Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf


To configure the PIX to receive SNMP requests from a management station, you need to:

- Configure the IP address of the SNMP management station with the snmp-server host command.
- Set the snmp-server options for location, contact, and the community password as required.

To configure SNMP traps on the PIX, you need to:

- Configure the IP address of the SNMP management station with the snmp-server host command.
- Set the snmp-server options for location, contact, and the community password as required.
- Set the trap with the snmp-server enable traps command.
- Set the logging level with the logging history command.

How Log Messages Are Organized

Syslog messages are listed numerically by message code. Each message is followed by a brief explanation and a recommended action. If several messages share the same explanation and recommended action, the messages are presented together, followed by the common explanation and recommended action.

The explanation of each message indicates what kind of event generated the message. Possible events include the following:

- AAA (accounting, authentication, and authorization) events
- Connection events (for example, connections denied by the PIX configuration or address translation errors)
- Failover events reported by one or both units of a failover pair
- FTP/URL events (for example, successful file transfers or blocked Java applets)
- Mail Guard/SNMP events
- PIX management events (for example, configuration events or Telnet connections to the PIX console port)
- Routing errors

138 Chapter 8: Syslog

How to Read System Log Messages

System log messages received at a syslog server begin with a percent sign (%) and are structured as follows:

%PIX-level-message_number: message_text

PIX identifies the message facility code for messages generated by the PIX Firewall.

level reflects the severity of the condition described by the message. The lower the number, the more serious the condition.

message_number is the numeric code that uniquely identifies the message.

message_text is a text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers, or usernames.

You can find more information on syslog messages at www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/syslog/pixemsgs.htm#11493.

Disabling Syslog Messages

It is possible to single out syslog messages that you do not want to receive by simply instructing the PIX not to log that particular message. Table 8-3 shows the commands used to manage the type of individual syslog messages sent by the Cisco PIX Firewall.

Table 8-3 Syslog Message Management Commands

| Command | Description |
|---|---|
| no logging message message_number | Disables syslog messages. |
| show logging disabled | Displays a list of disabled syslog messages. |
| logging message message_number | Re-enables disabled syslog messages. |
| clear logging message | Re-enables all disabled syslog messages. |


Foundation Summary

The syslog message facility in the Cisco PIX Firewall is a useful means to view troubleshooting messages and to watch for network events such as attacks and service denials. Syslog messages can be configured to be sent to

- PDM logging
- Console
- Telnet console
- Internal memory/buffer
- Syslog server
- SNMP management station

Common to all ways of viewing syslog messages is the message’s level, or severity. The level specifies the types of messages sent to the syslog host, as shown in Table 8-4.

Table 8-4 Logging Severity Levels

| Level | Numeric Code | System Condition |
|---|---|---|
| Emergency | 0 | System unusable message |
| Alert | 1 | Take immediate action |
| Critical | 2 | Critical condition |
| Error | 3 | Error message |
| Warning | 4 | Warning message |
| Notification | 5 | Normal but significant condition |
| Informational | 6 | Information message |
| Debug | 7 | Debug message, log FTP commands, and WWW URLs |

System log messages received at a syslog server begin with a percent sign (%) and are structured as follows:

%PIX-level-message_number: message_text

You can set the level with the logging command so that you can view syslog messages on the PIX Firewall console, from a syslog server, or with SNMP.
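The message structure and severity levels above, worked through on the syslog-server side as an added example (not code from the book): a Python parser that splits each record into level, message number, and text, then keeps only messages at or above a chosen severity. The names parse_pix and triage, the timestamp/host prefix, and the sample lines are assumptions constructed for illustration; the ignored set is an analyst-side filter, not the PIX's own no logging message list.

```python
import re
from typing import NamedTuple, Optional

# Severity names keyed by numeric code, as listed in Table 8-4.
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notification", 6: "Informational", 7: "Debug"}
# %PIX-level-message_number: message_text (level restricted to 0-7)
PIX_RE = re.compile(r"%PIX-(?P<level>[0-7])-(?P<number>\d+): (?P<text>.*)")

class PixMessage(NamedTuple):
    level: int
    severity: str
    number: str
    text: str

def parse_pix(line: str) -> Optional[PixMessage]:
    """Return the parsed record, or None if the line has no valid %PIX record."""
    m = PIX_RE.search(line)  # search, not match: servers prepend timestamp/host
    if m is None:
        return None
    level = int(m["level"])
    return PixMessage(level, SEVERITY[level], m["number"], m["text"].rstrip())

def triage(lines, max_level=4, ignored=frozenset()):
    """Keep records at max_level or more severe (lower number), skip ignored
    message numbers, and count lines that did not parse instead of hiding them."""
    kept, rejected = [], 0
    for line in lines:
        msg = parse_pix(line)
        if msg is None:
            rejected += 1
        elif msg.level <= max_level and msg.number not in ignored:
            kept.append(msg)
    return kept, rejected

# Constructed sample input: documentation addresses, illustrative message text.
SAMPLE = [
    "Jan 10 08:15:02 192.0.2.1 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/4021 to 192.0.2.10/23 flags SYN on interface outside",
    "Jan 10 08:15:03 192.0.2.1 %PIX-6-302001: Built outbound TCP connection 1201 for faddr 198.51.100.20/80 gaddr 192.0.2.5/1025 laddr 10.0.0.5/1025",
    "Jan 10 08:15:09 192.0.2.1 %PIX-5-111008: User 'enable_15' executed the 'no logging message 106001' command",
    "Jan 10 08:15:11 192.0.2.1 %PIX-9-000000: level outside the 0-7 range",
    "Jan 10 08:15:12 192.0.2.50 sshd[411]: not a PIX record",
]

if __name__ == "__main__":
    kept, rejected = triage(SAMPLE, max_level=5)
    for m in kept:
        print(f"{m.severity:<13} {m.number} {m.text}")
    print(f"{rejected} line(s) did not match the %PIX format")
```

With max_level=5 the constructed Notification record survives the filter, which matters here because it shows a deny message being disabled on the firewall.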


Q&A

The questions in this section are designed to ensure your understanding of the concepts discussed in this chapter and adequately prepare you to complete the exam. You should use the simulated exams on the CD to practice for the exam.

The answers to these questions can be found in Appendix .

1 What is the command for sending syslog messages to the Telnet session?
A logging console
B logging monitor
C telnet logging
D send log telnet

2 What is the logging trap command used for?

3 True or false: PFSS stands for PIX Firewall System Solution.

4 PIX Firewall can be configured to send syslog messages to all of the following except which one?
A Console
B Telnet
C Serial
D Syslog server

5 Which of the following is not an example of a severity level for syslog configuration?
A Emergency
B Alert
C Prepare
D Warning

6 What is syslogd?
A A message type that forms the syslog services
B A service that runs on UNIX machines
C A hardware subcomponent that is required for syslog configuration on the PIX
D It gathers information on IT businesses in Japan.


7 What port does syslogd use by default?
A UDP 512
B TCP 514
C TCP 512
D UDP 514

8 True or false: The default facility number on the PIX Firewall is 18.

9 How are syslog messages organized?
A They are listed numerically by message code.
B They are listed by importance level.
C They are listed by date.
D They are not organized.

10 True or false: It is possible to disable specific syslog messages.

11 Windows NT 4.0 server can work as a syslog server with what?
A IIS configured for logging
B PIX Firewall Syslog Server application installed
C PIX Device Manager
D UNIX

This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-111):

33. Understanding failover

34. Failover configuration

35. LAN-based failover configuration