Cisco PIX Firewall System Log Messages, Version 6.2
Introduction

Table Of Contents

Introduction

PIX Firewall System Log

Viewing Syslog Messages at the Console

Viewing Syslog Messages in a Telnet Console Session

Sending Syslog Messages to a Syslog Server

Disabling Specific Syslog Messages

Viewing a List of Disabled Syslog Messages

Reenabling Specific Disabled Syslog Messages

Reenabling All Disabled Syslog Messages

Receiving SNMP Requests

Sending SNMP Traps

How to Read System Log Messages

How Log Messages Are Organized

Other Remote Management and Monitoring Tools

Cisco PIX Device Manager

Cisco Secure Policy Manager

SNMP Traps

Telnet


Introduction


This chapter includes the following sections:

PIX Firewall System Log

How to Read System Log Messages

How Log Messages Are Organized

Other Remote Management and Monitoring Tools

PIX Firewall System Log

This section includes the following topics:

Viewing Syslog Messages at the Console

Viewing Syslog Messages in a Telnet Console Session

Sending Syslog Messages to a Syslog Server

Disabling Specific Syslog Messages

Viewing a List of Disabled Syslog Messages

Reenabling Specific Disabled Syslog Messages

Reenabling All Disabled Syslog Messages

Receiving SNMP Requests

Sending SNMP Traps

This guide describes the system log messages for the Cisco PIX Firewall. You can configure the PIX Firewall system software to send these messages to the output location of your choice. For example, you can specify that log messages be sent to the console, to any Telnet session actively connected to the PIX Firewall console, or to a logging server elsewhere on the network.


Note This guide describes syslog messages for Cisco PIX Firewall version 6.2 and higher. Messages that display on the console from non-syslog errors and those for versions prior to 6.2 are considered beyond the scope of this document.



Note Syslog does not generate level 0 emergency messages. This level is provided in the logging command for compatibility with the UNIX syslog feature, but is not used by PIX Firewall.


PIX Firewall can deliver syslog messages to several output locations: the console (the serial port or a Telnet console session), an internal message buffer on the firewall, a host running a syslog server, and an SNMP management station (as traps). Each location has its own severity threshold, set by the logging commands in Table 1-1.


Note You can also view syslog messages using the Monitoring tab within Cisco PIX Device Manager (PDM). Refer to the PDM online Help for additional information.


If you send messages to a host, they are sent using either UDP (the default, port 514) or TCP (port 1468). The host must run a syslog server program, traditionally called syslogd. UNIX provides a syslog server as part of its operating system. For Windows 95 or Windows 98, obtain a syslog server from another vendor. UDP delivery is unacknowledged, so messages dropped on the network are simply lost; with TCP the PIX Firewall treats an unreachable syslog server as a failure and stops admitting new connections through the firewall until the server is reachable again, so test that behaviour before relying on TCP in production.

The Cisco PIX Firewall and VPN Configuration Guide describes the procedure for configuring syslogd. On the logging server, you can specify actions to execute when certain types of messages are logged; for example, sending email, saving records to a log file, or displaying messages on a workstation.

Not all system log messages represent error conditions. Some messages simply report normal events.

Table 1-1 lists the PIX Firewall logging commands you can use to configure and manage logging. See the Cisco PIX Firewall Command Reference for detailed descriptions and additional logging commands. Access to the logging command requires that you access configuration mode on the PIX Firewall with the configure terminal command.

Many of the logging commands require that you specify a severity level threshold to indicate which syslog messages can be sent to the output locations. The lower the level number, the more severe the error. The default severity level is 3. Specify the severity level as either a number or a keyword as described in Table 1-2. The level you specify causes PIX Firewall to send messages of that level or lower to the output location; for example, if you specify severity level 3, PIX Firewall sends severity level 1, 2, and 3 messages to the output location.

Table 1-1 PIX Firewall Logging Commands 

Command
Description

logging on

Enables transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command.

no logging message message_number

Disables specific syslog messages. Use the logging message message_number command to resume logging of specific disabled messages.

logging buffered severity_level

Stores syslog messages in the PIX Firewall so you can view them with the show logging command. We recommend that you use this command to view syslog messages when the PIX Firewall is in use in a network.

clear logging

Clears the message buffer created with the logging buffered command.

clear logging message

Re-enables all disabled syslog messages.

logging console severity_level

Displays syslog messages on the PIX Firewall console as they occur. Use this command when you are debugging problems or when there is minimal load on the network. Do not use this command when the network is busy, as it can reduce PIX Firewall performance.

logging device-id {hostname | ipaddress if_name | string text}

If enabled, the PIX Firewall displays the device ID in all syslog messages. If the ipaddress option is used, the device ID becomes the specified PIX Firewall interface IP address, regardless of the interface from which the message is sent. This provides a single consistent device ID for all messages sent from the device.

logging monitor severity_level

Displays syslog messages when accessing the PIX Firewall console with Telnet.

logging host [interface] ip_address [protocol/port]

Specifies a host that receives the syslog messages. The PIX Firewall can now send messages across UDP or TCP (as specified by setting the protocol variable). The default UDP port is 514. The default TCP port is 1468.

logging history severity_level

Sets the logging level for SNMP traps.

logging queue msg_count

Specifies the number of syslog messages that can appear in the message queue while awaiting processing. The default is 512 messages; set to 0 (zero) to mean unlimited. Use the show logging queue command to view queue statistics.

logging trap severity_level

Sets the logging level for syslog messages.

show logging disabled

Displays a complete list of disabled syslog messages.

show logging

Lists the current syslog messages and which logging command options are enabled.



Note The logging device-id command only exists on PIX 6.2.2.115 builds and later.


You can test the logging command by entering configuration mode on the PIX Firewall, using the logging console 7 command to enable logging and then exiting configuration mode with the quit command. This test generates the following syslog message.

111005: nobody End configuration: OK

This message states that you exited configuration mode. "111005" is the message identifier number, which you can refer to in "System Log Messages." The term "nobody" indicates you are accessing the PIX Firewall console from the serial console port. The logging console command should only be used for testing. When the PIX Firewall is in production, only use the logging buffered command to store messages, the show logging command to view messages, and the clear logging command to clear the messages displayed by the logging buffered command.

You can also use the show logging command to view which options are enabled.

The logging command appends new messages to the end of the display.

The sections that follow describe how to use the logging commands.

Viewing Syslog Messages at the Console

Follow these steps to view syslog messages at the PIX Firewall console:


Step 1 Store messages for display by entering the following command:

logging buffered 7

You can replace 7 with a lower severity level if preferred.

Step 2 View the messages with the following command:

show logging

Step 3 Use the clear logging command to clear the buffer so that viewing new messages is easier.

Step 4 You can disable message logging with the no logging buffered command. New messages append to the end of the listing.


Viewing Syslog Messages in a Telnet Console Session

Follow these steps to view syslog messages in a Telnet console session:


Step 1 If you have not done so already, configure the PIX Firewall to let a host on the inside interface access the PIX Firewall with the telnet command. For example, if a host has the IP address 192.168.1.2, the command would be as follows.

telnet 192.168.1.2 255.255.255.255

You should also set the duration that a Telnet session can be idle before PIX Firewall disconnects the session to a value greater than the default of 5 minutes. A good value is at least 15 minutes, which you can set as follows.

telnet timeout 15

Step 2 Start Telnet and specify the inside interface of the PIX Firewall. For example, if the inside interface of the PIX Firewall is 192.168.1.1, the command to start Telnet would be as follows.

telnet 192.168.1.1

Step 3 When Telnet connects, the PIX Firewall prompts you with PIX passwd:. Enter the Telnet password. The factory default is cisco; change it with the passwd command before the console is reachable from any network, and keep the telnet command restricted to the specific management hosts that need access, because Telnet sends both the password and the session contents in the clear.

Step 4 Use the enable command followed by the configure terminal command to get to configuration mode.

Step 5 Start message logging with the logging monitor command.

Step 6 Display messages directly to the Telnet session by entering the terminal monitor command. You can disable directly displaying messages by entering the terminal no monitor command.

Step 7 Trigger some events by pinging a host or starting a web browser. The syslog messages then appear in the Telnet session window.

Step 8 When done, disable this feature with the following commands:

terminal no monitor
no logging monitor

Sending Syslog Messages to a Syslog Server

Follow these steps to send messages to a syslog server:


Step 1 Designate a host to receive the messages with the logging host command as shown in the following example:

logging host dmz1 192.168.1.5

You can specify additional servers by repeating the command; the PIX Firewall sends every message to each configured server, so a second server keeps a complete record if the first goes offline.

Step 2 Set the logging level with the logging trap command as follows:

logging trap debugging

We recommend that you use the debugging level during initial setup and during testing. Thereafter, set the level from debugging to errors (level 3) for production use. Note that a level 3 threshold also stops the informational (level 6) connection messages from reaching the server; choose the production threshold from what you need to investigate, not only from message volume.

Step 3 If needed, set the logging facility command to a value other than its default of 20. Facility 20 is LOCAL4 in UNIX syslog terms, so configure the syslog server to file local4 messages where you want them, or change the PIX Firewall facility to match an existing server configuration.

Step 4 Start sending messages with the logging on command. To disable sending messages, use the no logging on command.

If all syslog servers are offline, PIX Firewall stores up to 100 messages in its memory. Once that store is full, newer messages overwrite it starting from the first entry, so anything older than the most recent 100 messages is lost; this is one reason to keep logging buffered enabled on the firewall itself.


Disabling Specific Syslog Messages

Enter the following command to disable specific syslog messages:

no logging message message_number

where message_number is the specific message you want to disable.


Note The following message cannot be disabled:
%PIX-6-199002: PIX startup completed. Beginning operation.


Viewing a List of Disabled Syslog Messages

To view a list of disabled syslog messages, enter the following command:

show logging disabled

Reenabling Specific Disabled Syslog Messages

To reenable disabled syslog messages, enter the following command:

logging message message_number

where message_number is the specific message you want to reenable.

Reenabling All Disabled Syslog Messages

To reenable all disabled syslog messages, enter the following command:

clear logging message
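The threshold rule described earlier (a destination receives messages at its configured level or lower) together with the no logging message and clear logging message commands in the sections above can be checked against a small model. The following Python is an added example written for this page, not Cisco software: the LoggingPolicy class, the configuration lines it reads and the sample messages (numbers 106001, 111005 and 199002 with constructed text) are this example's own assumptions.

```python
"""Model of PIX 6.2 syslog output selection, built from the logging
commands in Table 1-1: each destination has its own severity threshold,
a message reaches a destination when its level is numerically <= that
threshold, `no logging message N` drops message N everywhere, and
199002 cannot be disabled. Added example, not Cisco code; the
configuration lines and sample messages are constructed input.
"""
import re

# Severity keywords from Table 1-2 plus the plural forms the CLI also takes.
LEVEL_KEYWORDS = {}
for _n, _names in enumerate([
    ("emergency", "emergencies"), ("alert", "alerts"), ("critical",),
    ("error", "errors"), ("warning", "warnings"),
    ("notification", "notifications"), ("informational",), ("debugging",),
]):
    for _name in _names:
        LEVEL_KEYWORDS[_name] = _n

NEVER_DISABLED = {199002}           # "PIX startup completed" is always logged
DEFAULT_LEVEL = 3                   # the chapter: default severity level is 3
DESTINATIONS = ("buffered", "console", "monitor", "trap", "history")
HEADER = re.compile(r"%PIX-(?P<level>[0-7])-(?P<num>\d+): ")


def parse_level(token):
    """Accept a numeric level 0-7 or a severity keyword."""
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    return LEVEL_KEYWORDS[token]


class LoggingPolicy:
    def __init__(self):
        self.enabled = False        # nothing is sent until `logging on`
        self.thresholds = {}        # destination -> highest level sent there
        self.disabled = set()       # message numbers switched off
        self.other = []             # host/facility/queue lines, not modelled

    def apply(self, line):
        """Apply one logging configuration line to the policy."""
        words = line.split()
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        if words[0] == "clear":
            if words[1:] == ["logging", "message"]:
                self.disabled.clear()
            return                  # plain `clear logging` only empties the buffer
        if words[0] != "logging":
            raise ValueError("not a logging command: %r" % line)
        sub = words[1]
        if sub == "on":
            self.enabled = not negate
        elif sub == "message":
            num = int(words[2])
            if negate and num not in NEVER_DISABLED:
                self.disabled.add(num)
            else:
                self.disabled.discard(num)
        elif sub in DESTINATIONS:
            if negate:
                self.thresholds.pop(sub, None)
            else:
                self.thresholds[sub] = (parse_level(words[2])
                                        if len(words) > 2 else DEFAULT_LEVEL)
        else:
            self.other.append(line)

    def destinations(self, message):
        """Return the set of destinations that receive `message`."""
        m = HEADER.search(message)
        if not m:
            raise ValueError("no %%PIX-Level-Number header: %r" % message)
        level, num = int(m.group("level")), int(m.group("num"))
        if not self.enabled or num in self.disabled:
            return set()
        return {dest for dest, limit in self.thresholds.items() if level <= limit}


def demo():
    """Constructed production-style policy and messages (assumptions, not page data)."""
    policy = LoggingPolicy()
    for line in [
        "logging on",
        "logging buffered debugging",   # keep everything in the on-box buffer
        "logging trap errors",          # only levels 0-3 go to the syslog server
        "logging history warnings",     # levels 0-4 go out as SNMP traps
        "no logging message 111005",    # silence configuration-exit notices
        "no logging message 199002",    # no effect: startup message cannot be disabled
    ]:
        policy.apply(line)
    samples = [
        "%PIX-2-106001: Inbound TCP connection denied from 10.1.1.9/4096 to 192.168.1.2/23 flags SYN on interface outside",
        "%PIX-5-111005: 192.168.1.2 end configuration: OK",
        "%PIX-6-199002: PIX startup completed. Beginning operation.",
    ]
    return {msg.split(":")[0]: sorted(policy.destinations(msg)) for msg in samples}, policy


if __name__ == "__main__":
    for header, dests in demo()[0].items():
        print(header, "->", dests or "dropped")
```

The model makes the consequences of a production threshold visible: with logging trap errors the level 2 denial reaches the syslog server, but the level 6 startup message is only kept in the on-box buffer, and the silenced 111005 reaches nothing until clear logging message or logging message 111005 restores it.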

Receiving SNMP Requests

Follow these steps for the PIX Firewall to receive requests from an SNMP management station:


Step 1 Identify the IP address of the SNMP management station with the snmp-server host command.

Step 2 Set the snmp-server options for location, contact, and the community string as required. The community string is the only credential in an SNMP request and it travels in the clear, so treat it as a password: do not leave it at public, and limit requests to the management stations named with snmp-server host.


Sending SNMP Traps

Follow these steps to send traps from the PIX Firewall to an SNMP management station:


Step 1 If not performed already, complete both steps described in the "Receiving SNMP Requests" section.

If you only want to send the cold start, link up, and link down generic traps, no further configuration is required.

Step 2 Add an snmp-server enable traps command statement.

Step 3 Set the logging level with the logging history command as follows:

logging history debugging

We recommend that you use the debugging level during initial setup and during testing. Thereafter, set the level from debugging to a lower value for production use.

Step 4 Start sending syslog traps to the management station with the logging on command.


To disable sending syslog traps, use the no logging on command or the no snmp-server enable traps command.

How to Read System Log Messages

System log messages received at a syslog server begin with a percent sign (%) and are structured as follows:

%PIX-Level-Message_number: Message_text

"PIX" identifies the message facility code for messages generated by the PIX Firewall.

Level reflects the severity of the condition described by the message. The lower the number, the more severe the condition. Table 1-2 lists the severity levels. Logging is set to level 3 (error) by default.

Message_number is the numeric code that uniquely identifies the message.

Message_text is a text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers, or usernames. Table 1-3 lists the variable fields and the type of information in them.


Note Syslog messages received at the PIX Firewall serial console contain only the code portion of the message. When you view the message description in "System Log Messages," the description also provides the severity level.
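As an added example (not from the original chapter or from Cisco), the following Python parses a line in the %PIX-Level-Message_number: Message_text form as a syslog server receives it, where the text is preceded by the RFC 3164 <PRI> value (facility * 8 + severity) and the PIX default facility 20 is LOCAL4. It also accepts the console form that carries only the number and text. The sample lines are constructed, and parse_pix_syslog and its field names are this example's own.

```python
"""Parse a PIX 6.2 syslog line as delivered to a syslog server.
Added example for this page, not Cisco code; sample lines are constructed.

On the wire a syslog datagram begins with <PRI>, PRI = facility * 8 +
severity. The PIX default facility 20 is LOCAL4, and the PRI severity
should equal the Level in the %PIX-Level-Message_number header. Lines
copied from the serial console carry only `Message_number: text`, so
that form is accepted as well.
"""
import re

SEVERITY_NAMES = ["emergency", "alert", "critical", "error", "warning",
                  "notification", "informational", "debugging"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
                  "alert", "clock"] + ["local%d" % i for i in range(8)]

LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"          # syslog PRI; absent on console output
    r"(?:%PIX-(?P<level>[0-7])-)?"       # facility code and severity level
    r"(?P<num>\d{6}): (?P<text>.*)$"     # message number and message text
)


def parse_pix_syslog(line):
    """Return a dict of message fields, or None if the line is not a PIX message."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = {"number": int(m.group("num")), "text": m.group("text"),
           "level": int(m.group("level")) if m.group("level") else None,
           "severity_name": None, "facility": None, "pri_severity": None}
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        if pri > 191:                    # 23 * 8 + 7 is the largest valid PRI
            return None
        rec["facility"], rec["pri_severity"] = divmod(pri, 8)
    if rec["level"] is not None:
        rec["severity_name"] = SEVERITY_NAMES[rec["level"]]
    # Header level and PRI severity should agree; a relay that rewrote the
    # PRI, or a line forged by something other than the PIX, shows up here.
    rec["consistent"] = (rec["level"] is None or rec["pri_severity"] is None
                         or rec["level"] == rec["pri_severity"])
    return rec


def facility_name(facility):
    """Standard syslog facility name for a numeric facility (20 -> local4)."""
    return FACILITY_NAMES[facility]


SAMPLES = [   # constructed, shaped like PIX 6.2 output
    "<162>%PIX-2-106001: Inbound TCP connection denied from 10.1.1.9/4096 to 192.168.1.2/23 flags SYN on interface outside",
    "<166>%PIX-6-199002: PIX startup completed. Beginning operation.",
    "111005: nobody End configuration: OK",
    "<166>%PIX-2-106001: Inbound TCP connection denied from 10.1.1.9/4097 to 192.168.1.2/23 flags SYN on interface outside",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        rec = parse_pix_syslog(sample)
        fac = facility_name(rec["facility"]) if rec["facility"] is not None else "-"
        print(rec["number"], rec["severity_name"], fac, "consistent" if rec["consistent"] else "PRI MISMATCH")
```

The last sample carries a PRI of 166 (facility 20, severity 6) on a level 2 message; the parser flags the mismatch rather than trusting either field, which is the check to run before a collector uses the PRI severity alone to prioritise PIX events.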


Table 1-2 Log Message Severity Levels 

Level Number   Level Keyword   Description
0              emergency       System unusable.
1              alert           Immediate action needed.
2              critical        Critical condition.
3              error           Error condition.
4              warning         Warning condition.
5              notification    Normal but significant condition.
6              informational   Informational message only.
7              debugging       Appears during debugging only.


"Messages Listed by Severity Level" provides a cross reference of which messages occur at each severity level.

Table 1-3 Variable Fields in Syslog Messages 

Variable
Type of Information

chars

Text string (for example, a username).

dec

Decimal number.

faddr

Foreign IP address, an address of a host typically on a lower security level interface in a network beyond the outside router.

gaddr

Global IP address, an address on a lower security level interface.

hex

Hexadecimal number.

interface_number

Use the show nameif command to determine which interface is being described in a message containing this variable. For example:

show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif token0 outside security20
nameif ethernet2 inside security30

In this example, ethernet0 would appear in a syslog message as interface 0, ethernet1 would be interface 1, token0 would be interface 2, and ethernet2 would be interface 3.

laddr

Local IP address, an address on a higher security level interface.

octal

Octal number.

IP_addr

IP address (for example, 192.168.1.2).

port

Port number.

time

Duration, in the format hh:mm:ss.


How Log Messages Are Organized

"System Log Messages" describes PIX Firewall system log messages. The messages are listed numerically by message code. Each message is followed by a brief explanation and a recommended action. If several messages share the same explanation and recommended action, the messages are presented together followed by the common explanation and recommended action.

The explanation of each message indicates what kind of event generated the message. The possible events include the following:

AAA (authentication, authorization, and accounting) events

Connection events (for example, connections denied by the PIX Firewall configuration or address translation errors)

Failover events reported by one or both units of a failover pair

FTP/URL events (for example, successful file transfers or blocked Java applets)

Mail Guard/SNMP events

PIX Firewall management events (for example, configuration events or Telnet connections to the PIX Firewall console port)

Routing errors

Other Remote Management and Monitoring Tools

In addition to the system log function, the PIX Firewall can be remotely monitored using other tools, which are described in the following topics:

Cisco PIX Device Manager

Cisco Secure Policy Manager

SNMP Traps

Telnet

These tools provide different ways to remotely monitor the activities of the PIX Firewall.

Cisco PIX Device Manager

The Cisco PIX Device Manager (PDM) is a browser-based configuration tool designed to help you set up, configure, and monitor your PIX Firewall graphically, without requiring an extensive knowledge of the PIX Firewall command-line interface (CLI). PDM ships with every PIX Firewall running software version 6.0(1) and higher. Refer to the Cisco PIX Device Manager Installation Guide for more information.

Cisco Secure Policy Manager

Cisco Secure Policy Manager (Cisco Secure PM) is a security policy management system that enables you to define, distribute, enforce, and audit network-wide security policies from a central location. Cisco Secure PM streamlines the tasks of managing complicated network security events, such as perimeter access control, Network Address Translation (NAT), IDS, and IPSec-based VPNs. Cisco Secure PM provides system-auditing functions, including monitoring, event notification, and web-based reporting.

Cisco Secure PM can receive syslog messages from the PIX Firewall and provide notifications including email, paging, and scripting for designated syslogs. Cisco Secure PM also provides reports of PIX Firewall syslogs, including the top ten users and top ten websites. These reports can be provided both on-demand and by schedule. Reports can be emailed or viewed remotely from an SSL-enabled web browser. Refer to the following websites for more information:

http://www.cisco.com/go/policymanager

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/index.htm

SNMP Traps

PIX Firewall events can be reported via SNMP traps. This requires loading the CISCO-SYSLOG-MIB and CISCO-SMI MIB modules onto the SNMP management station. Refer to the Cisco PIX Firewall Command Reference for information about using the snmp-server command to configure SNMP on the PIX Firewall.

Telnet

You can log in to the PIX Firewall console via Telnet from an internal host and monitor system status. If IPSec is enabled, you can also access the console from an external host. You can use the debug icmp trace and debug sqlnet commands from Telnet to view ICMP (ping) traces and SQL*Net accesses.

The Telnet console session also lets you use the logging monitor and terminal monitor commands to view syslog messages, as described in the "Viewing Syslog Messages in a Telnet Console Session" section.