C H A P T E R 8
Syslog
System logging, otherwise known as syslog, on the Cisco PIX Firewall makes it possible for you as an administrator to gather information about the PIX unit’s traffic and performance. You can use syslog messages generated by the PIX to troubleshoot and analyze suspicious activity on the network.
This chapter describes how to configure syslog on the Cisco PIX Firewall and interpret the messages it generates.
“Do I Know This Already?” Quiz
The purpose of this quiz is to help you determine your current understanding of the topics covered in this chapter. Write down your answers and compare them to the answers in Appendix A. If you have to look at any references to correctly answer the questions, it is a good idea to read the chapter. Device activity and performance logging are very important network functions that too often are given a lower priority by many network administrators. This chapter helps you understand how syslog works on the Cisco PIX Firewall unit and how to configure it. The concepts in this chapter are the foundation of much of what you need to understand to pass the CSPFA Certification Exam. Unless you do exceptionally well on the “Do I Know This Already?” pretest and are 100% confident in your knowledge of this area, you should read through the entire chapter.
1What port does syslogd listen on by default?
2What is the total number of logging facilities available for syslog configuration?
3True or false: If the PIX is set to Warning level, critical, alert, and emergency messages are sent in addition to warning messages.
4What is the command for sending syslog messages to Telnet sessions?
5What is the logging trap command used for?
6What is the command used to enable logging on the failover PIX unit?
7Why would you use the timestamp command parameter?
8What is PFSS?
130 Chapter 8: Syslog
Foundation Topics
How Syslog Works
The syslog message facility in the Cisco PIX Firewall is a useful means to view troubleshooting messages and to watch for network events such as attacks and denials of service. The Cisco PIX Firewall reports on events and activities via syslog messages, which report on the following:
•System status—When the Cisco PIX Firewall reboots or a connection via Telnet or the console is made or disconnected.
•Accounting—The number of bytes transferred per connection.
•Security—Dropped UDP packets and denied TCP connections.
•Resources—Notification of connection and translation slot depletion.
It is important to become familiar with the logging process and logging command parameters on the PIX before you dive in and start configuring the PIX for logging. Syslog messages can be sent to a couple of different output destinations on or off the PIX unit:
•PDM logging—Logging messages can be sent to the PIX Device Manager (PDM).
•Console—Syslog messages can be configured to be sent to the console interface, where the PIX administrator (you) can view the messages in real time as they happen when you’re connected to the console interface.
•Internal memory buffer—Syslog messages can be sent to the buffer.
•Telnet console—Syslog messages can also be configured to be sent to Telnet sessions. This configuration helps you remotely administer and troubleshoot PIX units without your being physically present at the same location as the firewall.
•Syslog servers—This type of configuration is particularly useful for storing syslog messages for analysis on performance, trends, and packet activities on the PIX unit. Syslog messages are sent to UNIX servers/workstations running a syslogd daemon or to Windows NT servers running PIX Firewall Syslog Server (PFSS).
•SNMP Management station—Syslog traps can be configured to be sent to an SNMP management station.
After you decide where to send the syslog messages, you have to decide what type of messages you want to see at your output destination.
All syslog messages have a severity level; however, not all syslog messages are required to have a facility.
How Syslog Works 131
Logging Facilities
When syslog messages are sent to a server, it is important to indicate what pipe the PIX will send the messages through. The single syslog service, syslogd, can be thought of as having multiple pipes. It uses the pipes to decide where to send incoming information based on the pipe on which the information arrives. Syslogd is a daemon/service that runs on UNIX machines. In this analogy, the logging facilities are the pipes by which syslogd decides where to send information it receives—that is, which file to write to.
Eight logging facilities (16 through 23) are commonly used for syslog on the PIX. On the syslog server, the facility numbers have a corresponding identification—local0 to local7. The following are the facility numbers and their corresponding syslog identification:
•
•
•
•
•
•
•
•
local0(16)
local1(17)
local2(18)
local3(19)
local4(20)
local5(21)
local6(22)
local7(23)
The default facility is local4(20). To change the default logging facility on the PIX, you use the logging facility facility command. The following command shows the logging facility changed to 21:
Pix(config)# logging facility 21
Logging Levels
Different severity levels are attached to incoming messages. You can think of these levels as indicating the type of message. The PIX can be configured to send messages at different levels. Table 8-1 lists these levels from highest to lowest importance.
Table 8-1 |
Logging Severity Levels |
|
|
|
|
|
|
|
Level |
Numeric Code |
System Condition |
|
|
|
|
|
Emergency |
0 |
System unusable message |
|
|
|
|
|
Alert |
1 |
Take immediate action |
|
|
|
|
|
Critical |
2 |
Critical condition |
|
|
|
|
|
Error |
3 |
Error message |
|
|
|
|
|
Warning |
4 |
Warning message |
|
|
|
|
|
Notification |
5 |
Normal but significant condition |
|
|
|
|
|
Informational |
6 |
Information message |
|
|
|
|
|
Debug |
7 |
Debug message, log FTP commands, and WWW URLs |
|
|
|
|
132 Chapter 8: Syslog
Many of the logging commands require that you specify a severity level threshold to indicate which syslog messages can be sent to the output locations. The lower the level number, the more severe the syslog message. The default severity level is 3 (Error). During configuration, you can specify the severity level as either a number or a keyword, as described in Table 8-1. The level you specify causes the Cisco PIX Firewall to send the messages of that level and below to the output location. For example, if you specify severity level 3 (error), the PIX sends 0 (emergency);severity level 1 (alert); 2 (critical); and 3 (error) messages to the output location.
Configuring Syslog on the Cisco PIX Firewall
The logging command is used to configure logging on the PIX. Logging is disabled by default. Table 8-2 describes the logging command’s parameters.
Table 8-2 logging Command Parameters
Command |
Description |
logging on |
Enables the transmission of syslog messages to all output locations. |
|
You can disable sending syslog messages with the no logging on |
|
command. |
|
|
no logging message n |
Allows you to disable specific syslog messages. Use the logging |
|
message message_number command to resume logging of specific |
|
disabled messages. |
|
|
logging buffered n |
Stores syslog messages in the PIX Firewall so that you can view them |
|
with the show logging command. Cisco recommends that you use |
|
this command to view syslog messages when the PIX Firewall is in |
|
use in a network. |
|
|
clear logging |
Clears the message buffer created with the logging buffered |
|
command. |
|
|
clear logging message |
Re-enables all disabled syslog messages. |
|
|
logging console n |
Displays syslog messages on the PIX Firewall console as they occur. |
|
Use this command when you are debugging problems or when there |
|
is minimal load on the network. Do not use this command when the |
|
network is busy, because it can reduce PIX Firewall performance. |
|
|
logging monitor n |
Displays syslog messages when you access the PIX Firewall console |
|
with Telnet. |
|
|
logging host [interface] |
Specifies the host that receives the syslog messages. The PIX |
ip_address [protocol/ |
Firewall can send messages across UDP or TCP (which you specify |
port] |
by setting the protocol variable). The default UDP port is 514. The |
|
default TCP port is 1468. |
|
|
logging history |
Sets the logging level for SNMP traps. |
severity_level
Configuring Syslog on the Cisco PIX Firewall 133
Table 8-2 logging Command Parameters (Continued) (Continued)
Command |
Description |
logging queue |
Specifies how many syslog messages can appear in the message |
msg_count |
queue while awaiting processing. The default is 512 messages. Use |
|
the show logging queue command to view queue statistics. |
|
|
logging trap n |
Sets the logging level for syslog messages. |
|
|
show logging disabled |
Displays a complete list of disabled syslog messages. |
|
|
show logging |
Lists the current syslog messages and which logging command |
|
options are enabled. |
|
|
logging standby |
Lets the failover standby unit send syslog messages. |
|
|
Configuring the PIX Device Manager to View Logging
The PDM Logging panel, shown in Figure 8-1, allows you to view syslog messages that are captured in the PDM Log buffer in PIX Firewall memory. You may select the level of syslog messages you want to view. When you view the PDM Log, all the buffered syslog messages at and below the logging level you choose are displayed.
Figure 8-1 PDM Logging Interface
134 Chapter 8: Syslog
The PDM Logging panel has the following fields:
• Logging Level—Allows you to choose the level of syslog messages to view.
PDM is discussed in further detail in Chapter 11, “PIX Device Manager.”
Configuring Syslog Messages at the Console
Use the logging console command to send the syslog messages to the console interface on the Cisco PIX Firewall:
Step 1 After logging into configuration mode, enter the following:
logging on
logging console 5
The 5 indicates the logging level. In this case, it is logging notification.
Step 2 View the messages with the following command:
show logging
Viewing Messages in a Telnet Console Session
Use the logging monitor command to configure the PIX to send syslog messages to Telnet sessions. For example, after logging into configuration mode, enter the following:
logging monitor 6 terminal monitor
In this example, syslog messages 0 to 6, or emergency to informational, are sent to a Telnet session. To disable logging to Telnet, you use the no logging monitor command.
The terminal monitor displays messages directly to the Telnet session. You can disable the direct display of messages by entering the terminal no monitor command. A Telnet session sometimes is lost in busy networks when the logging monitor command is used.
Configuring the Cisco PIX Firewall to Send Syslog Messages to a Log Server
PIX syslog messages are usually sent to a syslog server or servers. The syslog servers run the syslogd daemon, which is already built into UNIX systems and that comes as the addon PFSS in Windows NT 4.0. PIX uses UDP 514 by default to send syslog messages to a syslog server. The following steps show you how to configure the PIX to send syslog messages:
Step 1 Designate a host to receive the messages with the logging host command:
logging host inside 10.1.1.10
Configuring a Syslogd Server 135
You can specify additional servers so that if one goes offline, another is available to receive messages.
Step 2 Set the logging level with the logging trap command:
logging trap informational
If needed, set the logging facility command to a value other than its default of 20. Most UNIX systems expect the messages to arrive at facility 20.
NOTE In the event that all syslog servers are offline, the Cisco PIX Firewall stores up to 100 messages in its memory. Subsequent messages that arrive overwrite the buffer starting from the first line.
Step 3 Start sending messages with the logging on command. To disable sending messages, use the no logging command.
Configuring a Syslogd Server
Because syslogd was originally a UNIX concept, the features available in the syslogd products on non-UNIX systems depend on the vendor implementation. Features might include dividing incoming messages by facility or debug level or both, resolving the names of the sending devices, and reporting facilities. For information on configuring the nonUNIX syslog server, refer to the vendor’s documentation.
NOTE Configuring the syslog server is not covered on the PIX exam.
To configure syslog on UNIX, follow these steps:
Step 1 On SunOS, AIX, HPUX, or Solaris, as root, make a backup of the /etc/ syslog.conf file before modifying it.
Step 2 Modify /etc/syslog.conf to tell the UNIX system how to sort out the syslog messages coming in from the sending devices—that is, which logging_facility.level goes in which file. Make sure there is a tab between the logging_facility.level and file_name.
Step 3 Make sure the destination file exists and is writable.
136 Chapter 8: Syslog
Step 4 The #Comment section at the beginning of syslog.conf usually explains the syntax for the UNIX system.
Step 5 Do not put file information in the ifdef section.
Step 6 As root, restart syslogd to pick up changes.
For example, if /etc/syslog.conf is set for
local7.warn /var/log/local7.warn
warning, error, critical, alert, and emergency messages coming in on the local7 logging facility are logged in the local7.warn file. Notification, informational, and debug messages coming in on the local7 facility are not logged anywhere.
If /etc/syslog.conf is set for
*.debug /var/log/all.debug
all message levels from all logging facilities go to this file.
PIX Firewall Syslog Server (PFSS)
PFSS lets you view PIX Firewall event information from a Windows NT system. It includes special features not found on other syslog servers:
•
•
The ability to receive syslog messages via TCP or UDP
Full reliability, because messages can be sent via TCP
PFSS can receive syslog messages from up to ten PIX units. You can install this product for use with any model of Cisco PIX Firewall. If you have specified that the PIX send syslog messages via TCP, the Windows NT disk might become full, and the PIX unit stops its traffic. If the Windows NT file system is full, the Windows system beeps, and the PFSS disables all TCP connections from the PIX unit(s) by closing its TCP listen socket. The PIX tries to reconnect to the PFSS five times, and during the retry, it stops all new connections through the PIX.
Configuring SNMP Traps and SNMP Requests
SNMP requests can be used to query the PIX on its system status information. If you want to send only the cold start, link up, and link down generic traps, no further configuration is required. SNMP traps send information about a particular event only when the configured threshold is reached.