[syslog-ng]Pix problem

Andrew Meyer andrewm659 at yahoo.com
Tue Jan 3 23:12:58 CET 2006


Sorry, there must be some miscommunication; it's just
that I'm only seeing logs from one PIX come in. I
figured it was many-to-one.  

--- Bill Nash <billn at bacchus.billn.net> wrote:

> 
> Ok, I'm getting the sense that there's some unfamiliarity with general 
> syslog implementation architectures and methods, so a brief primer.
> 
> Most syslog setups are a many-to-one style setup. For a given array of 
> servers, routers, firewalls, bananas and/or oranges, a single syslog host 
> is designated as the collection point. Once that is done, all devices that 
> syslog is to be collected from are then configured individually to send 
> their logs to the collection point.
> 
> The syslog server itself, once configured, normally accepts any syslog 
> traffic you send to it, from any host. Different requirements and networks 
> may dictate otherwise, but this is generally the case.
> 
> Each individual device must be configured to send its traffic to the 
> syslog server. I am unaware of any platform that is capable of 
> automatically determining where its logging should go, and sending it 
> along accordingly.
> 
> Each PIX, each router, switch, orange, and banana will need to have a 
> directive in their configuration that identifies the syslog server, and 
> the related information involved in sending it along.
> 
> - billn
> 
> On Tue, 3 Jan 2006, Andrew Meyer wrote:
> 
> > I have multiple PIXs, do I have to have an entry for
> > each one of them?  If so how do I do this?
> >
> > --- Bill Nash <billn at bacchus.billn.net> wrote:
> >
> >>
> >> Inside a syslog packet, facility and severity get
> >> munged together for transport, and separated at
> >> reception time. They get broken out like this:
> >>
> >> (these are from /usr/include/sys/syslog.h, for reference)
> >>
> >> Severity:
> >> #define LOG_EMERG       0       /* system is unusable */
> >> #define LOG_ALERT       1       /* action must be taken immediately */
> >> #define LOG_CRIT        2       /* critical conditions */
> >> #define LOG_ERR         3       /* error conditions */
> >> #define LOG_WARNING     4       /* warning conditions */
> >> #define LOG_NOTICE      5       /* normal but significant condition */
> >> #define LOG_INFO        6       /* informational */
> >> #define LOG_DEBUG       7       /* debug-level messages */
> >>
> >> Facility:
> >> #define LOG_KERN        (0<<3)  /* kernel messages */
> >> #define LOG_USER        (1<<3)  /* random user-level messages */
> >> #define LOG_MAIL        (2<<3)  /* mail system */
> >> #define LOG_DAEMON      (3<<3)  /* system daemons */
> >> #define LOG_AUTH        (4<<3)  /* security/authorization messages */
> >> #define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
> >> #define LOG_LPR         (6<<3)  /* line printer subsystem */
> >> #define LOG_NEWS        (7<<3)  /* network news subsystem */
> >> #define LOG_UUCP        (8<<3)  /* UUCP subsystem */
> >> #define LOG_CRON        (9<<3)  /* clock daemon */
> >> #define LOG_AUTHPRIV    (10<<3) /* security/authorization messages */
> >> #define LOG_FTP         (11<<3) /* ftp daemon */
> >>    /* other codes through 15 reserved for system use */
> >> #define LOG_LOCAL0      (16<<3) /* reserved for local use */
> >> #define LOG_LOCAL1      (17<<3) /* reserved for local use */
> >> #define LOG_LOCAL2      (18<<3) /* reserved for local use */
> >> #define LOG_LOCAL3      (19<<3) /* reserved for local use */
> >> #define LOG_LOCAL4      (20<<3) /* reserved for local use */
> >> #define LOG_LOCAL5      (21<<3) /* reserved for local use */
> >> #define LOG_LOCAL6      (22<<3) /* reserved for local use */
> >> #define LOG_LOCAL7      (23<<3) /* reserved for local use */
> >>
> >> These are the basis for translating the numeric
> >> syslog levels to human readable terms.
> >>
> >> Since your guy set it to facility 16, you should be
> >> referencing 'local0'. Alex notes this in his email,
> >> but doesn't enumerate it as explicitly.
> >>
> >> - billn
> >>
> >> On Fri, 30 Dec 2005, Andrew Meyer wrote:
> >>
> >>> Our network guy changed it to facility logging level
> >>> 16 so should I change the local # to 16 correct?
> >>>
> >>> --- "SOLIS, ALEX" <asolis at oppd.com> wrote:
> >>>
> >>>> If you don't have too many assets to log from, I
> >>>> found that filtering by facility proved an effective
> >>>> logging method.
> >>>>
> >>>>   1.	Set up your pix to send all its logs via a
> >>>> certain facility.  For example local0.  The pix
> >>>> command will look something like
> >>>> 	"logging facility 16". (note:  Facilities have a
> >>>> corresponding ID in PIX IOS.  Local0 starts at 16
> >>>> and increments all the way to local7 which is 23.)
> >>>>
> >>>>   2.	Set up the PIX to send its logs via UDP to the
> >>>> loghost server. Assuming your loghost is on the
> >>>> inside of your PIX the command will look something
> >>>> like this: "logging host inside x.x.x.x".  Be careful
> >>>> if you plan to use TCP for logging as the PIX will
> >>>> not allow communication between its interfaces if
> >>>> your syslog server fails!
> >>>>
> >>>>   3.	Now modify the syslog-ng.conf file on your
> >>>> loghost with the appropriate destination, filter,
> >>>> and log statements.  For example, to capture the
> >>>> PIX logs and send them to a private file we would
> >>>> have:
> >>>>
> >>>> 	destination pix { file("/var/log/pix"); };
> >>>> 	filter f_pix { facility(local0); };
> >>>> 	log { source(src); filter(f_pix); destination(pix); };
> >>>>
> >>>> Restart syslog-ng and you should be in business.  If
> >>>> you don't see enough information (or too much) play
> >>>> with the PIX's logging levels.  There are 7 of them
> >>>> with 7 being the most verbose.
> >>>>
> >>>> Hope that helps.
> >>>>
> >>>> Alex
> >>>>
> >>>>
> >>>> -----Original Message-----
> >>>> From: syslog-ng-bounces at lists.balabit.hu
> 
=== message truncated ===


I'm worth a million in prizes 
With my torture film 
Drive a GTO 
Wear a uniform 
On a government loan.
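Added example (not code from this thread, from syslog-ng or from Cisco): the script below does what Bill's primer and Alex's recipe describe, in Python. It undoes the facility/severity "munging" (PRI = facility * 8 + severity, the same `<<3` encoding as the syslog.h excerpt), maps code 16 back to local0 (the value behind the PIX "logging facility 16" directive), and emulates the `filter f_pix { facility(local0); }` filter over a few constructed sample lines from two PIXs and one Unix host. The line format, host names and message texts are all made up for the example; the point it shows is that a facility filter matches on the PRI of every message, so a single filter collects all PIXs sending as local0 and only the host field tells them apart.

```python
import re
from dataclasses import dataclass

# Severity codes 0..7, in the order given by sys/syslog.h.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facility codes: the syslog.h values are (code<<3), so the code is the number
# before the shift. local0..local7 are 16..23, hence "logging facility 16" == local0.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
FACILITY_CODES = {name: code for code, name in FACILITIES.items()}

# Assumed BSD-style line shape: <PRI>Mon dd hh:mm:ss host message
LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    host: str
    facility: str
    severity: str
    timestamp: str
    text: str


def split_pri(pri: int):
    """Separate the transport-munged PRI back into (facility code, severity code)."""
    if not 0 <= pri <= 191:          # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def make_pri(facility: str, severity: str) -> int:
    """The sender's side of the munging: (facility << 3) | severity."""
    return (FACILITY_CODES[facility] << 3) | SEVERITIES.index(severity)


def parse_line(line: str) -> SyslogMessage:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    fac_code, sev_code = split_pri(int(m.group(1)))
    facility = FACILITIES.get(fac_code, f"facility{fac_code}")   # 12..15 are reserved
    return SyslogMessage(host=m.group(3), facility=facility,
                         severity=SEVERITIES[sev_code],
                         timestamp=m.group(2), text=m.group(4))


def filter_facility(messages, facility: str):
    """Equivalent of  filter f_pix { facility(local0); };  It tests the PRI, not the host."""
    return [msg for msg in messages if msg.facility == facility]


# Constructed sample traffic (not real logs): two PIXs on local0, one Unix host.
SAMPLE_LINES = [
    "<134>Jan  3 23:10:01 pix-dmz %PIX-6-302013: Built outbound TCP connection 4711 ...",
    "<132>Jan  3 23:10:02 pix-core %PIX-4-106023: Deny tcp src outside:... by access-group ...",
    "<38>Jan  3 23:10:03 loghost sshd[1234]: Accepted publickey for admin from ...",
    "<76>Jan  3 23:10:04 loghost crond[99]: (root) CMD (run-parts /etc/cron.hourly)",
]


def pix_messages():
    """Everything the f_pix filter would route to /var/log/pix."""
    return filter_facility([parse_line(line) for line in SAMPLE_LINES], "local0")


def hosts_seen(messages):
    return sorted({msg.host for msg in messages})


if __name__ == "__main__":
    for msg in pix_messages():
        print(f"{msg.host:9} {msg.facility}.{msg.severity:8} {msg.text}")
    print("PIX hosts captured by one facility filter:", hosts_seen(pix_messages()))
    print("PRI a PIX sends for local0.info:", make_pri("local0", "info"))
```

If only one PIX shows up in the file, the parser's host field is the quickest check: run it over the raw UDP payloads the loghost actually receives and compare the set of hosts against the list of PIXs that carry a "logging host" directive.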




