Solved

Pix 506 Log VPN logins to Syslog

Posted on 2004-08-11
11
482 Views
Last Modified: 2010-05-18
I thought this would be easy, but I seem to be coming up empty handed.  I have a pix 506.  I have a VPDN group set up for some of our employees to access the network remotely.  I have the pix logging to a syslog server.  How can I log when users connect to the VPN?  Basically, all I want to know is what user connected and at what time (also when they disconnected if possible) AND when someone tries to log into the VPN with a bad user name and password?  The logging trap is currently set at 5.

I am offering up 500 points because I REALLY need an answer to this!  

0
Comment
Question by:kprestage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +2
11 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11781558
Try adding "logging trap debugging" to the configuration so that everything is logged.
0
 
LVL 9

Author Comment

by:kprestage
ID: 11783382
I did that, and it would log the vpn connections, but It also adds a lot of unecessary logging to the syslog as well.  Any way to narrow it down?  I dropped the trap to 6, and still got the vpn logs, but I am still getting a ton of other stuff too.  

If there is no way around it, can you recommend a good syslog server for a windows server that will allow me to break the logs apart into reports?  I am using Kiwi right now, and the functionality seems to be very limited.



0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 11783722
I think all you can do is filter the data. I normally log everything to a Linux syslog server and then filter items on demand as I wish using the unix 'grep' command.
0
 Watch the Recording: Learning MySQL 5.7

MySQL 5.7 has a lot of new features. If you've dabbled with an older version of MySQL, it is definitely worth learning.

 
LVL 2

Expert Comment

by:rmharwood
ID: 11784382
Are you using an AAA server for authentication? Can that log successful and unsuccessful attempts?
0
 
LVL 9

Author Comment

by:kprestage
ID: 11784664
We are just using active directory for authentication on the network.  VPN users first authenticate to their pix account, and then to AD.
0
 
LVL 2

Expert Comment

by:rmharwood
ID: 11784800
Not saying this is necessarily the right thing to do, but if you use something like Cisco ACS you can use that to manage your user accounts and I'm pretty sure it provides logging/auditing (although you should check!)

http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/index.html
0
 
LVL 1

Expert Comment

by:rader19
ID: 11788010
In all my experience with Cisco devices. I dont believe there is anyway to narrow down what is sent to the syslog server. I agree with grblades in that I would log everything and filter it.
0
 
LVL 9

Author Comment

by:kprestage
ID: 11790342
Ok.... So if the pix can't narrow it down, are there any suggestions for a good syslog analyzer that will allow me to filter the syslog (in a windows environment)?  I am currently logging to Kiwi syslog server, but the filtering is not too impressive.

0
 
LVL 2

Expert Comment

by:AndyJG247
ID: 11819523
Not sure if these would be any use or not but, the 6.3(4) software allows a bit more syslog if your using AAA - not even tested it yet though.

IKE Syslog Support Improved
This release introduces extensive IKE syslogging support and IKE event trace for scalable VPN troubleshooting has been added to allow for new syslog message generation and IKESMP command control.

New Syslog Messaging for AAA authentication
This release introduces a new AAA syslog message, which prompts users for their authentication before they can use a service port. This syslog improvement is based on prior configured PIX Firewall policies. The added syslog is as follows:

%PIX-3-109023: User from src_IP_Adress/src_port to dest_IP_Address/dest_port on interface outside must authenticate before using this service

0
 
LVL 9

Author Comment

by:kprestage
ID: 12566666
Sorry for sitting on this one so long.  I appreciate everyone's suggestions, but I finally ended up going with grblades advice.  I purchased Kiwi Syslog Server for windows and am logging the data and filtering the results based on the text VPN Tunnel Created and VPN Tunnel Deleted.  
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question