Logging Facility
Each syslog message has a facility number, which can be thought of as where the
message should be logged. Twenty-four different facilities are available (refer to
RFC 3164 for more information), with numerical codes ranging from 0 to 23.
The eight facilities commonly used for syslog are local0 through local7. You can
think of facilities as pipes leading to the syslogd process. The syslogd process files
or places the messages into the correct log file based on the facility or inbound
pipe. On the PIX firewall, facility configuration is optional. If used, the facility
must be defined using its numerical code:
logging facility
Table 6.2 shows the facility names associated with each of the numerical
codes.
Table 6.2 Facility Numerical Codes and Names
Numerical Code Name
16 local0
17 local1
18 local2
19 local3
20 local4
21 local5
22 local6
23 local7
The default setting for facility configuration on a Cisco PIX is local4 (20). By
changing the facility number, you can direct the syslog messages from different
Cisco PIX firewalls (or even different types and models of devices) to different
files. For example, on a Linux/UNIX machine, the /etc/syslog.conf file is configured
with this:
# PIX Firewall syslog messages
local7.* /var/log/pix/pix1
You can configure the PIX firewall to send syslog messages to the local7 log
file (/var/log/pix/pix1) using the following command:
PIX1(config)# logging facility 23
Now the PIX will send syslog messages to facility local7 on the Linux server.
Any syslog message arriving at the Linux syslogd process for facility local7 will be
stored in the /var/log/pix/pix1 log file, while any syslog message for local4
(20) will continue to go to the default message log file.
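The facility code travels in the <PRI> header that RFC 3164 places at the start of every syslog packet (PRI = facility * 8 + severity). The following is an added example, not code from the original text: it decodes that header and applies the local7 rule shown above. The sample packets, the function names and the /var/log/messages default path are assumptions made for illustration.

```python
import re

# Facility names for the codes in Table 6.2 (RFC 3164 numbering).
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}

# Routing rule mirroring the syslog.conf entry above: "local7.*" -> pix1.
# Only whole-facility ("facility.*") selectors are modelled here.
RULES = [("local7", "/var/log/pix/pix1")]
DEFAULT_LOG = "/var/log/messages"  # assumed default message log path

PRI_RE = re.compile(r"^<(\d{1,3})>")
DEFAULT_PRI = 13  # RFC 3164: priority assumed when no valid <PRI> is present


def decode_pri(packet: str):
    """Return (facility_code, severity) taken from the packet's <PRI> header."""
    m = PRI_RE.match(packet)
    pri = int(m.group(1)) if m else DEFAULT_PRI
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        pri = DEFAULT_PRI
    return divmod(pri, 8)


def route(packet: str) -> str:
    """Pick the destination log file for a packet based on its facility."""
    facility, _severity = decode_pri(packet)
    name = FACILITY_NAMES.get(facility)
    for selector, path in RULES:
        if selector == name:
            return path
    return DEFAULT_LOG


# Constructed sample packets (not captured from a real PIX).
FROM_PIX1 = "<190>pix1: constructed message, facility 23 severity 6"
FROM_PIX2 = "<166>pix2: constructed message, facility 20 severity 6"
NO_HEADER = "constructed message without a PRI header"

if __name__ == "__main__":
    for pkt in (FROM_PIX1, FROM_PIX2, NO_HEADER):
        print(decode_pri(pkt), "->", route(pkt))
```

A firewall left at the default facility (local4) lands in the default log alongside any other local4 sender, which is why giving each device or device class its own facility makes per-source review easier.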