Syslog
Syslog is one of the most popular methods for capturing and saving log messages. In order for syslog to work, you need to configure the host that will send the syslog messages as well as the syslog server, which will receive the syslog messages. In our case, the PIX firewall will be the host sending the log messages to a syslog server, which can be Linux/UNIX, Windows, or even Macintosh based.
294 Chapter 6 • Configuring Network Management
The syslog server determines where to place the log messages. Depending on which syslog server software is being used and how it is configured, the syslog server may write the messages to a file or send an alert to an administrator by e-mail or pager.
On a typical enterprise network, depending on the configured logging level, a busy PIX firewall can log enough messages to use up several gigabytes of space a day on the syslog server. A prudent administrator will set storage limits on the syslog server (usually in megabytes) and configure it to overwrite older messages as needed, thus ensuring that the available storage space is not overrun.
As stated previously, since logging on the PIX is disabled by default, you need to enable it:
PIX1(config)# logging on
To configure syslog on the PIX, you first need to tell the firewall which host to send the syslog messages to. To do this, use the following command:
logging host [interface] ip_address
The interface parameter specifies the interface you want to send the messages out on, and the ip_address parameter specifies the IP address of the syslog server on that interface. If not specified, the interface is assumed to be the inside interface. No log messages will be sent to syslog until you configure the logging level using the following command:
logging trap level
The level parameter specifies the severity level, as discussed later in this chapter.
Here is an example of configuring syslog on the PIX firewall:
PIX1(config)# logging host inside 192.168.50.8
PIX1(config)# logging trap debugging
PIX1(config)# logging on
PIX1(config)#
PIX1# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level debugging, 38 messages logged
Logging to inside 192.168.50.8
History logging: disabled
In this example, logging is configured to send messages to the syslog server 192.168.50.8 on the inside interface with a severity level of debugging.
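The receiving side of the configuration above, as an added example that is not part of the original chapter and not Cisco code: a minimal UDP/514 syslog receiver that decodes the PRI value into the facility (the PIX default, Facility 20, is local4) and the severity level, and a helper that mirrors how "logging trap level" filters messages. The "%PIX-level-id" header pattern, the function names and the sample message are this example's own assumptions; the sample is constructed, not a captured message.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Cisco's names for syslog severity levels 0-7, the values used by "logging trap <level>".
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]


def facility_name(facility: int) -> str:
    """Facilities 16-23 are local0-local7; the PIX default (Facility: 20) is local4."""
    return f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"


@dataclass
class SyslogRecord:
    facility: int
    severity: int             # decoded from <PRI>
    pix_level: Optional[int]  # the digit in %PIX-<level>-<id>, when present
    message_id: Optional[str]
    text: str


# Hypothetical header pattern assumed by this example: "%PIX-<level>-<id>: <text>".
PIX_HEADER = re.compile(r"%PIX-(\d)-(\d+):\s*(.*)$")


def parse_syslog(datagram: bytes) -> SyslogRecord:
    """Split one syslog datagram into facility/severity and the PIX message body.

    PRI = facility * 8 + severity, so divmod(PRI, 8) recovers both fields.
    A timestamp (from "logging timestamp") may precede the %PIX header; using
    search() tolerates that without assuming its exact format.
    """
    msg = datagram.decode("ascii", errors="replace")
    if not msg.startswith("<") or ">" not in msg:
        raise ValueError("datagram lacks a <PRI> header")
    close = msg.index(">")
    facility, severity = divmod(int(msg[1:close]), 8)
    if facility > 23:
        raise ValueError("PRI value out of range")
    body = msg[close + 1:]
    m = PIX_HEADER.search(body)
    if m:
        return SyslogRecord(facility, severity, int(m.group(1)), m.group(2), m.group(3))
    return SyslogRecord(facility, severity, None, None, body)


def passes_trap_level(record: SyslogRecord, trap_level: int) -> bool:
    """Mirror "logging trap <level>": the PIX sends messages at the configured
    severity and at every more severe (numerically lower) level."""
    return record.severity <= trap_level


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Minimal receiver for the default transport (UDP port 514). Binding 514 needs root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(2048)
        r = parse_syslog(data)
        print(f"{src} {facility_name(r.facility)}.{SEVERITY_NAMES[r.severity]} "
              f"{r.message_id or '-'}: {r.text}")


# Constructed sample laid out like a PIX connection message (facility 20, severity 6);
# the message ID and addresses are illustrative, not captured data.
SAMPLE = (b"<166>%PIX-6-302013: Built outbound TCP connection 1 for "
          b"outside:203.0.113.5/80 to inside:192.168.50.25/1049")

if __name__ == "__main__":
    rec = parse_syslog(SAMPLE)
    print(facility_name(rec.facility), SEVERITY_NAMES[rec.severity], rec.message_id)
    serve()
```

Because the datagram arrives in clear text, everything this receiver prints was equally visible to anyone on the path, which is the point made in the note on Figure 6.1 later in this section.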
When configured to use syslog, the PIX firewall will send the log messages to the syslog server using UDP port 514 by default. You can change this default behavior by entering the full form of the logging host command:
logging host [interface] ip_address [tcp|udp/port_number]
You can configure either UDP or TCP for syslog, and the port_number parameter can be any number from 1025 to 65535. TCP is not a common method for handling syslog, and most servers do not support it, but it can provide reliable logging. If you will be using a TCP connection to the syslog server, there is an important caveat to remember: if the syslog server goes down while you're using TCP, the default behavior for the PIX firewall is that all network traffic through the PIX will be blocked. Also important to remember when configuring TCP syslog is that the syslog connection will be slower than UDP, since TCP relies on the three-way handshake to start a connection and each packet must be acknowledged. This adds to the overhead of the connection and slows the sending of syslog messages to the server.
In the following example, we configure syslog using TCP. The port_number parameter has been set to 1468, which is the default TCP port used by syslog servers that accept TCP syslog from PIX firewalls. Do not forget to configure the syslog server to accept syslog messages on TCP port 1468.
PIX1(config)# logging host inside 192.168.50.9 tcp/1468
PIX1(config)# logging trap debugging
PIX1(config)# logging on
PIX1(config)#
PIX1# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level debugging, 31 messages logged
Logging to inside 192.168.50.9 tcp/1468
History logging: disabled
www.syngress.com
Although the PIX firewall can have multiple logging hosts configured, it can only use a single configuration with each logging host. In the event that your syslog server is offline, the PIX will start to queue the syslog messages in memory and then start to overwrite the held messages, starting with the oldest first. The following command is used to configure the size of the syslog message queue in memory:
logging queue msg_count
The default is 512 messages. The msg_count parameter specifies the size of the syslog message queue. If msg_count is set to 0, the queue size is unlimited and based on the available block memory.
To see the queue statistics and any discarded message statistics, use the following command:
PIX1# show logging queue
Logging Queue length limit : 512 msg(s)
Current 3 msg on queue, 5 msgs most on queue
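The queue behavior just described, modelled as an added example (not PIX code and not from the original chapter): a bounded in-memory queue where msg_count 0 means no fixed limit, a full queue overwrites the oldest held message first, and the statistics are reported in the layout of "show logging queue". The class name, the server_reachable flag and the overwrite counter are this model's own assumptions.

```python
from collections import deque
from typing import List


class SyslogQueue:
    """Hypothetical model of the PIX syslog queue set by "logging queue <msg_count>".

    msg_count 0 means no fixed limit (bounded only by block memory). When a
    bounded queue is full, the oldest held message is overwritten first.
    """

    def __init__(self, msg_count: int = 512) -> None:
        if msg_count < 0:
            raise ValueError("msg_count must be 0 (unlimited) or positive")
        self.limit = msg_count
        # deque(maxlen=None) grows without bound; deque(maxlen=n) drops the oldest entry.
        self._held: deque = deque(maxlen=msg_count or None)
        self.high_water = 0        # reported as "msgs most on queue"
        self.overwritten = 0       # messages lost to the oldest-first overwrite
        self.server_reachable = True

    def log(self, message: str) -> bool:
        """Return True if delivered; False if the server is down and the message was held."""
        if self.server_reachable:
            return True
        if self.limit and len(self._held) == self.limit:
            self.overwritten += 1  # the append below pushes out the oldest message
        self._held.append(message)
        self.high_water = max(self.high_water, len(self._held))
        return False

    def held_messages(self) -> List[str]:
        """Messages currently waiting in memory, oldest first."""
        return list(self._held)

    def show_logging_queue(self) -> str:
        """Same layout as the PIX "show logging queue" output."""
        limit = f"{self.limit} msg(s)" if self.limit else "unlimited"
        return (f"Logging Queue length limit : {limit}\n"
                f"Current {len(self._held)} msg on queue, "
                f"{self.high_water} msgs most on queue")


if __name__ == "__main__":
    q = SyslogQueue(msg_count=3)
    q.server_reachable = False
    for n in range(5):
        q.log(f"message {n}")
    print(q.show_logging_queue())
    print("overwritten:", q.overwritten, "held:", q.held_messages())
```

The overwritten counter is what makes the trade-off visible: a small msg_count bounds memory use during an outage but guarantees that the oldest evidence is the first to go, which matters when the outage itself is what you later need to investigate.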
One of the Cisco PIX firewall's features is the ability to have a failover PIX. One logging command allows the failover PIX to send syslog messages so that the log files stay synchronized if a stateful failover takes place. This command, logging standby, is disabled by default since it doubles the amount of syslog traffic on the network. Once it is enabled, you can turn it off again using the no logging standby command.
To ensure that the syslog messages are sent to the syslog server with a timestamp, configure the logging timestamp command in configuration mode. This command requires that the clock command be set on the PIX. To turn off timestamps, use the no logging timestamp command in configuration mode.
NOTE
Sometimes it is forgotten that the syslog messages are sent in plain text and should not be considered secure. In Figure 6.1, we can see a Sniffer capture, which shows that the log message is in clear text. If you are sending log files across WAN links or the Internet or have a need for high security, you should consider using an encrypted link to transmit syslog messages.
Many syslog server applications are available for both Microsoft Windows and Linux/UNIX. Virtually all Linux/UNIX systems have syslog enabled for logging local messages, and it only takes some minor adjustments to enable remote logging. Microsoft Windows requires that a syslog server be installed since syslog services are not a part of the operating system. One popular choice for a Microsoft Windows syslog server is the Kiwi Syslog Daemon, available at www.kiwisyslog.com, which runs on all versions of Windows, from Windows 98 to Windows XP. With Windows NT and Windows 2000, the Kiwi Syslog Daemon can be installed as a service. The Kiwi Syslog Server can be configured to use either UDP or TCP to accept syslog messages from the Cisco PIX firewall. Figure 6.2 shows the Kiwi Syslog Daemon default log screen.
Another choice is the free PIX Firewall Syslog Server (PFSS) available from Cisco. If you have access to Cisco CCO, you can download PFSS at www.cisco.com/cgi-bin/tablebuild.pl/pix. PFSS is a very basic syslog server for Windows that can use either UDP or TCP syslog with the Cisco PIX firewall. PFSS runs under Windows NT as a service and does not support Windows 95, Windows 98, or Windows ME. Unlike Kiwi Syslog Server, the PFSS message log file is very basic in presentation, as shown in Figure 6.3.
Figure 6.1 Sniffer Syslog Trace
Figure 6.2 The Kiwi Syslog Server Default Log Screen
Figure 6.3 The Cisco PFSS Log File
In the world of Linux/UNIX, syslog is normally a service or daemon that has been installed by default to provide local message logging. Some minor configuration changes might need to be made to enable remote syslog functions. The daemon that controls syslog on Linux/UNIX is called syslogd. This daemon is part of the normal startup of a Linux box. In the examples that follow, we use RedHat 7.1 as the Linux server.
The first requirement is to reconfigure syslogd to accept remote syslog messages. Log into the Linux machine with the proper permissions and then use the ps command to verify that syslogd is running:
linux1# ps -ef | grep syslogd
root 2000 1 0 22:03 ? 00:00:00 syslogd -m 0
As you can see from the output of this command, on this particular machine the syslog daemon is running and has a process ID of 2000. In order for the Linux syslog daemon to accept messages from remote hosts, the syslog configuration needs to be changed by adding -r to the startup configuration. This is accomplished by editing the /etc/sysconfig/syslog file and adding -r to SYSLOGD_OPTIONS so that it looks like this:
SYSLOGD_OPTIONS="-m 0 -r"
We will now restart the syslog daemon by using the following command:
linux1# /etc/rc.d/init.d/syslog restart
When syslogd has restarted, you should verify that it is running by issuing the ps command again:
linux1# ps -ef | grep syslogd
root 2160 1 0 22:05 ? 00:00:00 syslogd -m 0 -r
The system should now be ready to accept syslog messages from remote hosts.
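The RedHat procedure above, carried out and verified by a script, as an added example that is not part of the original chapter and not RedHat or sysklogd code. It edits /etc/sysconfig/syslog so that SYSLOGD_OPTIONS carries -r exactly once (safe to run repeatedly), restarts syslogd with the same init script the text uses, and then confirms from ps output that the running daemon was actually started with -r. The function names are this example's own; the ps lines in the test are constructed after the output shown above.

```python
import re
import subprocess

SYSCONFIG_PATH = "/etc/sysconfig/syslog"          # file named in the procedure (RedHat 7.1)
INIT_SCRIPT = "/etc/rc.d/init.d/syslog"           # restart command named in the procedure

_OPTIONS_LINE = re.compile(r'^(\s*SYSLOGD_OPTIONS=)"([^"]*)"\s*$')


def enable_remote_reception(config_text: str) -> str:
    """Return config_text with -r present in SYSLOGD_OPTIONS.

    Idempotent: an existing -r is left alone, other options are preserved, and
    a file with no SYSLOGD_OPTIONS line gets the line shown in the text.
    """
    out, found = [], False
    for line in config_text.splitlines():
        m = _OPTIONS_LINE.match(line)
        if m:
            opts = m.group(2).split()
            if "-r" not in opts:
                opts.append("-r")
            line = f'{m.group(1)}"{" ".join(opts)}"'
            found = True
        out.append(line)
    if not found:
        out.append('SYSLOGD_OPTIONS="-m 0 -r"')
    return "\n".join(out) + "\n"


def syslogd_accepts_remote(ps_output: str) -> bool:
    """Inspect 'ps -ef' output: True only if a running syslogd carries -r.

    The 'grep syslogd' process that appears in a piped listing is skipped so it
    cannot be mistaken for the daemon.
    """
    for line in ps_output.splitlines():
        cols = line.split()
        if "grep" in cols or "syslogd" not in cols:
            continue
        after_cmd = cols[cols.index("syslogd") + 1:]
        if "-r" in after_cmd:
            return True
    return False


def current_ps_output() -> str:
    return subprocess.run(["ps", "-ef"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    with open(SYSCONFIG_PATH) as f:
        before = f.read()
    after = enable_remote_reception(before)
    if after != before:
        with open(SYSCONFIG_PATH, "w") as f:
            f.write(after)
        subprocess.run([INIT_SCRIPT, "restart"], check=True)
    state = "on" if syslogd_accepts_remote(current_ps_output()) else "off"
    print(f"syslogd remote reception: {state}")
```

The second check matters because editing the file alone changes nothing until syslogd is restarted; reading the flags back from the process table proves the daemon you are relying on is the one with the new options.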