Logging Levels cisco

Logging Levels

Although the logging command has eight different severity levels that are used on the PIX (Levels 0 through 7), logging Level 0 (emergency) is not used. It is only represented for compatibility with UNIX syslogging. When you configure logging, you must specify a severity level by a number or keyword. When you specify a level, the PIX firewall logs all events equal to the defined level as well as the levels below it. For example, the default severity level for the PIX is 3 (error), which also logs Level 2 (critical), Level 1 (alert), and Level 0 (emergency) events. A complete list of the keywords and related levels is shown in Table 6.1.

www.syngress.com

300 Chapter 6 • Configuring System Management

Table 6.1 Logging Levels and Messages

Keyword        Level  Message
emergency      0      System unusable
alert          1      Immediate action needed
critical       2      Critical condition
error          3      Error condition
warning        4      Warning condition
notification   5      Normal but significant condition
informational  6      Informational message only
debugging      7      Only used during debugging

A system log message that the syslog server will receive is structured like this:

%PIX-Level-message_number: Message_text

The syslog messages will be prefaced with a time and date stamp and the source IP address. This will be followed by the Level, which represents the logging level of the message. For example, the message fragment %PIX-2-106016: shows us that the logging level for this message is 2 (critical). The message_number is a numeric code that is unique for the type of message. This example of 106016 is for the message “Deny IP spoof from (IP_addr) to IP_addr on interface int_name.” When you configure the PIX to suppress certain messages, you will use the numeric code to identify which message to disable.

Here are some sample messages at the various logging levels:

■ Level 1

%PIX-1-101002: (Primary) Bad failover cable.
%PIX-1-101003: (Primary) Failover cable not connected (this unit)

■ Level 2

%PIX-2-106016: Deny IP spoof from (IP_addr) to IP_addr on interface int_name.
%PIX-2-106017: Deny IP due to Land Attack from IP_addr to IP_addr.

■ Level 3

%PIX-3-201005: FTP data connection failed for IP_addr
%PIX-3-201008: The PIX is disallowing new connections.


■ Level 4

%PIX-4-403110: PPP virtual interface int_name, user: user missing MPPE key from aaa server.
%PIX-4-404101: ISAKMP: Failed to allocate address for client from pool pool_id

■ Level 5

%PIX-5-500001: ActiveX content modified src IP_addr dest IP_addr on interface int_name.
%PIX-5-500002: Java content modified src IP_addr dest IP_addr on interface int_name.

■ Level 6

%PIX-6-109005: Authentication succeeded for user 'user' from laddr/lport to faddr/fport on interface int_name.
%PIX-6-109006: Authentication failed for user 'user' from laddr/lport to faddr/fport on interface int_name.

■ Level 7

%PIX-7-702301: lifetime expiring
%PIX-7-702303: sa_request

The Cisco PIX firewall has the ability to log URL and FTP requests. URL logging captures the URL’s IP address and the names of any accessed files. FTP logging shows the IP address that is being accessed, the actions performed (file retrieved or stored), and the names of the files that were transferred. To enable URL logging, enable fixup for HTTP, set the logging level to 5 (notification), and look for the message type 304001. For example:

%PIX-5-304001: 192.168.0.10 Accessed URL 10.20.1.20:/index.html

To enable FTP logging, enable fixup for FTP, set the logging level to 6 (informational), and look for the message type 303002. For example:

%PIX-6-303002: 192.168.0.10 Retrieved 10.20.1.20:file1.bin
%PIX-6-303002: 192.168.0.10 Stored 10.20.1.20:file2.bin
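
The following Python sketch is an added example, not taken from the book. It parses the %PIX-Level-message_number format on a syslog server, applies the "configured level and everything numerically below it" rule, and pulls the client, server and file out of 304001 and 303002 messages. The timestamp and source-IP prefix layout, the addresses in the sample lines, and the function names are assumptions.

```python
import re

# Keywords in level order (index = level number), from Table 6.1.
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notification", "informational", "debugging"]

MSG_RE = re.compile(r"%PIX-(?P<level>[0-7])-(?P<msg_id>\d+): (?P<text>.*)")
# Bodies of 304001 (URL) and 303002 (FTP) as shown in the samples above.
URL_RE = re.compile(r"(?P<client>\S+) Accessed URL (?P<server>[^:\s]+):(?P<path>\S+)")
FTP_RE = re.compile(r"(?P<client>\S+) (?P<action>Retrieved|Stored) (?P<server>[^:\s]+):(?P<file>\S+)")


def parse(line):
    """Return a dict for one syslog line, or None if it has no %PIX tag."""
    m = MSG_RE.search(line)  # search() skips the timestamp/source-IP prefix
    if not m:
        return None
    rec = {"level": int(m["level"]), "keyword": LEVELS[int(m["level"])],
           "msg_id": m["msg_id"], "text": m["text"].strip()}
    if rec["msg_id"] == "304001":
        detail = URL_RE.fullmatch(rec["text"])
    elif rec["msg_id"] == "303002":
        detail = FTP_RE.fullmatch(rec["text"])
    else:
        detail = None
    if detail:
        rec.update(detail.groupdict())
    return rec


def would_log(rec, configured_level):
    """A message is sent when its level number is <= the configured level."""
    return rec["level"] <= configured_level


# Constructed sample: message formats follow the text above; the prefix
# layout and the addresses filled into 106017 are assumed for illustration.
SAMPLE = """\
Jan 10 12:00:01 192.168.0.1 %PIX-2-106017: Deny IP due to Land Attack from 10.1.1.1 to 10.1.1.1.
Jan 10 12:00:05 192.168.0.1 %PIX-5-304001: 192.168.0.10 Accessed URL 10.20.1.20:/index.html
Jan 10 12:00:09 192.168.0.1 %PIX-6-303002: 192.168.0.10 Stored 10.20.1.20:file2.bin
"""

RECORDS = [r for r in map(parse, SAMPLE.splitlines()) if r]

if __name__ == "__main__":
    for r in RECORDS:
        print(r["keyword"], r["msg_id"], "sent at default level 3:", would_log(r, 3))
```

At the default level of 3, only the 106017 record would reach the syslog server; the URL and FTP records need levels 5 and 6 respectively.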