If you don't have too many assets to log from, I found that filtering by facility proved an effective logging method.

1. Set up your PIX to send all its logs via a certain facility, for example local0. The PIX command will look something like "logging facility 16". (Note: facilities have a corresponding ID in PIX IOS. local0 starts at 16 and increments all the way to local7, which is 23.)

2. Set up the PIX to send its logs via UDP to the loghost server. Assuming your loghost is on the inside of your PIX, the command will look something like this: "logging host inside x.x.x.x". Be careful if you plan to use TCP for logging, as the PIX will not allow communication between its interfaces if your syslog server fails!

3. Now modify the syslog-ng.conf file on your loghost with the appropriate destination, filter, and log statements. For example, to capture the PIX logs and send them to a private file we would have:

destination pix { file("/var/log/pix"); };
filter f_pix { facility(local0); };
log { source(src); filter(f_pix); destination(pix); };

Restart syslog-ng and you should be in business. If you don't see enough information (or too much), play with the PIX's logging levels. There are 7 of them, with 7 being the most verbose.

Hope that helps.

Alex

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Andrew Meyer
Sent: Tuesday, December 27, 2005 9:55 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng]Pix problem

OK... is there a way to log/define all 8 logging facilities in syslog-ng? This is all new to me, and I'm following a Debian tutorial. So any other info you can give me would be awesome.

Thank you,
Andrew

--- Asher Yanich <ayanic01@cs.fiu.edu> wrote:
You will not want to set up TCP syslog from the PIX. Even though the PIX can connect and log via TCP to syslog, any error will cause the PIX to stop logging to syslog.
Here are docs for setting up logging to syslog for PIX OS 7.0. I believe the syntax is the same for 5.x and 6.x, but a quick Google search should provide you with what you need.
-asher
On 12/27/05, Andrew Meyer <andrewm659@yahoo.com> wrote:
How do I set up a PIX with syslog-ng? What are the values I can use? Do I need to specify the IP addy of the PIX? What about the protocol I want to capture; what if I want to capture UDP and TCP? How would I set it up if I wanted all the data from my PIX to go to the syslog-ng server?
Thank you, Andrew Meyer andrewm659@yahoo.com
--- Damien Michau <d.michau@ag.com> wrote:
This is the server's actual IP.

----- Original Message -----
From: "Bill Nash" <billn@billn.net>
To: <syslog-ng@lists.balabit.hu>
Sent: Tuesday, May 10, 2005 7:20 PM
Subject: Re: [syslog-ng]Pix problem
On Tue, 10 May 2005, Damien Michau wrote:
Hi all! I have some problem logging my PIX's logs into my syslog-ng server. I have set up a syslog-ng server to store my PIX's logs, but there is nothing in my pix.log. I have put these lines in my syslog-ng.conf:

source pix { udp(ip(10.60.10.111) port()); };
destination pix { file("/var/log/pix.log"); };
log { source(pix); destination(pix); };

Your source declaration shouldn't be the IP of your PIX; it should be the IP on your syslog server you wish your UDP socket to listen on. In most cases, this should just be 0.0.0.0 or your server's actual IP.
- billn
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Our network guy changed it to facility logging level 16, so should I change the local # to 16, correct?
Inside a syslog packet, facility and severity get munged together for transport, and separated at reception time. They get broken out like this (these are from /usr/include/sys/syslog.h, for reference):

Severity:
#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */

Facility:
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages */
#define LOG_FTP (11<<3) /* ftp daemon */
/* other codes through 15 reserved for system use */
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */
#define LOG_LOCAL2 (18<<3) /* reserved for local use */
#define LOG_LOCAL3 (19<<3) /* reserved for local use */
#define LOG_LOCAL4 (20<<3) /* reserved for local use */
#define LOG_LOCAL5 (21<<3) /* reserved for local use */
#define LOG_LOCAL6 (22<<3) /* reserved for local use */
#define LOG_LOCAL7 (23<<3) /* reserved for local use */

These are the basis for translating the numeric syslog levels to human readable terms.

Since your guy set to facility 16, you should be referencing 'local0'. Alex notes this in his email, but doesn't enumerate it as explicitly.

- billn

On Fri, 30 Dec 2005, Andrew Meyer wrote:
Our network guy changed it to facility logging level 16, so should I change the local # to 16, correct?
I have multiple PIXes; do I have to have an entry for each one of them? If so, how do I do this?
Ok, I'm getting the sense that there's some unfamiliarity with general syslog implementation architectures and methods, so a brief primer.

Most syslog setups are a many-to-one style setup. For a given array of servers, routers, firewalls, bananas and/or oranges, a single syslog host is designated as the collection point. Once that is done, all devices that syslog is to be collected from are then configured individually to send their logs to the collection point.

The syslog server itself, once configured, normally accepts any syslog traffic you send to it, from any host. Different requirements and networks may dictate otherwise, but this is generally the case.

Each individual device must be configured to send its traffic to the syslog server. I am unaware of any platform that is capable of automatically determining where its logging should go, and sending it along accordingly.

Each PIX, each router, switch, orange, and banana will need to have a directive in their configuration that identifies the syslog server, and the related information involved in sending it along.

- billn

On Tue, 3 Jan 2006, Andrew Meyer wrote:

I have multiple PIXes; do I have to have an entry for each one of them? If so, how do I do this?
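Putting Bill's facility/severity breakdown, Alex's facility(local0) filter and the many-to-one collector model together, here is an added example (not code from anyone in this thread) that decodes the PRI of PIX datagrams the way a collector does, keeps only the facility the filter asks for, and files each sender's lines separately, the per-sender pattern syslog-ng offers through its $HOST macro. The sender addresses and log lines are constructed; the facility and severity tables are the syslog.h values quoted above.

```python
"""Added example (not code from the thread): decode the syslog PRI the way a
collector such as syslog-ng does, and route datagrams with the same logic as
`filter f_pix { facility(local0); }` feeding a per-sender file.  Sender
addresses and log lines below are constructed for the demonstration."""
import re

# Same tables as /usr/include/sys/syslog.h: PRI = facility * 8 + severity,
# so facility = PRI >> 3 and severity = PRI & 7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", None, None, None, None,
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
LOCAL_ALL = frozenset("local%d" % i for i in range(8))   # "all 8 facilities"

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(pri):
    """Map a PRI value such as 134 to ('local0', 'info')."""
    if not 0 <= pri <= 191:               # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    fac, sev = pri >> 3, pri & 7
    name = FACILITIES[fac] or "facility%d" % fac   # codes 12..15 are reserved
    return name, SEVERITIES[sev]


def pix_facility_name(pix_number):
    """'logging facility 16' on the PIX selects local0 on the collector."""
    if not 16 <= pix_number <= 23:
        raise ValueError("PIX facility must be 16..23, got %d" % pix_number)
    return FACILITIES[pix_number]


def parse_datagram(datagram):
    """Split a BSD syslog datagram into (facility, severity, message)."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("no <PRI> header in %r" % datagram[:20])
    fac, sev = decode_pri(int(m.group(1)))
    return fac, sev, m.group(2)


def route(received, wanted=frozenset({"local0"}),
          pattern="/var/log/pix/{host}.log"):
    """Emulate syslog-ng: udp() source -> facility filter -> file(pattern).

    `received` is a list of (sender_ip, datagram) pairs as recvfrom() on a
    UDP/514 socket would return them.  Older PIX images put no hostname in
    the message, so the collector keys on the sender address, which is what
    syslog-ng's $HOST macro falls back to (the address or its DNS name).
    Returns a map of output file -> decoded lines written to it.
    """
    files = {}
    for sender, datagram in received:
        fac, sev, msg = parse_datagram(datagram)
        if fac not in wanted:
            continue                        # dropped, like a non-matching filter
        path = pattern.format(host=sender)
        files.setdefault(path, []).append("%s.%s %s" % (fac, sev, msg))
    return files


# Constructed sample traffic: two PIXes on local0 (facility 16), one PIX
# mistakenly set to facility 17 (local1), and a Unix host logging to auth.
SAMPLE = [
    ("10.60.10.5", "<134>%PIX-6-302013: Built outbound TCP connection 12"),
    ("10.60.10.5", "<131>%PIX-3-106010: Deny inbound udp src outside:192.0.2.44"),
    ("10.60.10.6", "<134>%PIX-6-106100: access-list acl_in permitted tcp"),
    ("10.60.10.7", "<142>%PIX-6-302013: Built outbound TCP connection 99"),
    ("10.60.10.8", "<38>sshd[123]: Accepted publickey for alice"),
]

if __name__ == "__main__":
    print(decode_pri(134))                          # ('local0', 'info')
    for path, lines in sorted(route(SAMPLE).items()):
        print(path, len(lines))                     # only the two local0 PIXes
    print(sorted(route(SAMPLE, wanted=LOCAL_ALL)))  # now 10.60.10.7 appears too
```

With the default filter the mis-set PIX at 10.60.10.7 silently vanishes, which is exactly the symptom of "only one PIX shows up"; widening the filter to LOCAL_ALL, or checking the PRI on the wire, is the quickest way to tell a facility mismatch from a device that never sends.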
Sorry, there must be some miscommunication; it's just that I'm only seeing logs from one PIX come in. I figured it was many-to-one.
Ok, I'm getting the sense that there's some unfamiliarity with general syslog implementation architectures and methods, so a brief primer.
Most syslog setups are a many-to-one style setup. For a given array of servers, routers, firewalls, bananas and/or oranges, a single syslog host is designated as the collection point. Once that is done, all devices that syslog is to be collected from are then configured individually to send their logs to the collection point.
The syslog server itself, once configured, normally accepts any syslog traffic you send to it, from any host. Different requirements and networks may dictate otherwise, but this is generally the case.
Each individual device must be configured to send it's traffic to the syslog server. I am unaware of any platform that is capable of automatically determining where it's logging should go, and sending it along accordingly.
Each PIX, each router, switch, orange, and banana will need to have a directive in their configuration that identifies the syslog server, and the related information involved in sending it along.
- billn
On Tue, 3 Jan 2006, Andrew Meyer wrote:
I have multiple PIXs', do i have to have a entry for each one of them? If so how do i do this?
--- Bill Nash <billn@bacchus.billn.net> wrote:
Inside a syslog packet, facility and severity get munged together for transport, and separated at reception time. They
get
broken out like this:
(these are from /usr/include/sys/syslog.h, for reference)
Severity: #define LOG_EMERG 0 /* system is unusable */ #define LOG_ALERT 1 /* action must be taken immediately */ #define LOG_CRIT 2 /* critical conditions */ #define LOG_ERR 3 /* error conditions */ #define LOG_WARNING 4 /* warning conditions */ #define LOG_NOTICE 5 /* normal but significant condition */ #define LOG_INFO 6 /* informational */ #define LOG_DEBUG 7 /* debug-level messages */
Facility: #define LOG_KERN (0<<3) /* kernel messages */ #define LOG_USER (1<<3) /* random user-level messages */ #define LOG_MAIL (2<<3) /* mail system */ #define LOG_DAEMON (3<<3) /* system daemons */ #define LOG_AUTH (4<<3) /* security/authorization messages */ #define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */ #define LOG_LPR (6<<3) /* line printer subsystem */ #define LOG_NEWS (7<<3) /* network news subsystem */ #define LOG_UUCP (8<<3) /* UUCP subsystem */ #define LOG_CRON (9<<3) /* clock daemon */ #define LOG_AUTHPRIV (10<<3) /* security/authorization messages #define LOG_FTP (11<<3) /* ftp daemon */ /* other codes through 15 reserved for system use */ #define LOG_LOCAL0 (16<<3) /* reserved for local use */ #define LOG_LOCAL1 (17<<3) /* reserved for local use */ #define LOG_LOCAL2 (18<<3) /* reserved for local use */ #define LOG_LOCAL3 (19<<3) /* reserved for local use */ #define LOG_LOCAL4 (20<<3) /* reserved for local use */ #define LOG_LOCAL5 (21<<3) /* reserved for local use */ #define LOG_LOCAL6 (22<<3) /* reserved for local use */ #define LOG_LOCAL7 (23<<3) /* reserved for local use */
These are the basis for translating the numeric syslog levels to human readable terms.
Since your guy set to facility 16, you should be referencing 'local0'. Alex notes this in his email, but doesn't enumerate it as explicitly.
- billn
On Fri, 30 Dec 2005, Andrew Meyer wrote:
Our network guy changed it to facility logging level 16, so should I change the local # to 16, correct?
--- "SOLIS, ALEX" <asolis@oppd.com> wrote:
If you don't have too many assets to log from, I found that filtering by facility proved an effective logging method.
1. Setup your pix to send all its logs via a certain facility. For example local0. The pix command will look something like "logging facility 16". (note: Facilities have a corresponding ID in PIX IOS. Local0 starts at 16 and increments all the way to local7 which is 23.)
2. Setup the PIX to send its logs via UDP to the loghost server. Assuming Your loghost is on the inside of your PIX the command will look something like this: "logging host inside x.x.x.x". Be careful if you plan to use TCP for logging as the PIX will not allow communication between its interfaces if your syslog server fails!
3. Now modify the syslog-ng.conf file on your loghost with the appropriate destination, filter, and log statements. For example, to capture the PIX logs and send them to a private file we would have:
destination pix { file("/var/log/pix"); };
filter f_pix { facility(local0); };
log { source(src); filter(f_pix); destination(pix); };
restart syslog-ng and you should be in business. If you don't see enough information (or too much) play with the PIX's logging levels. There are 7 of them with 7 being the most verbose.
Hope that helps.
Alex
-----Original Message----- From: syslog-ng-bounces@lists.balabit.hu
=== message truncated ===
I'm worth a million in prizes With my torture film Drive a GTO Wear a uniform On a government loan.
__________________________________________ Yahoo! DSL Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com
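The two technical points in the quoted thread above, billn's facility/severity table from syslog.h and Alex's facility(local0) filter, fit together in a few lines of code. The following is an added example written for this page, not code from the list or from syslog-ng: it splits the <PRI> prefix of a datagram back into facility and severity (PRI = facility * 8 + severity, which is the "<<3" in the defines), selects one facility the way syslog-ng's filter does, and counts which source hosts are actually arriving, which is the first thing to check when only one PIX shows up. The sample packets, host names and message text are constructed; the reserved12..reserved15 names for codes 12 to 15 are placeholders, since the table only says those codes are reserved.

```python
"""Decode the syslog PRI field and route messages by facility.

Added example for this thread; it is not code from the list or from
syslog-ng.  It does what a collector does at reception time: split the
<PRI> prefix back into facility and severity (PRI = facility * 8 + severity,
the "<<3" in the syslog.h defines), select one facility the way syslog-ng's
`filter f_pix { facility(local0); }` does, and count which source hosts are
actually arriving.  All packets below are constructed.
"""
import re

# Index == numeric code, from the <sys/syslog.h> table quoted in the thread.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning",
              "notice", "info", "debug"]
FACILITIES = (
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp"]
    + ["reserved%d" % n for n in range(12, 16)]  # codes 12-15: placeholder names
    + ["local%d" % n for n in range(8)]          # codes 16-23: local0..local7
)

# PRI: one to three decimal digits in angle brackets at the start of the datagram.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# BSD-style header that follows the PRI: timestamp, then the sending hostname.
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")


def decode_pri(pri):
    """Map a PRI value (0-191) to (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def encode_pri(facility, severity):
    """Inverse of decode_pri: a PIX on 'logging facility 16' at level 6 sends <134>."""
    return (FACILITIES.index(facility) << 3) | SEVERITIES.index(severity)


def parse_packet(raw):
    """Split one datagram into facility, severity, source host and message text.

    Packets with no <PRI>, a leading zero such as <01>, or PRI > 191 raise
    ValueError so the caller can count and drop them rather than misfile them.
    """
    m = PRI_RE.match(raw)
    if m is None:
        raise ValueError("missing <PRI> prefix")
    digits = m.group(1)
    if len(digits) > 1 and digits[0] == "0":
        raise ValueError("PRI must not have leading zeros")
    facility, severity = decode_pri(int(digits))
    rest = raw[m.end():]
    h = HEADER_RE.match(rest)
    host = h.group(1) if h else None  # None: no parseable BSD header
    return {"facility": facility, "severity": severity, "host": host, "msg": rest}


def route_by_facility(packets, wanted):
    """Return (messages whose facility == wanted, number of unparseable packets)."""
    selected, bad = [], 0
    for raw in packets:
        try:
            p = parse_packet(raw)
        except ValueError:
            bad += 1
            continue
        if p["facility"] == wanted:
            selected.append(p)
    return selected, bad


def hosts_seen(packets):
    """Count parseable packets per source host: which devices are really reporting?"""
    counts = {}
    for raw in packets:
        try:
            host = parse_packet(raw)["host"]
        except ValueError:
            continue
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample traffic: two PIXs on local0, a server on user,
# a router on local4, and one garbage line with no PRI at all.
SAMPLE_PACKETS = [
    "<134>Jan  3 13:52:46 pix-a %PIX-6-302013: Built outbound TCP connection",
    "<131>Jan  3 13:52:47 pix-b constructed error-level message from a second PIX",
    "<13>Jan  3 13:52:48 host1 root: user.notice from a server, not a PIX",
    "<163>Jan  3 13:52:49 rtr1 constructed local4.err message",
    "Jan  3 13:52:50 line with no PRI field at all",
]

if __name__ == "__main__":
    sel, bad = route_by_facility(SAMPLE_PACKETS, "local0")
    for p in sel:
        print("%s.%s from %s: %s" % (p["facility"], p["severity"], p["host"], p["msg"]))
    print("dropped as malformed:", bad)
    print("hosts seen:", hosts_seen(SAMPLE_PACKETS))
```

Running it selects only the two PIX lines (local0.info from pix-a, local0.err from pix-b), drops the PRI-less line, and lists every host that sent anything parseable; if a PIX you configured is missing from that list, its packets are not reaching the collector and the problem is upstream of syslog-ng.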
PIX's being what they are, I'd look into whether or not the PIX is permitting the syslog packets to actually leave the device, much less whether it's correctly configured to send.
- billn
On Tue, 3 Jan 2006, Andrew Meyer wrote:
Sorry, there must be some miscommunication; it's just that I'm only seeing logs from one PIX come in. I figured it was many-to-one.
--- Bill Nash <billn@bacchus.billn.net> wrote:
Ok, I'm getting the sense that there's some unfamiliarity with general syslog implementation architectures and methods, so a brief primer.
Most syslog setups are a many-to-one style setup. For a given array of servers, routers, firewalls, bananas and/or oranges, a single syslog host is designated as the collection point. Once that is done, all devices that syslog is to be collected from are then configured individually to send their logs to the collection point.
The syslog server itself, once configured, normally accepts any syslog traffic you send to it, from any host. Different requirements and networks may dictate otherwise, but this is generally the case.
Each individual device must be configured to send its traffic to the syslog server. I am unaware of any platform that is capable of automatically determining where its logging should go, and sending it along accordingly.
Each PIX, each router, switch, orange, and banana will need to have a directive in their configuration that identifies the syslog server, and the related information involved in sending it along.
- billn
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On Tue, 03 Jan 2006 13:52:46 PST, Bill Nash said:
Each individual device must be configured to send its traffic to the syslog server. I am unaware of any platform that is capable of automatically determining where its logging should go, and sending it along accordingly.
For what it's worth, Solaris boxes have an interesting hack, where they basically route a copy of all syslog output to whatever 'loghost' resolves to. So all you do is create a CNAME that aliases 'loghost.your.domain' to the name of your logserver, and you're done. ;)
Oh, that is sneaky, and so blaringly obvious of a hack as to be patentable. I bet it is. =)
- billn
On Tue, 3 Jan 2006, Valdis.Kletnieks@vt.edu wrote:
On Tue, 03 Jan 2006 13:52:46 PST, Bill Nash said:
Each individual device must be configured to send its traffic to the syslog server. I am unaware of any platform that is capable of automatically determining where its logging should go, and sending it along accordingly.
For what it's worth, Solaris boxes have an interesting hack, where they basically route a copy of all syslog output to whatever 'loghost' resolves to. So all you do is create a CNAME that aliases 'loghost.your.domain' to the name of your logserver, and you're done. ;)
On Tue, 03 Jan 2006 15:13:36 PST, Bill Nash said:
Oh, that is sneaky, and so blaringly obvious of a hack as to be patentable. I bet it is. =)
It may have been patentable in the past. I know that Sun started using that trick starting *ages* ago (we're talking SunOS 3.1 and 3.2 days, so we're into the 20+ years arena here), so if it had been patented, the 17-year protection would have expired already... ;)
On Tue, Jan 03, 2006 at 03:13:36PM -0800, Bill Nash wrote:
Oh, that is sneaky, and so blaringly obvious of a hack as to be patentable. I bet it is. =)
They do the same thing for "mailhost" to route mail. Good idea.
-- Nate
"Bad Command or File Name. Good try, though." -Anon.
"Press any key... no, no, no, NOT THAT ONE!" -Anon.
"Enter any 11-digit prime number to continue..." -Anon.
Hi
Though not syslog-ng specific, I feel I have to comment: The loghost statement in Solaris isn't a hack, but a lost art of mid-1980s BCPs (in the days that BSD was the "real" thing): Each server had the role name attached to the word host. So you got: loghost, mailhost, boothost, localhost (yes, localhost) etc ...
In order to exploit the loghost statement in Solaris you need to change the /etc/hosts file on each Solaris system, because this is where the loghost is defined (usually as an alias to localhost) and the name resolving is set to "file dns" (in /etc/nsswitch.conf).
Paolo
--- Valdis.Kletnieks@vt.edu wrote:
On Tue, 03 Jan 2006 13:52:46 PST, Bill Nash said:
Each individual device must be configured to send its traffic to the syslog server. I am unaware of any platform that is capable of automatically determining where its logging should go, and sending it along accordingly.
For what it's worth, Solaris boxes have an interesting hack, where they basically route a copy of all syslog output to whatever 'loghost' resolves to. So all you do is create a CNAME that aliases 'loghost.your.domain' to the name of your logserver, and you're done. ;)
participants (6)
- Andrew Meyer
- Bill Nash
- Nate Campi
- Paolo Supino
- SOLIS, ALEX
- Valdis.Kletnieks@vt.edu