Firewall Wizards mailing list archives
RE: pix 501 logging question
From: "Paul Melson" <psmelson () comcast net>
Date: Mon, 7 Mar 2005 11:32:56 -0500
Nate,
From what I can see, you have your access-list configured correctly. What do your logging commands look like? What version of PIX OS are you running?

The only thing I can think of off the top of my head is that you're not seeing messages because the default interval (300s) is longer than you anticipate. You could modify that line of your config to use a smaller interval and see if it makes a difference:

    access-list inbound deny ip any any log 4 interval 10

Then your flows for that line would only last for 10s (but who cares since it's a deny, right?), which would lead to more syslog data from persistent dropped traffic, but make dropped traffic more 'visible.' Also, the default log level for access-list logging is 6, but if you can see one you should see them all, so I doubt that's an issue.

You don't need to force the PIX to log these denials, though. Packets that are blocked by access-list are logged by default. If you're using 'no logging message' and then turning specific messages back on as a way of filtering syslog data, then you will need to issue 'logging message 106023 level 4' (or whatever level is being sent to your syslog server) to see these messages. If you're filtering at the syslog server, then you're probably getting these messages and will need to adjust your parsing as appropriate to see them.

I recommend sticking with the default PIX syslog ID in your messages, especially if they may end up going through a log analyzer like Sawmill or eIQ. Many of these programs (even some of the free Perl scripts) rely on the message number to determine what kind of activity they're looking at. Since 106100 is a generic syslog ID that corresponds to the 'access-list log' command, your data would probably be off as a result.

PaulM

-----Original Message-----
Subject: [fw-wiz] pix 501 logging question

Wizards,

I need some clarification on logging via syslog with a PIX-501 running 6.3(3). I have an ACL called "inbound" bound to the outside interface. When I append the following rule to "inbound", for some reason unsolicited traffic isn't logged:

    access-list inbound deny ip any any log 4

The other elements which permit traffic seem to work as advertised. For example, I have this rule to permit access to my mail servers:

    access-list inbound permit tcp any object-group mx_hosts eq smtp log 4

and connections are logged to syslog that look like this:

    Mar 2 12:47:14 192.xxx.xxx.xxx Mar 02 2005 12:47:14: %PIX-4-106100: access-list inbound permitted tcp outside/205.206.xxx.xxx(27652) -> inside/66.91.xxx.xxx(25) hit-cnt 2 (300-second interval)

Any suggestions on how to properly configure the PIX to log unsolicited tcp/udp/icmp traffic on the outside (security0) interface? I would like to see PIX-4-106100 messages for the denied traffic.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
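As an added example (not code from the thread), a small Python parser that classifies PIX ACL syslog lines by message ID, so that an analyzer keyed only on 106100 does not silently drop the default 106023 deny messages the reply describes. The 106100 sample mirrors the line quoted in the question; the 106023 line follows the PIX 6.x message format as an assumption, and all addresses are constructed.

```python
import re
from collections import namedtuple

# Constructed sample syslog lines. The first mirrors the 106100 line quoted in the
# thread; the 106023 line follows the format PIX 6.x uses for its default ACL deny
# logging (assumed format; addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Mar 02 2005 12:47:14: %PIX-4-106100: access-list inbound permitted tcp outside/203.0.113.5(27652) -> inside/192.0.2.25(25) hit-cnt 2 (300-second interval)
Mar 02 2005 12:47:20: %PIX-4-106100: access-list inbound denied udp outside/198.51.100.7(5353) -> inside/192.0.2.25(5353) hit-cnt 1 (10-second interval)
Mar 02 2005 12:47:21: %PIX-4-106023: Deny tcp src outside:198.51.100.9/40000 dst inside:192.0.2.25/23 by access-group "inbound"
"""

# 106100: emitted by an ACE carrying the 'log' keyword; one message per flow per interval.
RE_106100 = re.compile(
    r"%PIX-(?P<level>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>\S+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>\S+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+) \((?P<interval>\d+)-second interval\)")
# 106023: the default per-packet deny message, emitted without any 'log' keyword.
RE_106023 = re.compile(
    r'%PIX-(?P<level>\d)-106023: Deny (?P<proto>\S+) src (?P<src_if>\S+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\S+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"')

# One record per ACL log message; interval is None for per-packet 106023 messages.
AclEvent = namedtuple("AclEvent", "msg_id level acl action proto src dst hits interval")

def _event(msg_id, g, action, hits, interval):
    # Normalise both message shapes into the same record so downstream logic is ID-agnostic.
    return AclEvent(msg_id, int(g["level"]), g["acl"], action, g["proto"],
                    f'{g["src_if"]}/{g["src_ip"]}:{g["src_port"]}',
                    f'{g["dst_if"]}/{g["dst_ip"]}:{g["dst_port"]}', hits, interval)

def parse_line(line):
    """Classify one PIX syslog line by message ID; returns None for non-ACL lines."""
    if m := RE_106100.search(line):
        g = m.groupdict()
        return _event(106100, g, g["action"], int(g["hits"]), int(g["interval"]))
    if m := RE_106023.search(line):
        return _event(106023, m.groupdict(), "denied", 1, None)
    return None

def parse_log(text):
    """Parse a whole syslog capture, skipping lines that are not ACL messages."""
    return [e for e in map(parse_line, text.splitlines()) if e]

def denied(events, only_106100=False):
    """Denies across both IDs; only_106100=True mimics an analyzer keyed on 106100 alone."""
    return [e for e in events if e.action == "denied" and (not only_106100 or e.msg_id == 106100)]
```

Run over the sample, `denied(events)` returns both drops while `denied(events, only_106100=True)` misses the 106023 one, which is exactly the parsing gap the reply warns about.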
Current thread:
- pix 501 logging question NI (Mar 04)
- RE: pix 501 logging question Paul Melson (Mar 09)