From: Joseph Garcia
Date: Thu, 14 Feb 2002 10:18:24 -0800 (PST)
To: questions@freebsd.org
Subject: PIX 515 (v4.4) Logging to a Syslog Server on FreeBSD (fwd)

Hello all!

I've been trying to accomplish two things here. First of all, I'm trying to learn the syntax and concepts of configuring a PIX Firewall and second, I'm trying to get it to log to a syslog server on a FreeBSD box. This is a mostly educational exercise which I'd like to apply to the production firewall. The production firewall is currently being maintained by outside sources. I have this extra PIX here that I'm testing the configuration on.

I've successfully configured the FreeBSD box to accept syslog messages from HP JetDirect print servers so I'm kinda confused as to why it's not accepting messages from the PIX. It might be that I'm not configuring the PIX correctly and I'm seeking some assistance. At this time I'm using "Cisco Secure PIX Firewalls" as my guide in this adventure. This so far has been the first book that I've found on configuring PIX Firewalls.

I've also printed out a bunch of documentation from Cisco concerning the PIX 515 which runs v4.4 of the PIX OS (this isn't IOS is it?). Most of it is some basic stuff and a command reference.

Well, I'd like to log time stamped messages to a syslog server. I'm not sure yet what level of information I should be logging or want to be logging but I'm thinking that debugging information would be overkill. Although, I'm curious to see what kind of information level 4 would give me.

So here's what I have in the configuration pertaining to logging.

    logging on
    logging timestamp
    no logging console
    logging monitor emergencies
    no logging buffered
    logging trap warnings
    logging facility 20
    logging queue 512
    logging host inside 192.168.0.42

When I do a show logging, I get this:

    Syslog logging: enabled
    Timestamp logging: enabled
    Console logging: disabled
    Monitor logging: level emergencies, 0 messages logged
    Buffer logging: disabled
    Trap logging: level warnings, facility 20, 4126 messages logged
    Logging to inside 192.168.0.42

To see if anything is actually going to this machine I check tcpdump:

    # tcpdump host pix1 and udp
    tcpdump: listening on tl0
    17:31:30.588311 pix1.ircla.test.com.syslog > bsd1.ircla.test.com.syslog: udp 119

Okay, so that tells me that there's data going to the server. Now let's check out my syslog.conf for its contents. Mind you, my /etc/hosts file has an entry for the PIX Firewall. Here are the lines from my syslog.conf file.

    # Log from Pix Firewall
    +pix1
    *.*                                    /var/log/pix

I would assume this would log anything and everything no matter what facility or whatever to the file /var/log/pix, but I could be wrong. I configured that according to the syslog.conf man page. Yes, I have created the /var/log/pix file.

    -rw-r--r--  1 root  wheel  0 Feb 12 18:14 /var/log/pix

But the problem is that /var/log/pix is empty. And I'm not sure why. This is where I'm stuck. Any ideas where I might have gone wrong?

Tcpdump is telling me that there is data going to the BSD box, but for some reason it's not being logged.

Oh, by the way, syslogd is running as follows:

    root  1538  0.0  0.6  964  704  ??  Ss    6:21PM   0:01.72 /usr/sbin/syslogd

Under FreeBSD if syslogd runs with the -s option it ignores syslog messages from a different host. I have disabled the -s option.

Okay, so I guess that's it. Not sure what other information I have missed. I'm still trying to understand how all these logging commands are to be glued together to make things work properly.

Well, thanks in advance for all your help!

Joseph Garcia

PS I just noticed that the PIX syslog messages are showing up in /var/log/messages but not in /var/log/pix. I'm confused as to why. Here's a sample of the messages.

    Feb 14 10:15:46 pix1.ircla.test.com %PIX-2-106007: Deny inbound UDP from 198.6.1.2/53 to 192.168.0.158/1352 due to DNS Response
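Added example, not part of Joseph's post or of any Cisco or FreeBSD tool: a small Python parser for PIX messages in the form they land in /var/log/messages above (%PIX-<severity>-<id>: text), plus helpers that show how the PIX settings in the post fit together, i.e. "logging facility 20" is syslog facility local4 and "logging trap warnings" forwards severities 0 through 4, so the severity-2 106007 line does get sent. The sample lines are constructed; only the first is the one quoted in the post, and message id 999999 is a placeholder, not a real PIX id.

```python
import re

# Constructed sample: the first line is the %PIX-2-106007 message quoted in the post,
# the others are made up for this example (id 999999 is a placeholder, not a real PIX id).
SAMPLE = [
    "Feb 14 10:15:46 pix1.ircla.test.com %PIX-2-106007: Deny inbound UDP from 198.6.1.2/53 to 192.168.0.158/1352 due to DNS Response",
    "Feb 14 10:15:50 pix1.ircla.test.com %PIX-2-106007: Deny inbound UDP from 198.6.1.2/53 to 192.168.0.158/1353 due to DNS Response",
    "Feb 14 10:16:02 pix1.ircla.test.com %PIX-6-999999: constructed informational message",
    "Feb 14 10:16:10 bsd1.ircla.test.com syslogd: restart",
]
# Header shared by every PIX message as written by syslogd: <timestamp> <host> %PIX-<sev>-<id>: <text>
PIX_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# Detail of the 106007-style deny text quoted in the post
DENY_RE = re.compile(r"Deny inbound (?P<proto>\w+) from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+")
# 'logging trap <keyword>' on the PIX, mapped to the highest syslog severity number it forwards
TRAP_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

def parse_pix_line(line):
    """Return a dict for a PIX message, or None for any other syslog line."""
    m = PIX_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "severity": int(m["sev"]),
          "msgid": m["msgid"], "text": m["text"]}
    d = DENY_RE.search(ev["text"])
    if d:  # only deny messages carry protocol/src/dst
        ev.update(proto=d["proto"], src=d["src"], dst=d["dst"])
    return ev

def syslog_pri(facility, severity):
    """PRI value in the UDP datagram: facility*8 + severity ('logging facility 20' is local4)."""
    return facility * 8 + severity

def passes_trap(severity, trap):
    """True if a message of this severity is forwarded under 'logging trap <trap>'."""
    return severity <= TRAP_LEVELS[trap]

def deny_sources(lines, trap="warnings"):
    """Count denied connections per source address, ignoring lines the PIX would not forward."""
    counts = {}
    for line in lines:
        ev = parse_pix_line(line)
        if ev and "src" in ev and passes_trap(ev["severity"], trap):
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts
```

Run over a real /var/log/messages, deny_sources() gives a quick per-source count of what the PIX is dropping, which is the kind of summary that makes the warnings level worth keeping even before the /var/log/pix split is sorted out.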