[syslog-ng]Pix problem

Andrew Meyer andrewm659 at yahoo.com
Tue Jan 3 22:36:54 CET 2006


I have multiple PIXs, do I have to have an entry for
each one of them?  If so how do I do this?

--- Bill Nash <billn at bacchus.billn.net> wrote:

> 
> Inside a syslog packet, facility and severity get munged together for
> transport, and separated at reception time. They get broken out like this:
> 
> (these are from /usr/include/sys/syslog.h, for reference)
> 
> Severity:
> #define LOG_EMERG       0       /* system is unusable */
> #define LOG_ALERT       1       /* action must be taken immediately */
> #define LOG_CRIT        2       /* critical conditions */
> #define LOG_ERR         3       /* error conditions */
> #define LOG_WARNING     4       /* warning conditions */
> #define LOG_NOTICE      5       /* normal but significant condition */
> #define LOG_INFO        6       /* informational */
> #define LOG_DEBUG       7       /* debug-level messages */
> 
> Facility:
> #define LOG_KERN        (0<<3)  /* kernel messages */
> #define LOG_USER        (1<<3)  /* random user-level messages */
> #define LOG_MAIL        (2<<3)  /* mail system */
> #define LOG_DAEMON      (3<<3)  /* system daemons */
> #define LOG_AUTH        (4<<3)  /* security/authorization messages */
> #define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
> #define LOG_LPR         (6<<3)  /* line printer subsystem */
> #define LOG_NEWS        (7<<3)  /* network news subsystem */
> #define LOG_UUCP        (8<<3)  /* UUCP subsystem */
> #define LOG_CRON        (9<<3)  /* clock daemon */
> #define LOG_AUTHPRIV    (10<<3) /* security/authorization messages */
> #define LOG_FTP         (11<<3) /* ftp daemon */
>    /* other codes through 15 reserved for system use */
> #define LOG_LOCAL0      (16<<3) /* reserved for local use */
> #define LOG_LOCAL1      (17<<3) /* reserved for local use */
> #define LOG_LOCAL2      (18<<3) /* reserved for local use */
> #define LOG_LOCAL3      (19<<3) /* reserved for local use */
> #define LOG_LOCAL4      (20<<3) /* reserved for local use */
> #define LOG_LOCAL5      (21<<3) /* reserved for local use */
> #define LOG_LOCAL6      (22<<3) /* reserved for local use */
> #define LOG_LOCAL7      (23<<3) /* reserved for local use */
> 
> These are the basis for translating the numeric syslog levels to human
> readable terms.
> 
> Since your guy set to facility 16, you should be referencing 'local0'.
> Alex notes this in his email, but doesn't enumerate it as explicitly.
> 
> - billn
> 
> On Fri, 30 Dec 2005, Andrew Meyer wrote:
> 
> > Our network guy changed it to facility logging level
> > 16 so should i change the local # to 16 correct?
> >
> > --- "SOLIS, ALEX" <asolis at oppd.com> wrote:
> >
> >> If you don't have too many assets to log from, I
> >> found that filtering by facility proved an effective
> >> logging method.
> >>
> >>   1.	Setup your pix to send all its logs via a
> >> certain facility.  For example local0.  The pix
> >> command will look something like
> >> 	"logging facility 16". (note:  Facilities have a
> >> corresponding ID in PIX IOS.  Local0 starts at 16
> >> and increments all the way to local7 which is 23.)
> >>
> >>   2.	Setup the PIX to send its logs via UDP to the
> >> loghost server. Assuming
> >> 	your loghost is on the inside of your PIX the
> >> command will look something like this: "logging
> >> host inside x.x.x.x".  Be careful if you plan to
> >> use TCP for logging as the PIX will not allow
> >> communication between its interfaces if your
> >> syslog server fails!
> >>
> >>   3.	Now modify the syslog-ng.conf file on your
> >> loghost with the appropriate destination, filter,
> >> and log statements.  For example, to capture the
> >> PIX logs and send them to a private file we would
> >> have:
> >>
> >> 	destination pix { file("/var/log/pix"); };
> >> 	filter f_pix { facility(local0); };
> >> 	log { source(src); filter(f_pix); destination(pix); };
> >>
> >> restart syslog-ng and you should be in business.  If
> >> you don't see enough information (or too much) play
> >> with the PIX's logging levels.  There are 7 of them
> >> with 7 being the most verbose.
> >>
> >> Hope that helps.
> >>
> >> Alex
> >>
> >>
> >> -----Original Message-----
> >> From: syslog-ng-bounces at lists.balabit.hu
> >> [mailto:syslog-ng-bounces at lists.balabit.hu] On
> >> Behalf Of Andrew Meyer
> >> Sent: Tuesday, December 27, 2005 9:55 PM
> >> To: Syslog-ng users' and developers' mailing list
> >> Subject: Re: [syslog-ng]Pix problem
> >>
> >> OK.....is there a way to log/define all 8 logging
> >> facilities in syslog-ng?  This is all new to me, and
> >> I'm following a debian tutorial.  So any other info you
> >> can give me would be awesome.
> >>
> >> Thank you,
> >> Andrew
> >>
> >> --- Asher Yanich <ayanic01 at cs.fiu.edu> wrote:
> >>
> >>> You will not want to setup TCP syslog from the PIX.
> >>> Even though the PIX can connect and log via TCP to syslog, any error
> >>> will cause the PIX to stop logging to syslog.
> >>>
> >>> Here are docs for setting up logging to syslog for pix OS 7.0.  I
> >>> believe the syntax is the same for 5.x and 6.x but a quick google
> >>> search should provide you with what you need.
> >>>
> >>> -asher
> >>>
> >>>
> >>> On 12/27/05, Andrew Meyer <andrewm659 at yahoo.com>
> >>> wrote:
> >>>> How do I setup a PIX with syslog-ng?  What are the
> >>>> values I can use?  Do I need to specify the IP addy of
> >>>> the PIX?  What about the protocol I want to capture,
> >>>> what if I want to capture UDP and TCP?  How would I
> >>>> set it up if I wanted all the data from my PIX to go to
> >>>> the syslog-ng server?
> >>>>
> >>>> Thank you,
> >>>> Andrew Meyer
> >>>> andrewm659 at yahoo.com
> >>>>
> >>>> --- Damien Michau <d.michau at ag.com> wrote:
> >>>>
> >>>>> this is the server actual ip
> >>>>> ----- Original Message -----
> >>>>> From: "Bill Nash" <billn at billn.net>
> >>>>> To: <syslog-ng at lists.balabit.hu>
> 
=== message truncated ===
> _______________________________________________
> syslog-ng maillist  -  syslog-ng at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at
> http://www.campin.net/syslog-ng/faq.html
> 
> 


I'm worth a million in prizes 
With my torture film 
Drive a GTO 
Wear a uniform 
On a government loan.
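Bill Nash's point that facility and severity are packed into one number (facility shifted left by three bits, severity in the low three bits) and Alex's note that the PIX command "logging facility 16" selects local0 can be checked with a few lines of code. The following is an added worked example for this thread, not code from syslog-ng or from any of the posters; the hostnames, message text and log lines in it are constructed samples.

```python
"""Decode the syslog PRI field as described in the thread:
PRI = (facility << 3) | severity, so facility = PRI >> 3 and severity = PRI & 7.
Added example for this thread; the sample datagrams below are constructed."""
import re

# Severity codes 0..7, names as used by syslog-ng's level() filter.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facility codes 0..23 (12..15 are reserved for system use and have no name).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

# A raw syslog datagram starts with the PRI value in angle brackets.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri):
    """Split a PRI value into (facility_name, severity_name).
    Valid PRI values are 0..191 (facility 0..23, severity 0..7)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    facility_code, severity_code = pri >> 3, pri & 0x7
    facility = FACILITIES.get(facility_code, f"reserved{facility_code}")
    return facility, SEVERITIES[severity_code]


def pix_facility_to_name(pix_facility):
    """Map the number given to the PIX 'logging facility N' command to the
    syslog-ng facility name. The PIX number is the facility code itself
    (16..23 = local0..local7), not the shifted value from syslog.h."""
    if not 16 <= pix_facility <= 23:
        raise ValueError("PIX logging facility must be 16..23 (local0..local7)")
    return FACILITIES[pix_facility]


def parse_line(line):
    """Parse the '<PRI>' prefix of a raw syslog datagram; returns
    (facility, severity, rest_of_message) or None if no PRI is present."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return facility, severity, line[m.end():]


def matches_filter(line, facility="local0"):
    """Emulate 'filter f_pix { facility(local0); };' over one raw line."""
    parsed = parse_line(line)
    return parsed is not None and parsed[0] == facility


# Constructed sample datagrams (not real device output). A PIX configured with
# 'logging facility 16' sending at severity 6 yields PRI 16*8+6 = 134; a kernel
# message from the loghost itself arrives as PRI 6 (kern.info); a device set to
# facility 23 at severity 5 yields PRI 189 (local7.notice).
SAMPLE_LINES = [
    "<134>Jan  3 22:36:54 pix-fw %PIX-6-302013: Built outbound TCP connection",
    "<6>Jan  3 22:36:55 loghost kernel: eth0: link up",
    "<189>Jan  3 22:36:56 pix-fw2 %PIX-5-111008: User 'admin' executed 'write mem'",
    "no PRI on this line",
]


def pix_lines(lines):
    """Return only the lines the f_pix filter would route to /var/log/pix."""
    return [line for line in lines if matches_filter(line, "local0")]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print("routed to /var/log/pix:", len(pix_lines(SAMPLE_LINES)))
```

Running it shows that only the PRI 134 line is selected by a facility(local0) filter: the line sent on facility 23 decodes to local7 and falls through, which is exactly the mismatch Bill describes between the device's facility number and the name used in the syslog-ng filter.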


	
		


More information about the syslog-ng mailing list