The PIX firewall logging feature can be invaluable in troubleshooting, capacity planning, and dealing with security incidents. For security purposes, the events to log are interface status changes, changes to the system configuration, and access list matches, as well as events detected by the firewall and intrusion-detection features. The PIX Firewall generates Syslog messages for system events, such as security alerts and resource depletion. Syslog messages can be used to create mail alerts and log files, or to display on the console of a designated host using UNIX syslog conventions.
The PIX Firewall Syslog message facility is a useful means to view troubleshooting messages and to watch for network events, such as attacks and service denials. You can view Syslog messages either from the firewall console or from a Syslog server that the PIX Firewall sends Syslog messages to.
Note: If you don’t have access to a Syslog server, go to Kiwi Enterprises at http://www.kiwisyslog.com/index.htm and download its free Kiwi Syslog Daemon. See the exercise at the end of the Logging topic.
When using TCP as the logging transport protocol, the PIX Firewall stops forwarding traffic as a security measure if any of the following error conditions occur:
The PIX Firewall is unable to reach the Syslog server
The Syslog server is misconfigured
The disk on the Syslog server is full
UDP-based logging doesn’t have a similar mechanism to prevent the PIX Firewall from passing traffic if the Syslog server fails.
At least a dozen logging commands exist, and some have several options. This section looks at the main commands; the latest PIX Firewall command reference on the Cisco web site documents the rest.
The Configuration Mode logging on command enables or disables sending informational messages to the console, to a Syslog server, or to an SNMP management station. Use the no form of the command to turn off the feature. The syntax is
pix(config)#logging on
pix(config)#no logging on
Use the logging host command to specify a Syslog server that will receive the messages sent from the PIX Firewall. Multiple logging host commands can be used to specify additional servers that would each receive the Syslog messages. Each server can only be specified to receive either UDP or TCP, but not both. PIX Firewall only sends TCP Syslog messages to the PIX Firewall Syslog Server (PFSS). Use the no form of the command to turn off the feature. The syntax is
pix(config)#logging host [in_if_name] ip_address [protocol/port]
pix(config)#no logging host [in_if_name] ip_address
For normal Syslog operations to any Syslog server (non-PFSS) on the network, use the default message protocol—UDP—as shown in the following example:
pix(config)#logging host dmz1 192.168.1.5
Set the Syslog message level with the logging trap command. The level specified includes all levels up to that level. If Level 3 is specified, Syslog displays 0, 1, 2, and 3 messages. Possible number and string level values are as follows:
Severity Level | Message Type | Description and Examples
---|---|---
0 | emergencies | System unusable messages.
1 | alerts | Take immediate action. Hardware and failover errors.
2 | critical | Critical condition. Connection attempts.
3 | errors | Error message. No free IP addresses.
4 | warnings | Warning message. PPP errors.
5 | notifications | Normal but significant condition. URL/Java blocked.
6 | informational | Information message. Authentication denied.
7 | debugging | Debug messages and log FTP commands and WWW URLs.
Use the no form of the command to turn off the feature. The syntax is
pix(config)#logging trap level
pix(config)#no logging trap level
An example of setting the logging level with the logging trap command is shown in the next line.
pix(config)#logging trap debugging
Set the SNMP message level with the logging history command. Use the no form of the command to turn off the feature. The syntax is
pix(config)#logging history level
pix(config)#no logging history level
An example of setting the SNMP message level with the logging history command is shown in the next line:
pix(config)#logging history notifications
Use the logging queue command to define the size of the Syslog message queue for the messages waiting to be processed. When traffic or congestion gets heavy, messages might be discarded.
pix(config)#logging queue queue_size
queue_size: Sets the size of the queue for storing Syslog messages. The queue size defaults to 512 messages. Setting it to 0 (zero) specifies unlimited space (subject to available block memory). The minimum is one message. Use this parameter before the Syslog messages are processed.
The following partial configuration shows some of the logging commands used together and demonstrates a few of the commands not addressed earlier.
pix(config)#logging on
pix(config)#logging timestamp                    Time stamp system messages
pix(config)#no logging standby                   Failover device isn't logging
pix(config)#no logging console                   Turns off messages to PIX console
pix(config)#no logging monitor                   Turns off Telnet session messages
pix(config)#logging buffered errors              Sets message level sent to buffer
pix(config)#logging trap notifications           Sets message level sent to syslog
pix(config)#no logging history
pix(config)#logging queue 2048                   Sets queue size to 2048 messages
pix(config)#logging host inside 192.168.1.220    Syslog server address
Logging FTP commands and WWW URLs with the Syslog feature is possible. FTP and URL messages can be logged at Syslog Level 6. Both inbound and outbound FTP commands and URLs are logged, and both can be sent to a Syslog server.
Use the following steps to enable FTP and URL logging:
Use the show fixup command to make sure the FTP and HTTP fixup protocol commands are present in the configuration. They should be on in the default configuration.
fixup protocol http 80
fixup protocol ftp 21
If all that was required was to enable URL logging, setting the logging command(s) to Level 5 would do that. But FTP logging requires setting the logging command(s) to Level 6. Because the level includes everything smaller, setting the logging to Level 6 will capture both.
pix(config)#logging console 6
pix(config)#logging trap 6
The following is an example of a URL logging Syslog message, followed by an FTP logging Syslog message.
%PIX-5-304001: user 192.168.1.10 Accessed URL 198.133.219.25: www.cisco.com
%PIX-5-304001: user 192.168.1.10 accessed URL 192.168.4.5/pr_sjones.gif
%PIX-6-303002: 192.168.1.10 Retrieved 172.16.44.34: resume.doc
%PIX-6-303002: 192.168.1.10 Retrieved 172.16.9.21: bigswitch.tar
%PIX-6-303002: 192.168.1.10 Stored 172.30.19.4: budget.zip
You can use the show logging command to view these messages at the PIX Firewall console.
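The trap-level rule in the severity table (a level includes every level numerically below it) and the %PIX-level-msgid message format above are easy to check in code. The following Python is an added example, not part of the original text or of any Cisco software: it parses PIX Syslog lines, resolves a logging trap argument given as a number or a name, and applies the filter a PIX would apply before forwarding. The sample input is the URL/FTP lines shown above plus one constructed level-3 line whose message id 000000 is a placeholder and one constructed non-PIX line.

```python
import re
from dataclasses import dataclass

# Severity levels in the order the PIX "logging trap" table lists them (0 = most severe).
SEVERITY_NAMES = ("emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging")

# PIX Syslog message shape: %PIX-<severity>-<message id>: <text>
PIX_MSG_RE = re.compile(r"^%PIX-(?P<level>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")


@dataclass(frozen=True)
class PixMessage:
    level: int      # 0-7 severity
    msgid: str      # six-digit message id, e.g. 304001
    text: str       # message body


def severity_number(level):
    """Resolve a 'logging trap' argument (number or name, e.g. 6 or 'informational') to 0-7."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError(f"severity out of range: {level}")
    name = str(level).strip().lower()
    if name.isdigit():
        return severity_number(int(name))
    if name not in SEVERITY_NAMES:
        raise ValueError(f"unknown severity name: {level!r}")
    return SEVERITY_NAMES.index(name)


def parse_pix_message(line):
    """Parse one %PIX-L-NNNNNN line; return None for anything that is not a PIX Syslog message."""
    m = PIX_MSG_RE.match(line.strip())
    if m is None:
        return None
    return PixMessage(int(m.group("level")), m.group("msgid"), m.group("text"))


def passes_trap_level(msg, trap_level):
    """'logging trap N' forwards every message at level N or more severe, i.e. numerically <= N."""
    return msg.level <= severity_number(trap_level)


def filter_messages(lines, trap_level):
    """Return the messages a PIX configured with 'logging trap <trap_level>' would send to the server."""
    parsed = (parse_pix_message(line) for line in lines)
    return [m for m in parsed if m is not None and passes_trap_level(m, trap_level)]


def count_by_level(messages):
    """Histogram of severity names, a quick capacity-planning view of a log file."""
    counts = {}
    for m in messages:
        name = SEVERITY_NAMES[m.level]
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample input: the URL/FTP lines shown on the page, one constructed level-3 line
# with a placeholder message id (000000 is not a real PIX message id), and one non-PIX line.
SAMPLE_LINES = [
    "%PIX-5-304001: user 192.168.1.10 Accessed URL 198.133.219.25: www.cisco.com",
    "%PIX-5-304001: user 192.168.1.10 accessed URL 192.168.4.5/pr_sjones.gif",
    "%PIX-6-303002: 192.168.1.10 Retrieved 172.16.44.34: resume.doc",
    "%PIX-6-303002: 192.168.1.10 Retrieved 172.16.9.21: bigswitch.tar",
    "%PIX-6-303002: 192.168.1.10 Stored 172.30.19.4: budget.zip",
    "%PIX-3-000000: constructed error-level line (placeholder message id)",
    "Jan 15 10:30:00 pix1 this line is not a PIX message",
]

if __name__ == "__main__":
    for level in ("errors", "notifications", 6):
        kept = filter_messages(SAMPLE_LINES, level)
        print(f"logging trap {level}: {len(kept)} of {len(SAMPLE_LINES)} lines forwarded")
    print(count_by_level(filter_messages(SAMPLE_LINES, "debugging")))
```

Running it shows why the text says Level 6 is needed to capture both kinds of message: with logging trap notifications only the two 304001 URL lines (and the level-3 line) pass, while logging trap 6 also forwards the three 303002 FTP lines.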
Use the show logging command to display which logging options are enabled. If the logging buffered command is on, the show logging command lists the current message buffer.
This example shows how to set Syslog trap logging and view the results:
pix(config)#logging trap debugging
pix(config)#show logging
Syslog logging: enabled
    Timestamp logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level debugging, 43 messages logged
Use the show logging queue command to display the current number of messages in the queue, the highest number recorded, and the number of messages discarded because block memory is unavailable to process them.
The following output shows the logging queue command setting the queue size to unlimited, followed by the show logging queue command:
pix(config)#logging queue 0
pix(config)#show logging queue
Logging Queue length limit : Unlimited
Current 9 msg on queue, 2721 msgs most on queue, 3 msg discard.
Objective: This lab (which is also available on this book’s accompanying CD-ROM) looks at using a Syslog daemon to provide remote storage of system messages. An important part of any project, logging can be used as a debugging tool during development, and a troubleshooting tool once a system has been deployed, and for analyzing and documenting events, such as security breaches. Logging provides a way to see what’s happening—good or bad—inside a running system. As such, it should be addressed with care and forethought, rather than used as a last-minute burden.
A Syslog daemon (an open-source logging system) receives, logs, displays, and forwards Syslog system messages from a variety of hosts, such as routers, switches, UNIX hosts/servers, PIX firewall, LinkSys home firewall, SNMP servers, programming projects, and any other Syslog-enabled device. Depending on the Syslog application, customizable options are available, such as the following:
Display the message in the scrolling window.
Log the message to a text file.
Forward the message to another Syslog daemon.
Log to an ODBC database.
Log to the Windows Server Application Event Log.
E-mail an alert message to someone via SMTP.
Trigger a sound alarm.
Run an external program, such as a pager notification system.
Actions can be performed on received messages. Messages can be filtered by host name, host IP address, priority, message text, or time of day.
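The receive, filter and log-to-text-file part of what a Syslog daemon does fits in a few dozen lines. The following Python is an added example written for this section, not the Kiwi product or any code from the lab: it encodes and decodes the BSD syslog PRI byte (facility * 8 + severity), binds a UDP receiver on 127.0.0.1 (an ephemeral port rather than 514, so no privileges are needed), applies a daemon-style filter by severity, host and message text, and formats tab-delimited log lines. The facility value 20, the host names pix1 and router1, the timestamp and all message texts are constructed for the example.

```python
import re
import socket

# BSD syslog severities 0-7; PRI = facility * 8 + severity (RFC 3164 encoding).
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
LOCAL4 = 20  # facility 20, an assumption for the constructed senders below

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# "Mmm dd hh:mm:ss hostname text" header; the day of month may be space-padded.
HDR_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$", re.DOTALL)


def encode_pri(facility, severity):
    """Compute the <PRI> value a sender puts in front of a syslog message."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def build_datagram(facility, severity, hostname, text, timestamp="Jan 15 10:30:00"):
    """Build one datagram the way a SyslogGen-style generator would (timestamp is a constructed default)."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {hostname} {text}".encode("ascii", "replace")


def parse_datagram(data, source_ip):
    """Decode a received datagram into a record; return None if the PRI header is missing or invalid."""
    m = PRI_RE.match(data.decode("ascii", errors="replace"))
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    header = HDR_RE.match(m.group(2))
    # Fall back to the sender's IP address when the message carries no hostname header.
    hostname, text = (header.group(1), header.group(2)) if header else (source_ip, m.group(2))
    return {"source_ip": source_ip, "host": hostname, "facility": facility,
            "severity": severity, "severity_name": SEVERITIES[severity], "text": text}


def matches(record, max_severity=7, host=None, text_contains=None):
    """A daemon-style filter rule: severity threshold, host name or IP address, and message text."""
    if record["severity"] > max_severity:
        return False
    if host is not None and host not in (record["host"], record["source_ip"]):
        return False
    if text_contains is not None and text_contains.lower() not in record["text"].lower():
        return False
    return True


def format_log_line(record):
    """Tab-delimited line, the layout a log viewer can open as 'Tab Delimited'."""
    return "\t".join([record["source_ip"], record["host"],
                      f"{record['facility']}.{record['severity_name']}", record["text"]])


def loopback_demo():
    """Bind a receiver on 127.0.0.1, send constructed messages to it, and return the records that pass a filter."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))          # ephemeral port instead of 514, so no privileges are needed
    rx.settimeout(2.0)
    port = rx.getsockname()[1]
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    samples = [  # constructed traffic from two hypothetical hosts
        (LOCAL4, 5, "pix1", "URL blocked for 192.168.1.10"),
        (LOCAL4, 6, "pix1", "authentication denied for user jdoe"),
        (LOCAL4, 7, "pix1", "debug: connection built"),
        (LOCAL4, 1, "router1", "failover cable fault"),
    ]
    try:
        for facility, severity, host, text in samples:
            tx.sendto(build_datagram(facility, severity, host, text), ("127.0.0.1", port))
        records = []
        for _ in samples:
            data, (ip, _port) = rx.recvfrom(4096)
            rec = parse_datagram(data, ip)
            if rec is not None:
                records.append(rec)
    finally:
        tx.close()
        rx.close()
    # Keep notice and above from pix1 only, the kind of rule a daemon applies before writing a file.
    return [r for r in records if matches(r, max_severity=5, host="pix1")]


if __name__ == "__main__":
    for rec in loopback_demo():
        print(format_log_line(rec))
```

Run as a script it prints one tab-delimited line (the level-5 URL message from pix1); the level-6 and level-7 messages fail the severity threshold and the router1 alert fails the host rule. Redirecting that output to a file gives the same kind of text file the lab's Copy Display steps produce.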
Note: This lab looks only at using a Syslog daemon and doesn’t specifically address using a PIX Firewall with a Syslog server. Once you know how easy it is to set up a Syslog server, it’ll be simple enough to add the feature to your next firewall exercise.
Preparation: The purpose of a Syslog daemon (server) is to capture the various log messages that programs like the router’s IOS generates. As long as the host with the Syslog software running can be reached from the router or switch, debug, error, and log messages can all be directed to it.
If you don’t already have a copy of Kiwi Enterprise’s Syslog daemon (or something comparable), consider going to the web site http://www.kiwisyslog.com and downloading it. The software is free to use and runs on Win9X, WinNT, Win2000, and XP. A “for money” version is available from the same site with additional features. The download is 3+MB in size. Several other interesting tools are also on the site to work with the Syslog concepts.
This exercise can be done in any networked environment using TCP/IP. There should be no impact on the network itself.
Download both the Syslog daemon and the SyslogGen tools for this lab. You might want to download the other tools for later self-study.
This lab can be done with the Syslog installed on any number of computers on the same network, or, if necessary, it can be done using one computer. The SyslogGen tool should be on each machine.
Use the winipcfg or ipconfig command to determine the IP address of the machine(s) that will be running the Syslog daemon. If necessary, create a simple map of the room.
Start the Syslog daemon using the Start | Programs menu. If you’re using the Kiwi daemon, press CTRL-T at the same time to send a test message, which you should be able to read in the Syslog window. The following illustration shows the Syslog with a sample entry.
The Kiwi Syslog Message Generator can be used to generate Syslog traffic, so you can experiment with different types and volumes of traffic. Start the SyslogGen tool from the Start menu. The Syslog Message Generator window looks like the following illustration. Look over the options:
The 127.0.0.1 target address means it will send the messages to Syslog running on the local PC. We use this for our first test. Confirm the previous settings and, with the Syslog window visible on the screen, click the Send button. Messages should be appearing in the Syslog window. Notice that the status bar at the bottom tells you how many messages have been sent. Use the Stop button to halt the traffic. Use the scrollbar to look through the messages.
On the Syslog machine, choose View | View Syslog Statistics from the menu to bring up the following display and view some interesting counters. Use View | Clear Display to clear the entries. Experiment with the features. If possible, change the target to the other host IP address.
Saving the output. On the Syslog machine, use File | Copy Display To Clipboard | Copy Whole Display To Clipboard from the menu or the CTRL-A keys to copy the entire contents of the Syslog window. Open a Notepad file and choose Edit | Paste from the menu. The text should appear in Notepad. This text file can be saved to a disk. The saved text file can be opened using MS Excel, MS Access, or the Kiwi LogFile Viewer using the Open | Tab Delimited option to sort and analyze the results.