Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Message Guide, 2.3
Introduction

Table Of Contents

Introduction

Changed Messages

Changed Messages in Release 2.3

Logging Command Overview

Enabling Logging

Testing the Logging Output

Setting the Syslog Output Location

Sending Syslog Messages to the Buffer

Sending Syslog Messages to a Telnet Session

Sending Syslog Messages to a Syslog Server

Sending Syslog Messages to an SNMP Management Station

Receiving SNMP Requests

Sending SNMP Traps

Disabling and Enabling Specific Syslog Messages

Disabling Specific Syslog Messages

Viewing a List of Disabled Syslog Messages

Reenabling Specific Disabled Syslog Messages

Reenabling All Disabled Syslog Messages

Understanding Log Messages

Log Message Format

Severity Levels

Variables

Other Remote Management and Monitoring Tools

Cisco PIX Device Manager

Cisco Secure Policy Manager

SNMP Traps

Telnet


Introduction


This chapter lists new and deleted messages in recent versions of the Firewall Services Module software. It also describes how to view and manage system messages, how to understand the messages, and describes other remote management and monitoring tools that are available.


Note Not all system messages represent error conditions. Some messages report normal events.


This chapter includes the following sections:

Changed Messages

Logging Command Overview

Enabling Logging

Setting the Syslog Output Location

Disabling and Enabling Specific Syslog Messages

Understanding Log Messages

Other Remote Management and Monitoring Tools

Changed Messages

This section lists changed messages for this software release.

Changed Messages in Release 2.3

The following message numbers were changed in release 2.3 (from release 2.2):

%FWSM-6-109024: Authorization denied from source_IP_Address/src_port to dest_IP_Address/dest_port (not authenticated) on interface interface_name using protocol (was %FWSM-6-109009 in release 2.2)

%FWSM-6-109025: Authorization denied (acl=acl_ID) for user 'user' from source_address/source_port to dest_address/dest_port on interface interface_name using protocol (was %FWSM-6-109015 in release 2.2)

Logging Command Overview

Table 1-1 lists the FWSM logging commands that you can use to configure and manage logging. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for detailed descriptions of these commands and for additional logging commands. To use the logging command, access the configuration mode on the FWSM by entering the configure terminal command.

Many of the logging commands require that you specify a severity level threshold to indicate which syslog messages can be sent to the output locations. The lower the level number, the more severe the error. The default severity level is 3. Specify the severity level as either a number or a keyword as described in Table 1-2. The level you specify causes the FWSM to send messages of that level or lower to the output location; for example, if you specify severity level 3, the FWSM sends severity level 1, 2, and 3 messages to the output location.


Note Syslog does not generate level 0 emergency messages. This level is provided in the logging command for compatibility with the UNIX syslog feature, but is not used by the FWSM.


Table 1-1 FWSM Logging Commands 

Type
Command
Description

Enabling Logging

logging on

Enables transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command.

You must also set a logging output location to see any logs.

Disabling Specific Logging Messages

no logging message syslog_id level level

Disables specific syslog messages. Use the logging message syslog_id command to resume logging of specific disabled messages.

show logging disabled

Displays a complete list of disabled syslog messages.

clear logging disabled

Reenables all disabled syslog messages.

Specifying and Managing Output Locations

logging buffered level

Enables logging to the internal buffer so you can view syslog messages with the show logging command.

clear logging

Clears the message buffer created with the logging buffered command.

logging console level

Enables logging to the system console and displays syslog messages as they occur. Use this command when you are debugging problems or when there is minimal load on the network. Do not use this command when the network is busy, as it can reduce FWSM performance.

logging monitor level

Enables logging to Telnet sessions and displays syslog messages as they occur when you access the FWSM console with Telnet. You must also enter the terminal monitor command to enable logging for each Telnet session.

logging host in_intf ip_addr [prot/port] [format emblem] [interface if1 [if2] ... ]

Specifies a host that receives the syslog messages (a syslog server). The FWSM can send messages across UDP or TCP. The default protocol and port are UDP/514. The default TCP port (if specified) is 1468. The format emblem option enables EMBLEM formatting (UDP only). If the interface option is entered, only messages associated with the specified interfaces will be sent to the host.

logging facility number

Sets the logging facility for a syslog server. The default is 20.

logging history level

Enables SNMP logging and sets the logging level for SNMP traps.

logging trap level

Enables logging to servers. See Table 1-2 for more information.

Logging Options

logging rate-limit num [interval] message syslog_id

Rate limits the number of syslogs generated from the module. To remove access lists from the configuration, use the no form of this command.

logging queue queue_size

Specifies the number of syslog messages that can appear in the message queue while awaiting processing. The default is 512 messages; set to 0 (zero) to specify unlimited messages. Use the show logging queue command to view queue statistics.

show logging

Lists the current syslog messages and which logging command options are enabled.

show logging message all

Shows the current level and state of every syslog message.

show logging message syslog_id

Displays the current level of a specific message.

logging message

logging message syslog_id new_level

Changes the default level of a syslog message.

no logging message syslog_id new_level

Restores a specific message to its default level.


Enabling Logging

These steps enable logging; however, you must also set an output location to view the log messages. See the "Setting the Syslog Output Location" section for more information. To enable logging, follow these steps:


Step 1 To enable logging, enter:

logging on

By default, the logging level is set to 3 (error).

Step 2 To change the logging level, enter:

logging trap level (1-7)

Step 3 To view your logging settings, enter:

show logging


Testing the Logging Output

To test the logging output, follow these steps:


Step 1 To initiate a log message to be sent to the console, enter:

logging console 7
quit

This test generates the following syslog message:

111005: nobody End configuration: OK

This message states that you exited configuration mode. "111005" is the message identifier number (see Chapter 2, "System Messages," for more information about this message). The term "nobody" indicates that you are accessing the FWSM console from the serial console port.

Step 2 To disable logging to the console, enter:

no logging console 7
quit


You should only use the logging console command for testing. When the FWSM is active, only use these commands:

logging buffered to store messages

show logging to view messages

clear logging to clear the messages displayed by the logging buffered command

Setting the Syslog Output Location

This section includes the following topics:

Sending Syslog Messages to the Buffer

Sending Syslog Messages to a Telnet Session

Sending Syslog Messages to a Syslog Server

Sending Syslog Messages to an SNMP Management Station

You can configure the FWSM system software to send syslog messages to the output location of your choice. The FWSM provides several output locations for sending syslog messages:

The console

We recommend sending syslog messages directly to the console only during testing. See the "Testing the Logging Output" section.

The buffer

A Telnet connection

A host running a syslog server

An SNMP management station

Sending Syslog Messages to the Buffer

To send syslog messages to the logging buffer, and then view the buffer on the FWSM console, follow these steps:


Step 1 To store messages for display, enter the following command:

logging buffered level (1-7)

Step 2 To view the messages on the console, enter the following command:

show logging

Step 3 To clear the buffer so that viewing new messages is easier, enter:

clear logging

Step 4 To disable message logging, enter:

no logging buffered

New messages append to the end of the listing.


Sending Syslog Messages to a Telnet Session

To view syslog messages in a Telnet session, follow these steps:


Step 1 If you have not done so already, configure the FWSM to let a host on the inside interface access the FWSM.

a. Enter:

telnet ip_address [subnet_mask] [if_name]

For example, if a host has the IP address 192.168.1.2, the command is:

telnet 192.168.1.2 255.255.255.255

b. Set the duration that a Telnet session can be idle before FWSM disconnects the session to a value greater than the default of 5 minutes. A good value is at least 15 minutes, which you can set as follows:

telnet timeout 15

Step 2 Start Telnet on your host and specify the inside interface of the FWSM.

When Telnet connects, the FWSM prompts you with the following:

FWSM passwd

Step 3 Enter the Telnet password, which is cisco by default.

Step 4 To enable configuration mode, enter:

enable
(Enter your password at the prompt)
configure terminal

Step 5 To start message logging, enter:

logging monitor level (1-7)

Step 6 To send logs to this Telnet session, enter:

terminal monitor

This command enables logging only for the current Telnet session. The logging monitor command sets the logging preferences for all Telnet sessions, while the terminal monitor (and terminal no monitor) commands control logging for each individual Telnet session.

Step 7 Trigger some events by pinging a host or starting a web browser.

The syslog messages then appear in the Telnet session window.

Step 8 When done, disable this feature with the following commands:

terminal no monitor
no logging monitor


Sending Syslog Messages to a Syslog Server

If you send messages to a host, they are sent using either UDP or TCP. The host must run a program (known as a server) called syslogd. UNIX provides a syslog server as part of its operating system. For Windows 95 or Windows 98, obtain a syslog server from another vendor.

See the Cisco PIX Firewall and VPN Configuration Guide for the procedure to configure syslogd. On the logging server, you can specify actions to execute when certain types of messages are logged; for example, sending email, saving records to a log file, or displaying messages on a workstation.

To configure the firewall to send messages to a syslog server, follow these steps:


Step 1 To designate a host to receive the messages, enter:

logging host [interface] ip_address [tcp[/port] | udp[/port]] [format emblem]

For example:

logging host dmz1 192.168.1.5

You can enter this command multiple times to specify additional servers so that if one goes offline, another is available to receive messages.

Step 2 To set the logging level, enter:

logging trap level (1-7)

We recommend that you use the debugging (7) level during initial setup and during testing. After the setup, set the level from debugging to errors (3) for use in your network.

Step 3 If you want to include the device ID in each message, enter:

logging device-id {hostname | ipaddress if_name | string text}

The message includes the specified device ID (either the hostname and IP address of the specified interface [even if the message comes from another interface] or a string) in messages sent to a syslog server. The device ID does not appear in EMBLEM-formatted messages, SNMP traps, or on the firewall console, management session, or buffer.

Step 4 If needed, set the logging facility to a value other than its default of 20. Most UNIX systems expect the messages to arrive at facility 20:

logging facility number


If all syslog servers are offline, FWSM stores up to 100 messages in its memory. Subsequent messages that arrive overwrite the buffer starting from the first line.

Sending Syslog Messages to an SNMP Management Station

To receive syslog messages on an SNMP management station, complete the following procedures:

Receiving SNMP Requests

Sending SNMP Traps

Receiving SNMP Requests

To enable the FWSM to receive requests from an SNMP management station, follow these steps:


Step 1 To set the IP address of the SNMP management station, enter:

snmp-server host [if_name] ip_addr

Step 2 Set other SNMP server settings as required:

snmp-server location text
snmp-server contact text
snmp-server community key

See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information.


Sending SNMP Traps

To send log messages as traps from the FWSM to an SNMP management station (cold start, link up, and link down generic traps are already enabled by the "Receiving SNMP Requests" procedure), follow these steps:


Step 1 To enable sending syslog traps, enter:

snmp-server enable traps

Step 2 To set the logging level, enter:

logging history level (1-7)

We recommend that you use the debugging (7) level during initial setup and during testing. After setup, set the level from debugging (7) to a lower value for use in your network.

Step 3 To disable sending syslog traps, enter:

no snmp-server enable traps


Disabling and Enabling Specific Syslog Messages

The following sections describe how to disable, reenable, or view disabled syslog messages:

Disabling Specific Syslog Messages

Viewing a List of Disabled Syslog Messages

Reenabling Specific Disabled Syslog Messages

Reenabling All Disabled Syslog Messages

Disabling Specific Syslog Messages

Enter the following command to disable specific syslog messages:

no logging message message_number

The message_number value is the specific message you want to disable.


Note The following message cannot be disabled:
%FWSM-6-199002: FWSM startup completed. Beginning operation.


Viewing a List of Disabled Syslog Messages

To view a list of disabled syslog messages, enter the following command:

show logging disabled

Reenabling Specific Disabled Syslog Messages

To reenable disabled syslog messages, enter the following command:

logging message message_number

where the message_number value is the specific message you want to reenable.

Reenabling All Disabled Syslog Messages

To reenable all disabled syslog messages, enter the following command:

clear logging message

Understanding Log Messages

This section includes the following topics:

Log Message Format

Severity Levels

Variables

Log Message Format

System log messages begin with a percent sign (%) and are structured as follows:

%FWSM-Level-Message_number: Message_text

FWSM

Identifies the message facility code for messages generated by the FWSM. This value is always FWSM.

Level

The level reflects the severity of the condition described by the message. The levels are 1-7. The lower the number, the more severe the condition. See Table 1-2 for more information.

Message_number

A unique 6-digit number that identifies the message.

Message_text

A text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers, or usernames. Table 1-3 lists the variable fields and the type of information in them.



Note Syslog messages received at the FWSM serial console contain only the code portion of the message. When you view the message description in Chapter 2, "System Messages," the description also provides the severity level.


Severity Levels

Table 1-2 lists the severity levels. Logging is set to level 3 (error) by default.


Note Syslog does not generate level 0 emergency messages. This level is provided in the logging command for compatibility with the UNIX syslog feature, but is not used by the FWSM.


Table 1-2 Log Message Severity Levels

Level Number   Level Keyword   Description
0              emergency       System unusable.
1              alert           Immediate action needed.
2              critical        Critical condition.
3              error           Error condition.
4              warning         Warning condition.
5              notification    Normal but significant condition.
6              informational   Informational message only.
7              debugging       Appears during debugging only.


Appendix A, "Messages Listed by Severity Level" lists which messages occur at each severity level.
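As an added example (not Cisco code), the following Python parses messages in the format described above, including the serial-console form that carries only the code portion and a leading syslog PRI as a syslog server receives it, applies the "that level or lower" threshold the logging commands use, and maps the release 2.2 message numbers listed under Changed Messages to their release 2.3 numbers. The sample lines, the ACL, user and address values in them, and all function names are constructed for this example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Added example for the "Log Message Format" and "Severity Levels" sections;
# not Cisco code. Table 1-2 keywords: level 0 exists for UNIX syslog
# compatibility only and is never generated by the FWSM.
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debugging"}
# "Changed Messages in Release 2.3": numbers renumbered from release 2.2.
RELEASE_22_TO_23 = {109009: 109024, 109015: 109025}
# Full form: %FWSM-Level-Message_number: Message_text
FULL_RE = re.compile(r"^%FWSM-(?P<level>[0-7])-(?P<num>\d{6}): (?P<text>.*)$")
# Serial-console form carries only the code portion, without the level.
CONSOLE_RE = re.compile(r"^(?P<num>\d{6}): (?P<text>.*)$")
# Optional syslog PRI prefix as received by a syslog server (RFC 3164).
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")

class FwsmMessage(NamedTuple):
    level: Optional[int]   # None for console-form lines
    number: int
    text: str

def keyword(level: Optional[int]) -> Optional[str]:
    """Table 1-2 keyword for a level, or None for console-form lines."""
    return None if level is None else SEVERITY.get(level)

def syslog_pri(level: int, facility: int = 20) -> int:
    """PRI a syslog server sees in '<PRI>': facility*8 + severity.
    Facility 20 (local4) is the FWSM default (logging facility 20)."""
    return facility * 8 + level

def parse_line(line: str, release_22_source: bool = False) -> FwsmMessage:
    """Parse one message line; map release-2.2 numbers to 2.3 if asked."""
    line = line.strip()
    pri = PRI_RE.match(line)
    if pri:
        line = pri.group(2)
    m = FULL_RE.match(line) or CONSOLE_RE.match(line)
    if not m:
        raise ValueError(f"not an FWSM message: {line!r}")
    groups = m.groupdict()
    level = int(groups["level"]) if groups.get("level") else None
    number = int(groups["num"])
    if release_22_source:
        number = RELEASE_22_TO_23.get(number, number)
    return FwsmMessage(level, number, groups["text"])

def triage(lines: List[str], logging_level: int = 3,
           release_22_source: bool = False) -> List[Tuple[int, Optional[str]]]:
    """(number, keyword) for each line the FWSM would forward: 'logging trap 3'
    sends levels 1, 2 and 3, so keep messages at or below the threshold.
    Console-form lines carry no level and are kept; non-FWSM lines are skipped."""
    kept = []
    for line in lines:
        try:
            msg = parse_line(line, release_22_source)
        except ValueError:
            continue
        if msg.level is None or msg.level <= logging_level:
            kept.append((msg.number, keyword(msg.level)))
    return kept

# Constructed sample lines (not captured from a device).
SAMPLE = [
    "<166>%FWSM-6-199002: FWSM startup completed. Beginning operation.",
    "%FWSM-6-109025: Authorization denied (acl=acl_in) for user 'jdoe' "
    "from 10.1.1.5/3021 to 10.2.2.7/80 on interface inside using TCP",
    "111005: nobody End configuration: OK",
    "random text that is not a syslog line",
]
```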

Variables

Log messages often contain variables. Table 1-3 lists most variables that are used in this guide to describe log messages. Some variables that appear in only one log message are not listed.

Table 1-3 Variable Fields in Syslog Messages

Misc.

acl_ID: An ACL name.

command: A command name.

command_modifier: One of the following strings: cmd (this string means the command has no modifier), clear, no, show.

connection_type: The connection type: SIGNALLING UDP, SIGNALLING TCP, SUBSCRIBE UDP, SUBSCRIBE TCP, Via UDP, Route, RTP, or RTCP.

device: The memory storage device. For example, the floppy disk, Flash memory, TFTP, the failover standby unit, or the console terminal.

filename: A filename of the type FWSM image, PDM file, or configuration.

privilege_level: The user privilege level.

reason: A text string describing the reason for the message.

string: Text string (for example, a username).

tcp_flags: Flags in the TCP header such as ACK, FIN, PSH, RST, SYN, or URG.

url: A URL.

user: A username.

Numbers

number: A number. The exact form depends on the log message.

bytes: The number of bytes.

code: A decimal number returned by the message to indicate the cause or source of the error, depending on the message.

connections: The number of connections.

elimit: Number of embryonic connections specified in the static or nat command.

econns: Number of embryonic connections.

nconns: Number of connections permitted for the static or xlate table.

time: Duration, in the format hh:mm:ss.

dec: Decimal number.

hex: Hexadecimal number.

octal: Octal number.

Addresses

IP_address: IP address in the form n.n.n.n, where n is an integer from 1 to 255.

MAC_address: The MAC address.

outside_address: Outside (or foreign) IP address, an address of a host typically on a lower security level interface in a network beyond the outside router.

inside_address: Inside (or local) IP address, an address on a higher security level interface.

global_address: Global IP address, an address on a lower security level interface.

source_address: The source address of a packet.

dest_address: The destination address of a packet.

real_address: The real IP address, before Network Address Translation (NAT).

mapped_address: The translated IP address.

gateway_address: The network gateway IP address.

netmask: The subnet mask.

Interfaces

interface_number: The interface number, 1 to n, where the number is determined by the order in which the interfaces load in the FWSM. For example, see the sample show nameif command output:

show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif token0 outside security20
nameif ethernet2 inside security30

In this example, ethernet0 would appear in a syslog message as interface 0, ethernet1 would be interface 1, token0 would be interface 2, and ethernet2 would be interface 3.

interface_name: The name assigned to the interface. Use the show nameif command to view the interfaces and their names.

Ports, Services, and Protocols

port: The TCP or UDP port number.

outside_port: The outside port number.

inside_port: The inside port number.

source_port: The source port number.

dest_port: The destination port number.

real_port: The real port number, before NAT.

mapped_port: The translated port number.

global_port: The global port number.

protocol: The protocol of the packet, for example, ICMP, TCP, or UDP.

service: The service specified by the packet, for example, SNMP or Telnet.


Other Remote Management and Monitoring Tools

In addition to the system log function, you can remotely monitor the FWSM using other tools, which are described in the following topics:

Cisco PIX Device Manager

Cisco Secure Policy Manager

SNMP Traps

Telnet

Cisco PIX Device Manager

The Cisco PIX Device Manager (PDM) is a single-device graphical user interface (GUI) that you can use to manage your FWSM. Refer to the Cisco PIX Device Manager Installation Guide for more information.

Cisco Secure Policy Manager

Cisco Secure Policy Manager (CSPM) is a security policy management system that allows you to define, distribute, enforce, and audit network-wide security policies from a central location. CSPM streamlines the tasks of managing complicated network security events, such as perimeter access control, Network Address Translation (NAT), IDS, and IPSec-based VPNs. CSPM provides system-auditing functions, including monitoring, event notification, and web-based reporting.

CSPM can receive syslog messages from the FWSM and provide notifications including email, paging, and scripting for designated syslogs. CSPM also provides reports of FWSM syslogs, including the top ten users and top ten websites. These reports can be provided both on-demand and by schedule. Reports can be e-mailed or viewed remotely from an SSL-enabled web browser.

See the following website for more information:

http://www.cisco.com/go/policymanager

SNMP Traps

To report FWSM events, you can use SNMP. To use this feature, you need to load the Cisco SYSLOG MIB and the Cisco SMI MIB onto the SNMP management station.

Telnet

You can log in to the FWSM console using Telnet from an internal host and monitor system status. If IPSec is enabled, you can also access the console from an external host. You can use the debug icmp trace and debug sqlnet commands from Telnet to view ICMP (ping) traces and SQL*Net accesses.

The Telnet console session also lets you use the logging monitor and terminal monitor commands to view syslog messages, as described in the "Sending Syslog Messages to a Telnet Session" section.