From owner-freebsd-questions Thu Feb 14 10:42:34 2002
Delivered-To: freebsd-questions@freebsd.org
From: "Robert Blayzor"
To: "'Joseph Garcia'", freebsd-questions@freebsd.org
Subject: RE: PIX 515 (v4.4) Logging to a Syslog Server on FreeBSD (fwd)
Date: Thu, 14 Feb 2002 13:42:15 -0500
Organization: INOC, LLC
Message-ID: <012301c1b587$52e97ad0$6f00000a@z0.inoc.net>
In-Reply-To: <20020214101508.U35855-100000@we-24-126-232-105.we.mediaone.net>
Sender: owner-freebsd-questions@FreeBSD.ORG

Hi Joseph,

I have some PIX 525's successfully logging here on my FreeBSD 4.5 staff
boxes.

From the PIX:

    logging on
    logging monitor errors
    logging buffered notifications
    logging trap errors
    logging facility 23
    logging host inside 10.10.10.10

From my /etc/syslog.conf:

    local7.*                                        /nfs/logs/fw/inoc.pix
    # *.notice;kern.debug;lpr.info;mail.crit;news.err;local7.none   /var/log/messages

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net

Linux is Luke. FreeBSD is Yoda.

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Joseph Garcia
> Sent: Thursday, February 14, 2002 1:18 PM
> To: questions@freebsd.org
> Subject: PIX 515 (v4.4) Logging to a Syslog Server on FreeBSD (fwd)
>
> Hello all!
>
> I've been trying to accomplish two things here. First of all, I'm
> trying to learn the syntax and concepts of configuring a PIX Firewall
> and second, I'm trying to get it to log to a syslog server on a FreeBSD
> box.
>
> This is a mostly educational exercise which I'd like to apply to the
> production firewall. The production firewall is currently being
> maintained by outside sources. I have this extra PIX here that I'm
> testing the configuration on.
>
> I've successfully configured the FreeBSD box to accept syslog messages
> from HP JetDirect print servers so I'm kinda confused as to why it's
> not accepting messages from the PIX. It might be that I'm not
> configuring the PIX correctly and I'm seeking some assistance.
>
> At this time I'm using "Cisco Secure PIX Firewalls" as my guide in this
> adventure. This so far has been the first book that I've found on
> configuring PIX Firewalls. I've also printed out a bunch of
> documentation from Cisco concerning the PIX 515 which runs v4.4 of the
> PIX OS (this isn't IOS is it?). Most of it is some basic stuff and a
> command reference.
>
> Well, I'd like to log time stamped messages to a syslog server. I'm not
> sure yet what level of information I should be logging or want to be
> logging but I'm thinking that debugging information would be overkill.
> Although, I'm curious to see what kind of information level 4 would
> give me.
>
> So here's what I have in the configuration pertaining to logging.
>
>     logging on
>     logging timestamp
>     no logging console
>     logging monitor emergencies
>     no logging buffered
>     logging trap warnings
>     logging facility 20
>     logging queue 512
>     logging host inside 192.168.0.42
>
> When I do a show logging, I get this:
>
>     Syslog logging: enabled
>     Timestamp logging: enabled
>     Console logging: disabled
>     Monitor logging: level emergencies, 0 messages logged
>     Buffer logging: disabled
>     Trap logging: level warnings, facility 20, 4126 messages logged
>     Logging to inside 192.168.0.42
>
> To see if anything is actually going to this machine I check tcpdump:
>
>     # tcpdump host pix1 and udp
>     tcpdump: listening on tl0
>     17:31:30.588311 pix1.ircla.test.com.syslog > bsd1.ircla.test.com.syslog: udp 119
>
> Okay, so that tells me that there's data going to the server. Now
> let's check out my syslog.conf for its contents. Mind you, my /etc/hosts
> file has an entry for the PIX Firewall. Here's the lines from my
> syslog.conf file.
>
>     # Log from Pix Firewall
>     +pix1
>     *.*                                             /var/log/pix
>
> I would assume this would log anything and everything no matter what
> facility or whatever to the file /var/log/pix, but I could be wrong. I
> configured that according to the syslog.conf man page.
>
> Yes, I have created the /var/log/pix file.
>
>     -rw-r--r--  1 root  wheel  0 Feb 12 18:14 /var/log/pix
>
> But the problem is that /var/log/pix is empty. And I'm not sure why.
> This is where I'm stuck. Any ideas where I might have gone wrong?
> Tcpdump is telling me that there is data going to the BSD box, but for
> some reason it's not being logged. Oh, by the way syslogd is running as
> follows:
>
>     root  1538  0.0  0.6  964  704  ??  Ss  6:21PM  0:01.72 /usr/sbin/syslogd
>
> Under FreeBSD if syslogd runs with the -s option it ignores syslog
> messages from a different host. I have disabled the -s option.
>
> Okay, so I guess that's it. Not sure what other information I have
> missed. I'm still trying to understand how all these logging commands
> are to be glued together to make things work properly. Well, thanks in
> advance for all your help!
>
> Joseph Garcia
>
> PS I just noticed that the PIX syslog messages are showing up in
> /var/log/messages but not in /var/log/pix. I'm confused as to why.
> Here's a sample of the messages.
>
>     Feb 14 10:15:46 pix1.ircla.test.com %PIX-2-106007: Deny inbound UDP
>     from 198.6.1.2/53 to 192.168.0.158/1352 due to DNS Response
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
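As an added illustration (not code from either poster), here is a small Python model of the pieces this thread juggles: the severity embedded in a "%PIX-2-106007" message, the numeric facility from "logging facility N" (16 to 23 are local0 to local7), the PRI value that travels in the UDP datagram, the "logging trap" cutoff, and which syslog.conf selectors would catch the message. It assumes one selector per rule and does not model the "+hostname" block; the sample line is the one Joseph quoted from /var/log/messages.

```python
import re

# PIX "logging facility N" takes the numeric syslog facility; 16..23 map to local0..local7.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
# PIX keyword for each severity 0..7, and the syslog.conf level name for the same severity.
PIX_LEVELS = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
CONF_LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Messages look like '%PIX-<severity>-<6-digit id>: <text>'.
PIX_MSG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")
# Constructed sample: the line quoted from /var/log/messages in the thread.
SAMPLE = ("Feb 14 10:15:46 pix1.ircla.test.com %PIX-2-106007: Deny inbound UDP "
          "from 198.6.1.2/53 to 192.168.0.158/1352 due to DNS Response")

def decode_pix_message(line):
    """Return (severity, message id, text) for a line carrying a %PIX-s-nnnnnn message."""
    m = PIX_MSG.search(line)
    if m is None:
        raise ValueError("not a PIX syslog message: %r" % line)
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def syslog_pri(facility, severity):
    """PRI value sent as '<PRI>' at the start of the UDP syslog datagram."""
    return facility * 8 + severity

def would_trap(severity, trap):
    """'logging trap <level>' forwards messages at that level or more urgent (lower number)."""
    level = PIX_LEVELS.index(trap) if isinstance(trap, str) else trap
    return severity <= level

def selector_matches(selector, facility, severity):
    """Does a BSD syslog.conf selector ('local7.*', 'local4.err', 'local7.none') catch
    this message?  A named level matches it and everything more urgent; 'none' matches
    nothing.  The '+hostname' block matching is not modelled."""
    fac, lvl = selector.split(".")
    fac_ok = fac == "*" or FACILITY_NAMES.get(facility) == fac
    if lvl == "none":
        return False
    lvl_ok = lvl == "*" or severity <= CONF_LEVELS.index(lvl)
    return fac_ok and lvl_ok

def route_message(facility, line, trap, rules):
    """Files a message reaches, given the PIX facility, its trap level and (selector, file) rules."""
    severity, _, _ = decode_pix_message(line)
    if not would_trap(severity, trap):
        return []
    return [path for sel, path in rules if selector_matches(sel, facility, severity)]
```

With Joseph's "logging facility 20", the sample message goes out as PRI 162 (local4, severity 2), so a "local7.*" rule like Robert's would never match it; a "*.*" rule does, which is why it appears in /var/log/messages.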