Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Pix 506 Log VPN logins to Syslog

Posted on 2004-08-11
11
Medium Priority
?
485 Views
Last Modified: 2010-05-18
I thought this would be easy, but I seem to be coming up empty handed.  I have a pix 506.  I have a VPDN group set up for some of our employees to access the network remotely.  I have the pix logging to a syslog server.  How can I log when users connect to the VPN?  Basically, all I want to know is what user connected and at what time (also when they disconnected if possible) AND when someone tries to log into the VPN with a bad user name and password?  The logging trap is currently set at 5.

I am offering up 500 points because I REALLY need an answer to this!  

0
Comment
Question by:kprestage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +2
11 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11781558
Try adding "logging trap debugging" to the configuration so that everything is logged.
0
 
LVL 9

Author Comment

by:kprestage
ID: 11783382
I did that, and it would log the vpn connections, but It also adds a lot of unecessary logging to the syslog as well.  Any way to narrow it down?  I dropped the trap to 6, and still got the vpn logs, but I am still getting a ton of other stuff too.  

If there is no way around it, can you recommend a good syslog server for a windows server that will allow me to break the logs apart into reports?  I am using Kiwi right now, and the functionality seems to be very limited.



0
 
LVL 36

Accepted Solution

by:
grblades earned 1500 total points
ID: 11783722
I think all you can do is filter the data. I normally log everything to a Linux syslog server and then filter items on demand as I wish using the unix 'grep' command.
0
Supports up to 4K resolution!

The VS192 2-Port 4K DisplayPort Splitter is perfect for anyone who needs to send one source of DisplayPort high definition video to two or four DisplayPort displays. The VS192 can split and also expand DisplayPort audio/video signal on two or four DisplayPort monitors.

 
LVL 2

Expert Comment

by:rmharwood
ID: 11784382
Are you using an AAA server for authentication? Can that log successful and unsuccessful attempts?
0
 
LVL 9

Author Comment

by:kprestage
ID: 11784664
We are just using active directory for authentication on the network.  VPN users first authenticate to their pix account, and then to AD.
0
 
LVL 2

Expert Comment

by:rmharwood
ID: 11784800
Not saying this is necessarily the right thing to do, but if you use something like Cisco ACS you can use that to manage your user accounts and I'm pretty sure it provides logging/auditing (although you should check!)

http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/index.html
0
 
LVL 1

Expert Comment

by:rader19
ID: 11788010
In all my experience with Cisco devices. I dont believe there is anyway to narrow down what is sent to the syslog server. I agree with grblades in that I would log everything and filter it.
0
 
LVL 9

Author Comment

by:kprestage
ID: 11790342
Ok.... So if the pix can't narrow it down, are there any suggestions for a good syslog analyzer that will allow me to filter the syslog (in a windows environment)?  I am currently logging to Kiwi syslog server, but the filtering is not too impressive.

0
 
LVL 2

Expert Comment

by:AndyJG247
ID: 11819523
Not sure if these would be any use or not but, the 6.3(4) software allows a bit more syslog if your using AAA - not even tested it yet though.

IKE Syslog Support Improved
This release introduces extensive IKE syslogging support and IKE event trace for scalable VPN troubleshooting has been added to allow for new syslog message generation and IKESMP command control.

New Syslog Messaging for AAA authentication
This release introduces a new AAA syslog message, which prompts users for their authentication before they can use a service port. This syslog improvement is based on prior configured PIX Firewall policies. The added syslog is as follows:

%PIX-3-109023: User from src_IP_Adress/src_port to dest_IP_Address/dest_port on interface outside must authenticate before using this service

0
 
LVL 9

Author Comment

by:kprestage
ID: 12566666
Sorry for sitting on this one so long.  I appreciate everyone's suggestions, but I finally ended up going with grblades advice.  I purchased Kiwi Syslog Server for windows and am logging the data and filtering the results based on the text VPN Tunnel Created and VPN Tunnel Deleted.  
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

661 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question