[syslog-ng]Pix problem

Fri Dec 30 18:38:16 CET 2005

Our network guy changed ti to facility logging level
16 so should i change the local # to 16 correct?

--- "SOLIS, ALEX" <asolis at oppd.com> wrote:

> If you don't have too many assets to log from, I
> found that filtering by facility proved an effective
> logging method.
> 
>   1.	Setup your pix to send all its logs via a
> certain facility.  For	example local0.  The pix
> command will look something like 
> 	"logging facility 16". (note:  Facilities have a
> corresponding ID in 	PIX IOS.  Local0 starts at 16
> and increments all the way to local7 	which is 23.)
> 
>   2.	Setup the PIX to send its logs via UDP to the
> loghost server. Assuming
> 	Your loghost is on the inside of your PIX the
> command will look 	something like this: "logging
> host inside x.x.x.x".  Be careful if you 	plan to
> use TCP for logging as the PIX will not allow
> communication  	between its interfaces if your
> syslog server fails!
> 
>   3.	Now modify the syslog-ng.conf file on you
> loghost with the appropriate 	destination, filter,
> and log statements.  For example, to capture the 
> PIX logs and send them to a private file we would
> have:
> 
> 	destination pix { file("/var/log/pix"); };
> 	filter f_pix { facility(local0); };
> 	log { source(src); filter(f_pix); destination(pix);
> };
> 
> restart syslog-ng and you should be in business.  If
> you don't see enough information (or too much) play
> with the PIX's logging levels.  There are 7 of them
> with 7 being the most verbose.
> 
> Hope that helps.
> 
> Alex
> 
> 
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On
> Behalf Of Andrew Meyer
> Sent: Tuesday, December 27, 2005 9:55 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng]Pix problem
> 
> OK.....is there a way to log/define all 8 logging
> facilities in syslog-ng this is all new to me, and
> i'm
> following a debian tutorial.  So any other info you
> can give me would be awsome.
> 
> Thank you,
> Andrew
> 
> --- Asher Yanich <ayanic01 at cs.fiu.edu> wrote:
> 
> > You will not want to setup TCP syslog from the
> PIX. 
> > Even though the
> > PIX can connect and log via TCP to syslog, any
> error
> > will cause the
> > PIX to stop logging to syslog.
> > 
> > Here are docs for setting up logging to syslog for
> > pix OS 7.0.  I
> > believe the syntaz is the same for 5.x and 6.x but
> a
> > quick google
> > search should provide you with what you need.
> > 
> > -asher
> > 
> > 
> > On 12/27/05, Andrew Meyer <andrewm659 at yahoo.com>
> > wrote:
> > > How do I setup a PIX with syslog-ng?  what are
> the
> > > values I can use?  Do I need to specify the IP
> > addy of
> > > the PIX?  What about the protocol I want to
> > capture,
> > > what if i want to capture UDP and TCP?  How
> would
> > I
> > > set it up if i wanted all the data from my PIX
> to
> > go
> > > the syslog-ng server?
> > >
> > > Thank you,
> > > Andrew Meyer
> > > andrewm659 at yahoo.com
> > >
> > > --- Damien Michau <d.michau at ag.com> wrote:
> > >
> > > > this is the server actual ip
> > > > ----- Original Message -----
> > > > From: "Bill Nash" <billn at billn.net>
> > > > To: <syslog-ng at lists.balabit.hu>
> > > > Sent: Tuesday, May 10, 2005 7:20 PM
> > > > Subject: Re: [syslog-ng]Pix problem
> > > >
> > > >
> > > > > On Tue, 10 May 2005, Damien Michau wrote:
> > > > >
> > > > >> Hi All !
> > > > >> I have some probleme ta log my pix's log
> into
> > my
> > > > syslog-ng server .
> > > > >> i have mounted a Syslog-ng server to store
> my
> > > > pix's log . But there is
> > > > >> nothing in my pix.log
> > > > >> i'have put this lines in my syslog-ng.conf
> > > > >>
> > > > >>
> > > > >> source pix { udp(ip(10.60.10.111)
> port());};
> > > > >> destination pix      {
> > file("/var/log/pix.log");
> > > > };
> > > > >> log { source(pix);destination(pix); };
> > > > >>
> > > > >
> > > > > Your source declaration shouldn't be the IP
> of
> > > > your pix, it should be the
> > > > > IP on your syslog server you wish your udp
> > socket
> > > > to listen on. In most
> > > > > cases, this should just be 0.0.0.0 or your
> > servers
> > > > actual IP.
> > > > >
> > > > > - billn
> > > > >
> > _______________________________________________
> > > > > syslog-ng maillist  - 
> > syslog-ng at lists.balabit.hu
> > > > >
> > > >
> >
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > > > Frequently asked questions at
> > > > http://www.campin.net/syslog-ng/faq.html
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> _______________________________________________
> > > > syslog-ng maillist  - 
> > syslog-ng at lists.balabit.hu
> > > >
> >
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > > Frequently asked questions at
> > > > http://www.campin.net/syslog-ng/faq.html
> > > >
> > > >
> > >
> > >
> > > I'm worth a million in prizes
> > > With my torture film
> > > Drive a GTO
> > > Wear a uniform
> > > On a government loan.
> > >
> > >
> > >
> > > __________________________________________
> > > Yahoo! DSL ï¿½ Something to write home about.
> > > Just $16.99/mo. or less.
> > > dsl.yahoo.com
> > >
> > > _______________________________________________
> > > syslog-ng maillist  - 
> syslog-ng at lists.balabit.hu
> > >
> >
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > Frequently asked questions at
> > http://www.campin.net/syslog-ng/faq.html
> > >
> > >
> > > _______________________________________________
> > syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> >
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at
> > http://www.campin.net/syslog-ng/faq.html
> > 
> > 
> 
> 
=== message truncated ===

I'm worth a million in prizes 
With my torture film 
Drive a GTO 
Wear a uniform 
On a government loan.

__________________________________ 
Yahoo! for Good - Make a difference this year. 
http://brand.yahoo.com/cybergivingweek2005/