Table Of Contents
Introduction
PIX Firewall System Log
Viewing Syslog Messages at the Console
Viewing Syslog Messages in a Telnet Console Session
Sending Syslog Messages to a Syslog Server
Sending SNMP Traps to an SNMP Server
How to Read System Log Messages
How Log Messages are Organized
Other Remote Management and Monitoring Tools
PIX Firewall Manager
SNMP Traps
Telnet
Introduction
This chapter includes the following sections:
•PIX Firewall System Log
•How to Read System Log Messages
•How Log Messages are Organized
•Other Remote Management and Monitoring Tools
PIX Firewall System Log
This section includes the following topics:
•Viewing Syslog Messages at the Console
•Viewing Syslog Messages in a Telnet Console Session
•Sending Syslog Messages to a Syslog Server
•Sending SNMP Traps to an SNMP Server
This guide describes the syslog system log messages for the PIX Firewall. You can configure the PIX Firewall system software to send these messages to the output location of your choice. For example, you can specify that log messages be sent to the console, to any Telnet session actively connected to the PIX Firewall console, to a machine running the PIX Firewall Manager server, or to a logging server elsewhere on the network.
Note This guide only describes syslog messages for version 4.2(2) and later. Messages that display on the console from non-syslog errors and those for versions prior to 4.2(2) are considered beyond the scope of this document.
Note Syslog does not generate level 0 emergency messages. This level is provided in the logging command for compatibility with the UNIX syslog feature, but is not used by PIX Firewall.
PIX Firewall provides three output locations for syslog messages: the console, a host running a syslog server, and an SNMP server.
If you send messages to a host, they are sent using UDP. The host must have a program (known as a server) called syslogd. UNIX provides a syslog server as part of its operating system. For Windows NT systems, use the PIX Firewall Manager software which also contains a syslog server. For Windows 95 or Windows 98, you need to obtain a syslog server from another vendor.
The Configuration Guide for the PIX Firewall describes the procedure for configuring syslogd. On the logging server, you can specify actions to be taken when certain types of messages are logged; for example, sending email, saving records to a log file, or displaying messages on a workstation.
Not all system log messages represent error conditions. Some messages simply report normal events.
Table 1-1 lists the PIX Firewall logging commands you can use to configure and manage logging. See the Configuration Guide for the PIX Firewall for detailed descriptions and additional logging commands. Access to the logging command requires that you enter configuration mode on the PIX Firewall with the configure terminal command.
Many of the logging commands require that you specify a severity level threshold to indicate which syslog messages can be sent to the output locations. Level 0 messages are the most severe and level 7 is the least severe. The default severity level is 3. Specify the severity level as either a number or a keyword as described in Table 1-2. The level you specify causes PIX Firewall to send messages of that level and below to the output location; for example, if you specify severity level 3, PIX Firewall sends severity level 0, 1, 2, and 3 messages to the output location.
Table 1-1 PIX Firewall Logging Commands
Command | Description
logging on | Enables transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command.
logging buffered severity_level | Stores syslog messages in the PIX Firewall so you can view them with the show logging command. Cisco recommends that you use this command to view syslog messages when the PIX Firewall is in use in a network.
clear logging | Clears the message buffer created with the logging buffered command.
logging console severity_level | Displays syslog messages on the PIX Firewall console as they occur. Use this command when you are debugging problems or when there is minimal load on the network. Do not use this command when the network is busy, as it can reduce PIX Firewall performance.
logging monitor severity_level | Displays syslog messages when accessing the PIX Firewall console with Telnet.
logging host interface ip_address | Specifies a host that receives the syslog messages.
logging trap severity_level | Starts sending syslog messages to a syslog server or to an SNMP server.
show logging | Lists the current syslog messages and which logging command options are enabled.
You can test the logging command by entering configuration mode on the PIX Firewall, using the logging console 7 command to enable logging and then exiting configuration mode with the quit command. This test generates the following syslog message:
111005: nobody End configuration: OK
This message states that you exited configuration mode. "111005" is the message identifier number, which you can look up in "." The term "nobody" indicates you are accessing the PIX Firewall console from the serial console port. The logging console command should only be used for testing. When the PIX Firewall is in production, only use the logging buffered command to store messages, the show logging command to view messages, and the clear logging command to clear the messages displayed by the logging buffered command.
You can also use the show logging command to view which options are enabled.
The logging command appends new messages to the end of the display.
The sections that follow describe how to use the logging commands.
Viewing Syslog Messages at the Console
To view syslog messages at the PIX Firewall console:
Step 1 Store messages for display by entering the following command:
logging buffered 7
You can replace 7 with a lower severity level if preferred.
Step 2 View the messages with:
show logging
Step 3 Use the clear logging command to clear the buffer so that viewing new messages is easier.
Step 4 You can disable message logging with the no logging buffered command.
New messages append to the end of the listing.
Viewing Syslog Messages in a Telnet Console Session
To view syslog messages on a Telnet console session:
Step 1 If you have not done so already, configure the PIX Firewall to let a host on the inside interface access the PIX Firewall with the telnet command. For example, if a host has the IP address 192.168.1.2, the command would be:
telnet 192.168.1.2 255.255.255.255
You should also set the duration that a Telnet session can be idle before PIX Firewall disconnects the session to a value greater than the default of 5 minutes. A good value is at least 15 minutes, which you can set as follows:
Step 2 Start Telnet and specify the inside interface of the PIX Firewall. For example, if the inside interface of the PIX Firewall is 192.168.1.1, the command to start Telnet would be:
telnet 192.168.1.1
Step 3 When Telnet connects, the PIX Firewall prompts you with PIX passwd:. Enter the Telnet password, which is cisco by default.
Step 4 Use the enable command followed by the configure terminal command to get to configuration mode.
Step 5 Start message logging with the logging monitor command.
Step 6 Display messages directly in the Telnet session by entering the terminal monitor command. You can disable directly displaying messages by entering the terminal no monitor command.
Step 7 Trigger some events by pinging a host or starting a web browser. The syslog messages then appear in the Telnet session window.
Step 8 When done, disable this feature with these commands:
terminal no monitor
no logging monitor
Sending Syslog Messages to a Syslog Server
To send messages to a syslog server:
Step 1 Designate a host to receive the messages with the logging host command as shown in the following example:
logging host dmz1 192.168.1.5
You can specify additional servers so that should one go offline, another will be available to receive messages.
Step 2 Set the logging level with the logging trap command; for example:
logging trap debugging
Cisco recommends that you use the debugging level during initial setup and during testing. Thereafter, change the level from debugging to errors for production use.
Step 3 If needed, set the logging facility command to a value other than its default of 20. Most UNIX systems expect the messages to arrive at facility 20.
Step 4 Start sending messages with the logging on command. To disable sending messages, use the no logging on command.
In the event that all syslog servers are offline, PIX Firewall stores up to 100 messages in its memory. Subsequent messages that arrive overwrite the buffer starting from the first line.
Sending SNMP Traps to an SNMP Server
To send traps to an SNMP server:
Step 1 Identify the IP address of the SNMP server with the snmp-server host command.
Step 2 Set the snmp-server options for location, contact, and the community password as required.
Step 3 Set the logging level with the logging trap command; for example:
logging trap debugging
Cisco recommends that you use the debugging level during initial setup and during testing. Thereafter, change the level from debugging to errors for production use.
Step 4 Start sending syslog messages to the server with the logging on command.
Only syslog messages in the syslog MIB are controlled by this command.
How to Read System Log Messages
System log messages received at a syslog server begin with a percent sign (%) and are structured as follows:
%FACILITY-SEVERITY-CODE: Message-text
FACILITY identifies the message facility. "PIX" is the facility code for messages generated by the PIX Firewall.
SEVERITY reflects the severity of the condition described by the message. The lower the number, the more serious the condition. Table 1-2 lists the severity levels. Logging is set to level 3 (error) by default.
CODE is a numeric code that uniquely identifies the message.
Message-text is a text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers, or usernames. Table 1-3 lists the variable fields and the type of information in them.
Note Syslog messages received at the PIX Firewall serial console contain only the CODE. When you view the message description in "," the description also provides the SEVERITY level.
Table 1-2 Log Message Severity Levels
Level Number | Level Keyword | Description
0 | emergency | System unusable
1 | alert | Immediate action needed
2 | critical | Critical condition
3 | error | Error condition
4 | warning | Warning condition
5 | notification | Normal but significant condition
6 | informational | Informational message only
7 | debugging | Appears during debugging only
"" provides a cross reference of which messages occur at each severity level.
Table 1-3 Variable Fields in Syslog Messages
Variable | Type of Information
dec | Decimal number
hex | Hexadecimal number
octal | Octal number
time | Duration, in the format hh:mm:ss
chars | Text string (for example, a username)
IP_addr | IP address (for example, 192.168.1.2)
port | Port number
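The following parser is an added example, not part of the guide or of Cisco's software: it splits a line in the server form %FACILITY-SEVERITY-CODE: Message-text, recognises the serial-console form that carries only the CODE, and applies the "that level and below" threshold rule that the logging trap and logging console commands use, with the keywords from Table 1-2. The 9000xx message codes in the sample input are constructed for the demonstration and are not real PIX message definitions; only 111005 is quoted from the guide.

```python
import re
from typing import List, NamedTuple, Optional, Union

# Severity levels exactly as listed in Table 1-2 of the guide.
SEVERITY_KEYWORDS = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}
KEYWORD_TO_LEVEL = {kw: lvl for lvl, kw in SEVERITY_KEYWORDS.items()}

class PixMessage(NamedTuple):
    facility: Optional[str]  # None for the serial-console form, which carries only the CODE
    severity: Optional[int]  # None for the serial-console form
    code: int
    text: str

# Server form: %FACILITY-SEVERITY-CODE: Message-text
_SERVER_RE = re.compile(r"^%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<code>\d+):\s*(?P<text>.*)$")
# Serial-console form: CODE: Message-text (facility and severity are absent)
_CONSOLE_RE = re.compile(r"^(?P<code>\d+):\s*(?P<text>.*)$")

def parse_pix_message(line: str) -> PixMessage:
    """Parse one line in either the server form or the serial-console form."""
    line = line.strip()
    m = _SERVER_RE.match(line)
    if m:
        return PixMessage(m["fac"], int(m["sev"]), int(m["code"]), m["text"])
    m = _CONSOLE_RE.match(line)
    if m:
        return PixMessage(None, None, int(m["code"]), m["text"])
    raise ValueError(f"not a PIX syslog message: {line!r}")

def passes_threshold(msg: PixMessage, threshold: Union[int, str]) -> bool:
    """Apply the logging trap/console rule: a threshold of N passes levels 0..N."""
    level = KEYWORD_TO_LEVEL[threshold] if isinstance(threshold, str) else threshold
    if msg.severity is None:
        raise ValueError("console-form message has no SEVERITY; look up its CODE in the message list")
    return msg.severity <= level

def forwarded_codes(lines: List[str], threshold: Union[int, str]) -> List[int]:
    """Return the CODEs a syslog server at the given threshold would receive, in order."""
    return [m.code for m in map(parse_pix_message, lines) if passes_threshold(m, threshold)]

# Constructed sample input: codes 9000xx and their severities are made up for this demo,
# not real PIX message definitions; only 111005 is quoted from the guide.
SAMPLE_SERVER_LINES = [
    "%PIX-2-900002: constructed critical sample", "%PIX-3-900003: constructed error sample",
    "%PIX-6-900006: constructed informational sample", "%PIX-7-900007: constructed debugging sample",
]
CONSOLE_LINE = "111005: nobody End configuration: OK"
```

With the default threshold of error (level 3), only the level 2 and level 3 sample lines would reach the server; a console-form line has to be looked up by CODE before it can be filtered by severity.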
How Log Messages are Organized
"" describes PIX Firewall system log messages. The messages are listed numerically by message code. Each message is followed by a brief explanation and a recommended action. If several messages share the same explanation and recommended action, the messages are presented together followed by the common explanation and recommended action.
The explanation of each message indicates what kind of event generated the message. The possible events include:
•AAA (accounting, authentication, and authorization) events
•Connection events (for example, connections denied by the PIX Firewall configuration or address translation errors)
•Failover events reported by one or both units of a failover pair
•FTP/URL events (for example, successful file transfers or blocked JAVA applets)
•Mail Guard/SNMP events
•PIX Firewall management events (for example, configuration events or Telnet connections to the PIX Firewall console port)
•Private Link errors
•Routing errors
If you are accessing this document on CD-ROM, you can click the message code in the Index to go directly to the description of the message.
Other Remote Management and Monitoring Tools
In addition to the system log function, the PIX Firewall can be remotely monitored using other tools, which are described in the following topics:
•PIX Firewall Manager
•SNMP Traps
•Telnet
These tools provide different ways to remotely monitor the activities of the PIX Firewall.
PIX Firewall Manager
The PIX Firewall Manager is a client/server application that provides a graphical user interface for monitoring and managing the PIX Firewall. The PIX Firewall Manager includes a reporting function that uses a subset of the system log messages to generate reports.
Refer to the release notes shipped with the PIX Firewall for information about installing the PIX Firewall Manager, and to the help text in the PIX Firewall Manager software for information about using the product.
SNMP Traps
The PIX Firewall events that can be reported via SNMP are contained in the Cisco SYSLOG MIB. Refer to the Configuration Guide for the PIX Firewall for information about installing and compiling the Cisco SYSLOG MIB on an SNMP server, and about using the snmp-server command to configure SNMP on the PIX Firewall.
Telnet
You can log in to the PIX Firewall console via Telnet from an inside host and monitor system status. Starting with version 4.2(3), you can use the debug icmp trace and debug sqlnet commands from Telnet to view ICMP (ping) traces and SQL*Net accesses.
The Telnet console session also lets you use the logging monitor and terminal monitor commands to view syslog messages, as described in the section "Viewing Syslog Messages in a Telnet Console Session."