
List:       firewall-wizards
Subject:    RE: [fw-wiz] Syslog montioring and usage. (IMPORTANT
From:       Brian Ford <brford () cisco ! com>
Date:       2004-07-19 15:39:08
Message-ID: 4.3.2.7.2.20040719113906.026de280 () sj-email ! cisco ! com

Paul and List;

>PS - If you want to see everything the PIX can to the syslog server,
>make sure 'logging console debugging' is set in the config.

WARNING.  Whatever you do please do not do this on a production PIX!!!!!!!

"logging console debugging" sets the syslog level for messages sent to the 
_console_ (i.e. the console port or computer attached to the PIX via a 
serial cable) to debug.  That will generate lots of traffic to the serial 
port and not to the syslog device.

To set the syslog level for the syslog device use the command "logging trap 
...".

Unless you are actively debugging an issue ON A DEVICE ATTACHED TO THE 
CONSOLE PORT or trying to learn more about PIX on a non-production (or 
production PIX running at less than 40% CPU utilization) I would not 
suggest that you use "logging console...".  By default this should be 
disabled in production PIX environments.

Liberty for All,

Brian


At 10:55 PM 7/15/2004 -0400, firewall-wizards-request@honor.icsalabs.com wrote:
>Message: 8
>Subject: RE: [fw-wiz] Syslog montioring and usage.
>Date: Wed, 14 Jul 2004 09:00:23 -0400
>From: "Melson, Paul" <PMelson@sequoianet.com>
>To: "Chad Thomsen" <chad.thomsen@bramespecialty.com>,
>         <firewall-wizards@honor.icsalabs.com>
>
>Cisco publishes the definitions of all of the syslog messages that can
>be generated by a PIX firewall:
>
>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63
>syslog/index.htm
>
>As far as the 'IDS' syslog messages that it generates, keep in mind that
>the PIX is only capable of "atomic" checks, meaning that it only alerts
>on the behavior of a single packet.  Aside from some older DoS attacks
>and certain types of stealth port scans, the PIX is useless as an IDS.
>
>PaulM
>
>PS - If you want to see everything the PIX can to the syslog server,
>make sure 'logging console debugging' is set in the config.  Of course,
>on a busy firewall, this can lead to ~300MB/day in log files, so it may
>only be useful for a short period of time or when used in conjunction
>with automated log analysis software.


Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/

The opinions expressed in this message are those of the author and not 
necessarily those of Cisco Systems, Inc.

This email address is transmitted from San Jose, California, U.S.A..


_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
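
The console-versus-trap distinction made in the message above can be checked mechanically against a saved PIX configuration. This is an added example, not part of the original message or any Cisco tooling; the function names and both sample configurations are constructed for illustration, and 192.0.2.10 is a documentation address.

```python
import re

# Severity keywords for "logging <destination> <level>"; list index = numeric level.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]
DEST_RE = re.compile(r"^logging\s+(console|trap)\s+(\S+)$", re.I)
HOST_RE = re.compile(r"^logging\s+host\s+.*?(\d{1,3}(?:\.\d{1,3}){3})", re.I)

def parse_level(token):
    """Return the numeric severity 0-7 for a keyword or digit, else None."""
    token = token.lower()
    if token in LEVELS:
        return LEVELS.index(token)
    if token.isdigit() and int(token) < len(LEVELS):
        return int(token)
    return None

def audit_logging(config_text):
    """Collect logging destinations and flag console/trap misconfiguration."""
    levels, hosts, findings = {}, [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("no "):
            continue  # negated command: that destination stays disabled
        m = DEST_RE.match(line)
        if m:
            levels[m.group(1).lower()] = parse_level(m.group(2))
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.append(m.group(1))
    if "console" in levels:
        lvl = levels["console"]
        name = LEVELS[lvl] if lvl is not None else "unrecognised"
        findings.append(f"'logging console {name}' writes to the serial "
                        "console, not the syslog server; disable in production")
    if hosts and "trap" not in levels:
        findings.append("syslog host defined but no 'logging trap' level set")
    if "trap" in levels and not hosts:
        findings.append("'logging trap' set but no 'logging host' defined")
    return {"levels": levels, "hosts": hosts, "findings": findings}

# Constructed sample configurations (not taken from a real device).
BAD = "logging console debugging\nlogging host inside 192.0.2.10\n"
GOOD = "logging trap informational\nlogging host inside 192.0.2.10\n"

if __name__ == "__main__":
    for label, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, audit_logging(cfg)["findings"] or "no findings")
```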