[syslog-ng]Pix problem
Bill Nash
billn at bacchus.billn.net
Fri Dec 30 18:56:55 CET 2005
Inside a syslog packet, facility and severity get munged together for
transport, and separated at reception time. They get broken out like this:
(these are from /usr/include/sys/syslog.h, for reference)
Severity:
#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */
Facility:
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* network news subsystem */
#define LOG_UUCP (8<<3) /* UUCP subsystem */
#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages
#define LOG_FTP (11<<3) /* ftp daemon */
/* other codes through 15 reserved for system use */
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */
#define LOG_LOCAL2 (18<<3) /* reserved for local use */
#define LOG_LOCAL3 (19<<3) /* reserved for local use */
#define LOG_LOCAL4 (20<<3) /* reserved for local use */
#define LOG_LOCAL5 (21<<3) /* reserved for local use */
#define LOG_LOCAL6 (22<<3) /* reserved for local use */
#define LOG_LOCAL7 (23<<3) /* reserved for local use */
These are the basis for translating the numeric syslog levels to human
readable terms.
Since your guy set to facility 16, you should be referencing 'local0'.
Alex notes this in his email, but doesn't enumerate it as explicitly.
- billn
On Fri, 30 Dec 2005, Andrew Meyer wrote:
> Our network guy changed ti to facility logging level
> 16 so should i change the local # to 16 correct?
>
> --- "SOLIS, ALEX" <asolis at oppd.com> wrote:
>
>> If you don't have too many assets to log from, I
>> found that filtering by facility proved an effective
>> logging method.
>>
>> 1. Setup your pix to send all its logs via a
>> certain facility. For example local0. The pix
>> command will look something like
>> "logging facility 16". (note: Facilities have a
>> corresponding ID in PIX IOS. Local0 starts at 16
>> and increments all the way to local7 which is 23.)
>>
>> 2. Setup the PIX to send its logs via UDP to the
>> loghost server. Assuming
>> Your loghost is on the inside of your PIX the
>> command will look something like this: "logging
>> host inside x.x.x.x". Be careful if you plan to
>> use TCP for logging as the PIX will not allow
>> communication between its interfaces if your
>> syslog server fails!
>>
>> 3. Now modify the syslog-ng.conf file on you
>> loghost with the appropriate destination, filter,
>> and log statements. For example, to capture the
>> PIX logs and send them to a private file we would
>> have:
>>
>> destination pix { file("/var/log/pix"); };
>> filter f_pix { facility(local0); };
>> log { source(src); filter(f_pix); destination(pix);
>> };
>>
>> restart syslog-ng and you should be in business. If
>> you don't see enough information (or too much) play
>> with the PIX's logging levels. There are 7 of them
>> with 7 being the most verbose.
>>
>> Hope that helps.
>>
>> Alex
>>
>>
>> -----Original Message-----
>> From: syslog-ng-bounces at lists.balabit.hu
>> [mailto:syslog-ng-bounces at lists.balabit.hu] On
>> Behalf Of Andrew Meyer
>> Sent: Tuesday, December 27, 2005 9:55 PM
>> To: Syslog-ng users' and developers' mailing list
>> Subject: Re: [syslog-ng]Pix problem
>>
>> OK.....is there a way to log/define all 8 logging
>> facilities in syslog-ng this is all new to me, and
>> i'm
>> following a debian tutorial. So any other info you
>> can give me would be awsome.
>>
>> Thank you,
>> Andrew
>>
>> --- Asher Yanich <ayanic01 at cs.fiu.edu> wrote:
>>
>>> You will not want to setup TCP syslog from the
>> PIX.
>>> Even though the
>>> PIX can connect and log via TCP to syslog, any
>> error
>>> will cause the
>>> PIX to stop logging to syslog.
>>>
>>> Here are docs for setting up logging to syslog for
>>> pix OS 7.0. I
>>> believe the syntaz is the same for 5.x and 6.x but
>> a
>>> quick google
>>> search should provide you with what you need.
>>>
>>> -asher
>>>
>>>
>>> On 12/27/05, Andrew Meyer <andrewm659 at yahoo.com>
>>> wrote:
>>>> How do I setup a PIX with syslog-ng? what are
>> the
>>>> values I can use? Do I need to specify the IP
>>> addy of
>>>> the PIX? What about the protocol I want to
>>> capture,
>>>> what if i want to capture UDP and TCP? How
>> would
>>> I
>>>> set it up if i wanted all the data from my PIX
>> to
>>> go
>>>> the syslog-ng server?
>>>>
>>>> Thank you,
>>>> Andrew Meyer
>>>> andrewm659 at yahoo.com
>>>>
>>>> --- Damien Michau <d.michau at ag.com> wrote:
>>>>
>>>>> this is the server actual ip
>>>>> ----- Original Message -----
>>>>> From: "Bill Nash" <billn at billn.net>
>>>>> To: <syslog-ng at lists.balabit.hu>
>>>>> Sent: Tuesday, May 10, 2005 7:20 PM
>>>>> Subject: Re: [syslog-ng]Pix problem
>>>>>
>>>>>
>>>>>> On Tue, 10 May 2005, Damien Michau wrote:
>>>>>>
>>>>>>> Hi All !
>>>>>>> I have some probleme ta log my pix's log
>> into
>>> my
>>>>> syslog-ng server .
>>>>>>> i have mounted a Syslog-ng server to store
>> my
>>>>> pix's log . But there is
>>>>>>> nothing in my pix.log
>>>>>>> i'have put this lines in my syslog-ng.conf
>>>>>>>
>>>>>>>
>>>>>>> source pix { udp(ip(10.60.10.111)
>> port());};
>>>>>>> destination pix {
>>> file("/var/log/pix.log");
>>>>> };
>>>>>>> log { source(pix);destination(pix); };
>>>>>>>
>>>>>>
>>>>>> Your source declaration shouldn't be the IP
>> of
>>>>> your pix, it should be the
>>>>>> IP on your syslog server you wish your udp
>>> socket
>>>>> to listen on. In most
>>>>>> cases, this should just be 0.0.0.0 or your
>>> servers
>>>>> actual IP.
>>>>>>
>>>>>> - billn
>>>>>>
>>> _______________________________________________
>>>>>> syslog-ng maillist -
>>> syslog-ng at lists.balabit.hu
>>>>>>
>>>>>
>>>
>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>> Frequently asked questions at
>>>>> http://www.campin.net/syslog-ng/faq.html
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>> _______________________________________________
>>>>> syslog-ng maillist -
>>> syslog-ng at lists.balabit.hu
>>>>>
>>>
>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>> Frequently asked questions at
>>>>> http://www.campin.net/syslog-ng/faq.html
>>>>>
>>>>>
>>>>
>>>>
>>>> I'm worth a million in prizes
>>>> With my torture film
>>>> Drive a GTO
>>>> Wear a uniform
>>>> On a government loan.
>>>>
>>>>
>>>>
>>>> __________________________________________
>>>> Yahoo! DSL � Something to write home about.
>>>> Just $16.99/mo. or less.
>>>> dsl.yahoo.com
>>>>
>>>> _______________________________________________
>>>> syslog-ng maillist -
>> syslog-ng at lists.balabit.hu
>>>>
>>>
>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Frequently asked questions at
>>> http://www.campin.net/syslog-ng/faq.html
>>>>
>>>>
>>>> _______________________________________________
>>> syslog-ng maillist - syslog-ng at lists.balabit.hu
>>>
>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Frequently asked questions at
>>> http://www.campin.net/syslog-ng/faq.html
>>>
>>>
>>
>>
> === message truncated ===
>
>
> I'm worth a million in prizes
> With my torture film
> Drive a GTO
> Wear a uniform
> On a government loan.
>
>
>
>
> __________________________________
> Yahoo! for Good - Make a difference this year.
> http://brand.yahoo.com/cybergivingweek2005/
> _______________________________________________
> syslog-ng maillist - syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
More information about the syslog-ng
mailing list