[syslog-ng]Pix problem

SOLIS, ALEX asolis at oppd.com
Wed Dec 28 14:54:52 CET 2005


If you don't have too many assets to log from, I found that filtering by facility proved an effective logging method.

  1.  Set up your PIX to send all its logs via a certain facility, for
      example local0.  The PIX command will look something like
      "logging facility 16".  (Note: facilities have a corresponding ID in
      PIX IOS.  Local0 starts at 16 and increments all the way to local7,
      which is 23.)

  2.  Set up the PIX to send its logs via UDP to the loghost server.  Assuming
      your loghost is on the inside of your PIX, the command will look
      something like this: "logging host inside x.x.x.x".  Be careful if you
      plan to use TCP for logging, as the PIX will not allow communication
      between its interfaces if your syslog server fails!

  3.  Now modify the syslog-ng.conf file on your loghost with the appropriate
      destination, filter, and log statements.  For example, to capture the
      PIX logs and send them to a private file we would have:

      # "src" is the source already defined in syslog-ng.conf; it needs a
      # udp() listener for the PIX messages to arrive at all.
      destination pix { file("/var/log/pix"); };
      filter f_pix { facility(local0); };
      log { source(src); filter(f_pix); destination(pix); };

Restart syslog-ng and you should be in business.  If you don't see enough information (or too much), play with the PIX's logging levels.  There are 7 of them, with 7 being the most verbose.

Hope that helps.

Alex
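The facility filter in the recipe above works because the PIX encodes "logging facility 16" into the syslog PRI header of every message (PRI = facility * 8 + severity, so local0 messages arrive as <128> through <135>). The following script is an added example, not code from this thread or from syslog-ng: it decodes the PRI the way syslog-ng's filter(facility(local0)) does, routes lines into a "pix" bucket, cross-checks the PRI severity against the level the PIX embeds in its own %PIX-level-id tag, and includes a minimal UDP collector that binds on the loghost's address (0.0.0.0 or its own IP), which is the point Bill Nash makes further down the thread. The sample lines, hostnames and addresses are constructed for illustration.

```python
import re
import socket

# syslog facility codes: "logging facility 16" on the PIX selects local0;
# local0..local7 are 16..23, and the PRI header is facility * 8 + severity.
LOCAL_FACILITIES = {"local%d" % i: 16 + i for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# PIX message IDs carry their own level: %PIX-<level>-<six-digit id>:
PIX_ID_RE = re.compile(r"%PIX-(\d)-(\d{6}):")


def decode_pri(line):
    """Split a raw syslog line into (facility, severity, rest-of-message)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header on line: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)


def facility_filter(name):
    """Predicate equivalent to syslog-ng's  filter f_pix { facility(local0); };"""
    code = LOCAL_FACILITIES[name]
    return lambda line: decode_pri(line)[0] == code


def pix_level_mismatch(line):
    """True when the level embedded in %PIX-n-xxxxxx disagrees with the PRI
    severity; a cheap sanity check that the facility/level mapping is intact."""
    _, severity, body = decode_pri(line)
    m = PIX_ID_RE.search(body)
    return m is not None and int(m.group(1)) != severity


def route(lines, facility="local0"):
    """Sort lines into the 'pix' bucket (matches the facility) or 'other'."""
    keep = facility_filter(facility)
    routed = {"pix": [], "other": []}
    for line in lines:
        routed["pix" if keep(line) else "other"].append(line)
    return routed


def serve(bind_ip="0.0.0.0", port=514, facility="local0", out_path="/var/log/pix"):
    """Minimal UDP collector: bind on the loghost's own address (or 0.0.0.0),
    never on the PIX's address.  Port 514 needs root; the loop runs forever."""
    keep = facility_filter(facility)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    with open(out_path, "a") as out:
        while True:
            data, (src, _) = sock.recvfrom(8192)
            line = data.decode("ascii", "replace").rstrip()
            if keep(line):
                out.write("%s %s\n" % (src, line))
                out.flush()


# Constructed sample traffic (not captured from a real device): three lines
# from a PIX configured with "logging facility 16", one from an unrelated host.
# The third PIX line deliberately carries a PRI severity (5) that does not
# match its embedded level (4).
SAMPLE = [
    '<134>Dec 28 14:50:01 fw01 %PIX-6-302013: Built outbound TCP connection 1001 '
    'for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.60.10.5/40712 (192.0.2.1/40712)',
    '<132>Dec 28 14:50:02 fw01 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4321 '
    'dst inside:10.60.10.5/23 by access-group "outside_in"',
    '<133>Dec 28 14:50:03 fw01 %PIX-4-106023: Deny udp src outside:198.51.100.7/53 '
    'dst inside:10.60.10.5/53 by access-group "outside_in"',
    '<14>Dec 28 14:50:04 websrv sshd[2231]: Accepted publickey for alice from 10.60.10.20 port 51234 ssh2',
]

if __name__ == "__main__":
    buckets = route(SAMPLE)
    for name, lines in buckets.items():
        print("%s: %d line(s)" % (name, len(lines)))
    for line in buckets["pix"]:
        fac, sev, _ = decode_pri(line)
        flag = "  <-- level mismatch" if pix_level_mismatch(line) else ""
        print("local%d/%-7s %s%s" % (fac - 16, SEVERITIES[sev], line[:60], flag))
```

Run it as-is to see the routing over the constructed lines; to use the collector, call serve() as root (or with a high port and a matching "logging port" on the PIX) and point the PIX at the loghost's address with "logging host inside x.x.x.x".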


-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Andrew Meyer
Sent: Tuesday, December 27, 2005 9:55 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng]Pix problem

OK.....is there a way to log/define all 8 logging
facilities in syslog-ng?  This is all new to me, and I'm
following a Debian tutorial.  So any other info you
can give me would be awesome.

Thank you,
Andrew

--- Asher Yanich <ayanic01 at cs.fiu.edu> wrote:

> You will not want to set up TCP syslog from the PIX.  Even though the
> PIX can connect and log via TCP to syslog, any error will cause the
> PIX to stop logging to syslog.
> 
> Here are docs for setting up logging to syslog for PIX OS 7.0.  I
> believe the syntax is the same for 5.x and 6.x, but a quick Google
> search should provide you with what you need.
> 
> -asher
> 
> 
> On 12/27/05, Andrew Meyer <andrewm659 at yahoo.com> wrote:
> > How do I set up a PIX with syslog-ng?  What are the values I can use?
> > Do I need to specify the IP addy of the PIX?  What about the protocol
> > I want to capture; what if I want to capture UDP and TCP?  How would I
> > set it up if I wanted all the data from my PIX to go to the syslog-ng
> > server?
> >
> > Thank you,
> > Andrew Meyer
> > andrewm659 at yahoo.com
> >
> > --- Damien Michau <d.michau at ag.com> wrote:
> >
> > > this is the server's actual ip
> > > ----- Original Message -----
> > > From: "Bill Nash" <billn at billn.net>
> > > To: <syslog-ng at lists.balabit.hu>
> > > Sent: Tuesday, May 10, 2005 7:20 PM
> > > Subject: Re: [syslog-ng]Pix problem
> > >
> > > > On Tue, 10 May 2005, Damien Michau wrote:
> > > >
> > > >> Hi All !
> > > >> I have some problems logging my pix's logs into my syslog-ng server.
> > > >> I have set up a syslog-ng server to store my pix's logs.  But there is
> > > >> nothing in my pix.log.
> > > >> I have put these lines in my syslog-ng.conf:
> > > >>
> > > >> source pix { udp(ip(10.60.10.111) port()); };
> > > >> destination pix { file("/var/log/pix.log"); };
> > > >> log { source(pix); destination(pix); };
> > > >>
> > > >
> > > > Your source declaration shouldn't be the IP of your pix, it should be the
> > > > IP on your syslog server you wish your udp socket to listen on.  In most
> > > > cases, this should just be 0.0.0.0 or your server's actual IP.
> > > >
> > > > - billn
> > > >


I'm worth a million in prizes 
With my torture film 
Drive a GTO 
Wear a uniform 
On a government loan.


_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
