Solved

Pix 506 Log VPN logins to Syslog

Posted on 2004-08-11
11
479 Views
Last Modified: 2010-05-18
I thought this would be easy, but I seem to be coming up empty handed.  I have a pix 506.  I have a VPDN group set up for some of our employees to access the network remotely.  I have the pix logging to a syslog server.  How can I log when users connect to the VPN?  Basically, all I want to know is what user connected and at what time (also when they disconnected if possible) AND when someone tries to log into the VPN with a bad user name and password?  The logging trap is currently set at 5.

I am offering up 500 points because I REALLY need an answer to this!  

0
Comment
Question by:kprestage
  • 4
  • 2
  • 2
  • +2
11 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11781558
Try adding "logging trap debugging" to the configuration so that everything is logged.
0
 
LVL 9

Author Comment

by:kprestage
ID: 11783382
I did that, and it would log the vpn connections, but It also adds a lot of unecessary logging to the syslog as well.  Any way to narrow it down?  I dropped the trap to 6, and still got the vpn logs, but I am still getting a ton of other stuff too.  

If there is no way around it, can you recommend a good syslog server for a windows server that will allow me to break the logs apart into reports?  I am using Kiwi right now, and the functionality seems to be very limited.



0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 11783722
I think all you can do is filter the data. I normally log everything to a Linux syslog server and then filter items on demand as I wish using the unix 'grep' command.
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 2

Expert Comment

by:rmharwood
ID: 11784382
Are you using an AAA server for authentication? Can that log successful and unsuccessful attempts?
0
 
LVL 9

Author Comment

by:kprestage
ID: 11784664
We are just using active directory for authentication on the network.  VPN users first authenticate to their pix account, and then to AD.
0
 
LVL 2

Expert Comment

by:rmharwood
ID: 11784800
Not saying this is necessarily the right thing to do, but if you use something like Cisco ACS you can use that to manage your user accounts and I'm pretty sure it provides logging/auditing (although you should check!)

http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/index.html
0
 
LVL 1

Expert Comment

by:rader19
ID: 11788010
In all my experience with Cisco devices. I dont believe there is anyway to narrow down what is sent to the syslog server. I agree with grblades in that I would log everything and filter it.
0
 
LVL 9

Author Comment

by:kprestage
ID: 11790342
Ok.... So if the pix can't narrow it down, are there any suggestions for a good syslog analyzer that will allow me to filter the syslog (in a windows environment)?  I am currently logging to Kiwi syslog server, but the filtering is not too impressive.

0
 
LVL 2

Expert Comment

by:AndyJG247
ID: 11819523
Not sure if these would be any use or not but, the 6.3(4) software allows a bit more syslog if your using AAA - not even tested it yet though.

IKE Syslog Support Improved
This release introduces extensive IKE syslogging support and IKE event trace for scalable VPN troubleshooting has been added to allow for new syslog message generation and IKESMP command control.

New Syslog Messaging for AAA authentication
This release introduces a new AAA syslog message, which prompts users for their authentication before they can use a service port. This syslog improvement is based on prior configured PIX Firewall policies. The added syslog is as follows:

%PIX-3-109023: User from src_IP_Adress/src_port to dest_IP_Address/dest_port on interface outside must authenticate before using this service

0
 
LVL 9

Author Comment

by:kprestage
ID: 12566666
Sorry for sitting on this one so long.  I appreciate everyone's suggestions, but I finally ended up going with grblades advice.  I purchased Kiwi Syslog Server for windows and am logging the data and filtering the results based on the text VPN Tunnel Created and VPN Tunnel Deleted.  
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question