[syslog-ng]Cisco Pix configuration
Ben Whittaker
syslog-ng@lists.balabit.hu
Wed, 9 Jun 2004 17:03:40 -0700 (PDT)
--0-349858647-1086825820=:27761
Content-Type: text/plain; charset=us-ascii
Still do not have it worked out.
Please help
Pix
logging on
logging timestamp
logging trap notifications
logging facility 4
logging queue 1024
logging host inside 10.1.1.18
test:/etc/syslog-ng # more syslog-ng.conf
#
# /etc/syslog-ng/syslog-ng.conf
#
# Automatically generated by SuSEconfig on Wed Jun 9 19:16:34 EDT 2004.
#
# PLEASE DO NOT EDIT THIS FILE!
#
# you can modify /etc/syslog-ng/syslog-ng.conf.in instead
#
#
# File format description can be found in syslog-ng.conf(5).
#
options { long_hostnames(off); sync(0); };
#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
source src {
#
# include internal syslog-ng messages
# note: the internal() soure is required!
#
internal();
#
# the following line will be replaced by the
# socket list generated by SuSEconfig using
# variables from /etc/sysconfig/syslog:
#
unix-dgram("/dev/log");
#
# uncomment to process log messages from network:
#
#udp(ip("0.0.0.0") port(514));
};
#
# filter definitions
#
filter f_console { level(warn) and facility(kern) or
level(err) and not facility(authpriv);
};
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_warn { level(warn, err, crit); };
filter f_alert { level(alert); };
filter f_messages { not facility(news, mail); };
filter f_local { facility(local0, local1, local2, local3,
local4, local5, local6, local7); };
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
#
# print most on tty10 and on the xconsole pipe
#
destination console { file("/dev/tty10"); };
log { source(src); filter(f_console); destination(console); };
destination xconsole { pipe("/dev/xconsole"); };
log { source(src); filter(f_console); destination(xconsole); };
# enable this, if you want that root is informed
# immediately, e.g. of logins
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };
#
# these files are rotated and examined by "news.daily"
#
destination newscrit { file("/var/log/news/news.crit"); };
log { source(src); filter(f_newscrit); destination(newscrit); };
destination newserr { file("/var/log/news/news.err"); };
log { source(src); filter(f_newserr); destination(newserr); };
destination newsnotice { file("/var/log/news/news.notice"); };
log { source(src); filter(f_newsnotice); destination(newserr); };
#
# enable this, if you want to keep all news messages
# in one file
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };
#
# all email-messages in one file
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };
#
# all cron-messages in one file
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };
#
# Some boot scripts require local7
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };
#
# all messages except the facilities news and mail
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };
#
# enable this, if you want all iptables messages
# in one file
#
#destination firewall { file("/var/log/firewall"); };
#log { source(src); filter(f_iptables); destination(firewall); };
#
# Warnings in one file
#
destination warn { file("/var/log/warn"); };
log { source(src); filter(f_warn); destination(warn); };
#
# enable this, if you want to keep all messages in one file
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };
# PIX
source network { udp () ; tcp (); };
log{source(network);filter(f_pix);destination(pixlog);};
destination pixlog { file("/var/log/pix.log"); };
filter f_pix { facility(local4); };
test:/etc/syslog-ng #
Bill Nash <billn@billn.net> wrote:
What about your log directives?
log { source(network); destination(pixlog); flags(final); };
- billn
On Wed, 9 Jun 2004, Ben Whittaker wrote:
> Yes, Pix was logging to Kiwi
>
> Bill Nash wrote:
> Stupid question, but:
> Did you configure your PIX to export logs to your log server?
>
> If it behaves like IOS, it's something as simple as:
> logging
>
> - billn
>
> On Wed, 9 Jun 2004, Ben Whittaker wrote:
>
> > How do I setup syslog-ng for cisco pix.
> >
> > I have added the following lines to my config
> >
> > # PIX
> > source network { udp () ; tcp (); };
> >
> > destination pixlog { file("/var/log/pix.log"); };
> >
> > filter f_pix { facility(local4); };
> >
> >
> >
> > but I am not getting any logging to this new syslog server.
> >
> >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > Friends. Fun. Try the all-new Yahoo! Messenger.
> > http://messenger.yahoo.com/
> > _______________________________________________
> > syslog-ng maillist - syslog-ng@lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> >
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
>
>
> ---------------------------------
> Do you Yahoo!?
> Friends. Fun. Try the all-new Yahoo! Messenger
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
---------------------------------
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger
--0-349858647-1086825820=:27761
Content-Type: text/html; charset=us-ascii
<DIV>Still do not have it worked out.</DIV>
<DIV> </DIV>
<DIV>Please help</DIV>
<DIV> </DIV>
<DIV>Pix</DIV>
<DIV> </DIV>
<DIV>logging on<BR>logging timestamp<BR>logging trap notifications<BR>logging facility 4<BR>logging queue 1024<BR>logging host inside 10.1.1.18<BR></DIV>
<DIV> </DIV>
<DIV><BR>test:/etc/syslog-ng # more syslog-ng.conf<BR>#<BR># /etc/syslog-ng/syslog-ng.conf<BR>#<BR># Automatically generated by SuSEconfig on Wed Jun 9 19:16:34 EDT 2004.<BR>#<BR># PLEASE DO NOT EDIT THIS FILE!<BR>#<BR># you can modify /etc/syslog-ng/syslog-ng.conf.in instead<BR>#<BR>#<BR># File format description can be found in syslog-ng.conf(5).<BR>#</DIV>
<DIV>options { long_hostnames(off); sync(0); };</DIV>
<DIV>#<BR># 'src' is our main source definition. you can add<BR># more sources driver definitions to it, or define<BR># your own sources, i.e.:<BR>#<BR>#source my_src { .... };</DIV>
<DIV>source src {<BR> #<BR> # include internal syslog-ng messages<BR> # note: the internal() soure is required!<BR> #<BR> internal();</DIV>
<DIV> #<BR> # the following line will be replaced by the<BR> # socket list generated by SuSEconfig using<BR> # variables from /etc/sysconfig/syslog:<BR> #<BR> unix-dgram("/dev/log");</DIV>
<DIV> #<BR> # uncomment to process log messages from network:<BR> #<BR> #udp(ip("0.0.0.0") port(514));<BR>};</DIV>
<DIV><BR>#<BR># filter definitions<BR>#<BR>filter f_console { level(warn) and facility(kern) or<BR> level(err) and not facility(authpriv);<BR> };<BR>filter f_newsnotice { level(notice) and facility(news); };<BR>filter f_newscrit { level(crit) and facility(news); };<BR>filter f_newserr { level(err) and facility(news); };<BR>filter f_news { facility(news); };<BR>filter f_mail { facility(mail); };<BR>filter f_cron { facility(cron); };<BR>filter f_warn { level(warn, err, crit); };<BR>filter f_alert {
level(alert); };<BR>filter f_messages { not facility(news, mail); };<BR>filter f_local { facility(local0, local1, local2, local3,<BR> local4, local5, local6, local7); };<BR>filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };</DIV>
<DIV><BR>#<BR># print most on tty10 and on the xconsole pipe<BR>#<BR>destination console { file("/dev/tty10"); };<BR>log { source(src); filter(f_console); destination(console); };</DIV>
<DIV>destination xconsole { pipe("/dev/xconsole"); };<BR>log { source(src); filter(f_console); destination(xconsole); };</DIV>
<DIV># enable this, if you want that root is informed<BR># immediately, e.g. of logins<BR>#destination root { usertty("root"); };<BR>#log { source(src); filter(f_alert); destination(root); };</DIV>
<DIV><BR>#<BR># these files are rotated and examined by "news.daily"<BR>#<BR>destination newscrit { file("/var/log/news/news.crit"); };<BR>log { source(src); filter(f_newscrit); destination(newscrit); };</DIV>
<DIV>destination newserr { file("/var/log/news/news.err"); };<BR>log { source(src); filter(f_newserr); destination(newserr); };</DIV>
<DIV>destination newsnotice { file("/var/log/news/news.notice"); };<BR>log { source(src); filter(f_newsnotice); destination(newserr); };</DIV>
<DIV>#<BR># enable this, if you want to keep all news messages<BR># in one file<BR>#destination news { file("/var/log/news.all"); };<BR>#log { source(src); filter(f_news); destination(news); };</DIV>
<DIV><BR>#<BR># all email-messages in one file<BR>#<BR>destination mail { file("/var/log/mail"); };<BR>log { source(src); filter(f_mail); destination(mail); };</DIV>
<DIV>#<BR># all cron-messages in one file<BR>#<BR>#destination cron { file("/var/log/cron"); };<BR>#log { source(src); filter(f_cron); destination(cron); };</DIV>
<DIV><BR>#<BR># Some boot scripts require local7<BR>#<BR>destination localmessages { file("/var/log/localmessages"); };<BR>log { source(src); filter(f_local); destination(localmessages); };</DIV>
<DIV><BR>#<BR># all messages except the facilities news and mail<BR>#<BR>destination messages { file("/var/log/messages"); };<BR>log { source(src); filter(f_messages); destination(messages); };</DIV>
<DIV><BR>#<BR># enable this, if you want all iptables messages<BR># in one file<BR>#<BR>#destination firewall { file("/var/log/firewall"); };<BR>#log { source(src); filter(f_iptables); destination(firewall); };</DIV>
<DIV><BR>#<BR># Warnings in one file<BR>#<BR>destination warn { file("/var/log/warn"); };<BR>log { source(src); filter(f_warn); destination(warn); };</DIV>
<DIV><BR>#<BR># enable this, if you want to keep all messages in one file<BR>#destination allmessages { file("/var/log/allmessages"); };<BR>#log { source(src); destination(allmessages); };</DIV>
<DIV># PIX<BR>source network { udp () ; tcp (); };</DIV>
<DIV>log{source(network);filter(f_pix);destination(pixlog);};</DIV>
<DIV><BR>destination pixlog { file("/var/log/pix.log"); };</DIV>
<DIV>filter f_pix { facility(local4); };<BR>test:/etc/syslog-ng #<BR><BR><BR><B><I>Bill Nash <billn@billn.net></I></B> wrote:</DIV>
<BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid"><BR>What about your log directives?<BR><BR>log { source(network); destination(pixlog); flags(final); };<BR><BR>- billn<BR><BR><BR>On Wed, 9 Jun 2004, Ben Whittaker wrote:<BR><BR>> Yes, Pix was logging to Kiwi<BR>><BR>> Bill Nash <BILLN@BILLN.NET>wrote:<BR>> Stupid question, but:<BR>> Did you configure your PIX to export logs to your log server?<BR>><BR>> If it behaves like IOS, it's something as simple as:<BR>> logging<BR>><BR>> - billn<BR>><BR>> On Wed, 9 Jun 2004, Ben Whittaker wrote:<BR>><BR>> > How do I setup syslog-ng for cisco pix.<BR>> ><BR>> > I have added the following lines to my config<BR>> ><BR>> > # PIX<BR>> > source network { udp () ; tcp (); };<BR>> ><BR>> > destination pixlog { file("/var/log/pix.log"); };<BR>> ><BR>> > filter f_pix { facility(local4); };<BR>>
><BR><BR><BR>> ><BR>> ><BR>> > but I am not getting any logging to this new syslog server.<BR>> ><BR>> ><BR>> ><BR>> ><BR>> > __________________________________<BR>> > Do you Yahoo!?<BR>> > Friends. Fun. Try the all-new Yahoo! Messenger.<BR>> > http://messenger.yahoo.com/<BR>> > _______________________________________________<BR>> > syslog-ng maillist - syslog-ng@lists.balabit.hu<BR>> > https://lists.balabit.hu/mailman/listinfo/syslog-ng<BR>> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html<BR>> ><BR>><BR>> _______________________________________________<BR>> syslog-ng maillist - syslog-ng@lists.balabit.hu<BR>> https://lists.balabit.hu/mailman/listinfo/syslog-ng<BR>> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html<BR>><BR>><BR>><BR>> ---------------------------------<BR>> Do you Yahoo!?<BR>> Friends. Fun.
Try the all-new Yahoo! Messenger<BR><BR>_______________________________________________<BR>syslog-ng maillist - syslog-ng@lists.balabit.hu<BR>https://lists.balabit.hu/mailman/listinfo/syslog-ng<BR>Frequently asked questions at http://www.campin.net/syslog-ng/faq.html<BR></BLOCKQUOTE><p>
<hr size=1><font face=arial size=-1>Do you Yahoo!?<br>Friends. Fun. <a href="http://messenger.yahoo.com/">Try the all-new Yahoo! Messenger</a>
--0-349858647-1086825820=:27761--