in EMBLEM format.
The following steps show you how to configure a Security Appliance to send syslog messages:
Step 1 Designate a host to receive the messages with the logging host
command:
Pixfirewall(config)#logging host inside 10.1.1.10
You can specify additional servers so that if one goes offline, another is
available to receive messages.
Step 2 Set the logging level with the logging trap command:
Pixfirewall(config)#logging trap informational
If needed, set the logging facility command to a value other than its
default of 20. Most UNIX systems expect the messages to arrive at
facility 20.
Step 3 Start sending messages with the logging on command. To disable
sending messages, use the no logging command.
Step 4 To view your logging setting, enter show logging.
Centrally managing several Cisco Security Appliances can be challenging if you cannot
identify the origin of a particular message that is sent to the central log server. The Security
Appliance supports defining a unique device ID for log messages sent to a syslog server. If
several Security Appliances are configured to send their syslog messages to a single syslog
server, a unique identification can be configured so the message source can be identified. To
enable this option, use the following command:
logging device-id {hostname | ipaddress if_name | string text}
logging device-id Command Parameters
Parameter Description
hostname The name of the Security Appliance
ipaddress Specifies to use the IP address of the specified Security Appliance interface to
uniquely identify the syslog messages from the PIX Firewall
if-name The name of the interface with the IP address that is used to uniquely identify
the syslog messages from the Security Appliance
string text Specifies the text string to uniquely identify the syslog messages from the
Security Appliance
When this feature is enabled, the message will include the specified device ID (either the
hostname or IP address of the specified interface—even if the message comes from another
interface—or a string) in messages sent to a syslog server. The Cisco Security Appliance will
insert the specified device ID into all non-EMBLEM-format syslog messages.
To disable this feature, use the following command:
no logging device-id