There is a catch with the Cisco Secure PIX logging facility statement. The number you have to pass as a parameter is not the number of the "local" facility, but the low-level facility number. local4 is 20, and is the default. Facility 4 is auth. See
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1028090

-----Original Message-----
From: Ben Whittaker [mailto:ben_whittaker@yahoo.com]
Sent: Thursday, June 10, 2004 2:04 AM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] Cisco Pix configuration

Still do not have it worked out. Please help.

Pix:

logging on
logging timestamp
logging trap notifications
logging facility 4
logging queue 1024
logging host inside 10.1.1.18

test:/etc/syslog-ng # more syslog-ng.conf
#
# /etc/syslog-ng/syslog-ng.conf
#
# Automatically generated by SuSEconfig on Wed Jun 9 19:16:34 EDT 2004.
#
# PLEASE DO NOT EDIT THIS FILE!
#
# you can modify /etc/syslog-ng/syslog-ng.conf.in instead
#
#
# File format description can be found in syslog-ng.conf(5).
#
options { long_hostnames(off); sync(0); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };

source src {
    #
    # include internal syslog-ng messages
    # note: the internal() source is required!
    #
    internal();
    #
    # the following line will be replaced by the
    # socket list generated by SuSEconfig using
    # variables from /etc/sysconfig/syslog:
    #
    unix-dgram("/dev/log");
    #
    # uncomment to process log messages from network:
    #
    #udp(ip("0.0.0.0") port(514));
};

#
# filter definitions
#
filter f_console { level(warn) and facility(kern) or level(err) and not facility(authpriv); };
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_warn { level(warn, err, crit); };
filter f_alert { level(alert); };
filter f_messages { not facility(news, mail); };
filter f_local { facility(local0, local1, local2, local3, local4, local5, local6, local7); };
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };

#
# print most on tty10 and on the xconsole pipe
#
destination console { file("/dev/tty10"); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole"); };
log { source(src); filter(f_console); destination(xconsole); };

# enable this, if you want that root is informed
# immediately, e.g. of logins
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

#
# these files are rotated and examined by "news.daily"
#
destination newscrit { file("/var/log/news/news.crit"); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr { file("/var/log/news/news.err"); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# enable this, if you want to keep all news messages
# in one file
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };

#
# all email-messages in one file
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };

#
# all cron-messages in one file
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts require local7
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# all messages except the facilities news and mail
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

#
# enable this, if you want all iptables messages
# in one file
#
#destination firewall { file("/var/log/firewall"); };
#log { source(src); filter(f_iptables); destination(firewall); };

#
# Warnings in one file
#
destination warn { file("/var/log/warn"); };
log { source(src); filter(f_warn); destination(warn); };

#
# enable this, if you want to keep all messages in one file
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

#
# PIX: network source, filter and destination, then the log path
# that ties them together (only this path ever sees source(network))
#
source network { udp(); tcp(); };
filter f_pix { facility(local4); };
destination pixlog { file("/var/log/pix.log"); };
log { source(network); filter(f_pix); destination(pixlog); };
test:/etc/syslog-ng #

Bill Nash <billn@billn.net> wrote:

What about your log directives?

log { source(network); destination(pixlog); flags(final); };

- billn

On Wed, 9 Jun 2004, Ben Whittaker wrote:
Yes, Pix was logging to Kiwi.

Bill Nash wrote:

Stupid question, but: did you configure your PIX to export logs to your log server?

If it behaves like IOS, it's something as simple as:

logging

- billn

On Wed, 9 Jun 2004, Ben Whittaker wrote:

How do I set up syslog-ng for Cisco PIX?

I have added the following lines to my config:

# PIX
source network { udp(); tcp(); };
destination pixlog { file("/var/log/pix.log"); };
filter f_pix { facility(local4); };

but I am not getting any logging to this new syslog server.
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
COLT Telecom Espana S.A.
Registered office: Telemaco, 5, 28027 Madrid
Tel. +34 91 789 9000
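The facility mapping behind the reply at the top of the thread, as an added Python example that is not part of any post here and not syslog-ng's own code: it decodes the PRI of a raw syslog line into facility and severity, maps a PIX `logging facility` argument to the facility name (20 = local4, 4 = auth, as stated above), and replays the posted log paths to show that a facility-4 message arriving on source(network) matches no log path and is written nowhere, while Bill Nash's unfiltered path catches it. The sample message, hostname and PRI values are constructed for the example; the facility table is the RFC 3164 numbering, and the fallback to user.notice for a line without a usable PRI is an assumption of the example.

```python
"""Decode syslog PRI values and replay the posted syslog-ng log paths.

Added example, not code from this mailing-list thread or from the syslog-ng
project. PIX's `logging facility <n>` takes the raw syslog facility code
(16-23 for local0-local7, default 20 = local4), so a PIX configured with
`logging facility 4` tags its messages as facility 4 (auth) and the posted
`filter f_pix { facility(local4); }` never matches them. The sample
messages, hostname and message text below are constructed for this example.
"""
import re

# Facility codes from RFC 3164 (the numbering syslog-ng's facility() uses).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line):
    """Split a raw syslog line into (facility_name, severity_name, body).

    PRI = facility * 8 + severity. A line with no PRI, or a PRI above 191,
    falls back to user.notice (PRI 13); that fallback is this example's choice.
    """
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return "user", "notice", line
    fac, sev = divmod(int(m.group(1)), 8)
    return FACILITIES.get(fac, "unknown"), SEVERITIES[sev], m.group(2)


def pix_facility_name(n):
    """Facility name a PIX stamps on its messages for `logging facility <n>`.

    The argument is the raw code: 20 is local4 (the default), 4 is auth.
    """
    return FACILITIES.get(n, "unknown")


def pix_pri(logging_facility, severity_name):
    """PRI a PIX emits for a given `logging facility` value and severity."""
    return logging_facility * 8 + SEVERITIES.index(severity_name)


# Filters from the posted syslog-ng.conf, re-expressed over (facility, severity).
def f_pix(fac, sev):       # filter f_pix { facility(local4); };
    return fac == "local4"

def f_local(fac, sev):     # filter f_local { facility(local0, ..., local7); };
    return fac.startswith("local")

def f_messages(fac, sev):  # filter f_messages { not facility(news, mail); };
    return fac not in ("news", "mail")

# Log paths from the posted config that could see a PIX message, as
# (source, filter, destination). Only source(network) receives UDP/TCP
# syslog; source(src) is the local /dev/log socket.
POSTED_PATHS = [
    ("src", f_local, "/var/log/localmessages"),
    ("src", f_messages, "/var/log/messages"),
    ("network", f_pix, "/var/log/pix.log"),
]

# Bill Nash's variant: an unfiltered path for everything from the network.
UNFILTERED_PATHS = [
    ("network", None, "/var/log/pix.log"),
]


def route(line, source, paths=POSTED_PATHS):
    """Destinations a line arriving on `source` reaches under `paths`."""
    fac, sev, _ = decode_pri(line)
    return [dest for src, flt, dest in paths
            if src == source and (flt is None or flt(fac, sev))]


# Constructed sample (message id and text are illustrative): the same PIX
# notification sent with the poster's `logging facility 4` and with the
# default `logging facility 20`, both at `logging trap notifications`.
BODY = "Jun 10 02:04:00 pix %PIX-5-111008: User 'enable_15' executed the 'show logging' command."
AS_POSTED = "<%d>%s" % (pix_pri(4, "notice"), BODY)     # PRI 37  -> auth.notice
AS_DEFAULT = "<%d>%s" % (pix_pri(20, "notice"), BODY)   # PRI 165 -> local4.notice

if __name__ == "__main__":
    for label, line in (("facility 4", AS_POSTED), ("facility 20", AS_DEFAULT)):
        fac, sev, _ = decode_pri(line)
        print("%-12s PRI %s -> %s.%s -> %s" % (label, line[:line.index(">") + 1],
              fac, sev, route(line, "network") or "dropped"))
```

Running it shows the facility-4 line reaching no destination at all under the posted paths (it only arrives on source(network), whose single log path is filtered on local4), and the facility-20 line landing in /var/log/pix.log. Either setting `logging facility 20` on the PIX or dropping the facility() filter from the network path, as in Bill Nash's suggestion, makes the messages appear.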