Solved

Pix 506 Log VPN logins to Syslog

Posted on 2004-08-11
11
478 Views
Last Modified: 2010-05-18
I thought this would be easy, but I seem to be coming up empty handed.  I have a pix 506.  I have a VPDN group set up for some of our employees to access the network remotely.  I have the pix logging to a syslog server.  How can I log when users connect to the VPN?  Basically, all I want to know is what user connected and at what time (also when they disconnected if possible) AND when someone tries to log into the VPN with a bad user name and password?  The logging trap is currently set at 5.

I am offering up 500 points because I REALLY need an answer to this!  

0
Comment
Question by:kprestage
  • 4
  • 2
  • 2
  • +2
11 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11781558
Try adding "logging trap debugging" to the configuration so that everything is logged.
0
 
LVL 9

Author Comment

by:kprestage
ID: 11783382
I did that, and it would log the vpn connections, but It also adds a lot of unecessary logging to the syslog as well.  Any way to narrow it down?  I dropped the trap to 6, and still got the vpn logs, but I am still getting a ton of other stuff too.  

If there is no way around it, can you recommend a good syslog server for a windows server that will allow me to break the logs apart into reports?  I am using Kiwi right now, and the functionality seems to be very limited.



0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 11783722
I think all you can do is filter the data. I normally log everything to a Linux syslog server and then filter items on demand as I wish using the unix 'grep' command.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 2

Expert Comment

by:rmharwood
ID: 11784382
Are you using an AAA server for authentication? Can that log successful and unsuccessful attempts?
0
 
LVL 9

Author Comment

by:kprestage
ID: 11784664
We are just using active directory for authentication on the network.  VPN users first authenticate to their pix account, and then to AD.
0
 
LVL 2

Expert Comment

by:rmharwood
ID: 11784800
Not saying this is necessarily the right thing to do, but if you use something like Cisco ACS you can use that to manage your user accounts and I'm pretty sure it provides logging/auditing (although you should check!)

http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/index.html
0
 
LVL 1

Expert Comment

by:rader19
ID: 11788010
In all my experience with Cisco devices. I dont believe there is anyway to narrow down what is sent to the syslog server. I agree with grblades in that I would log everything and filter it.
0
 
LVL 9

Author Comment

by:kprestage
ID: 11790342
Ok.... So if the pix can't narrow it down, are there any suggestions for a good syslog analyzer that will allow me to filter the syslog (in a windows environment)?  I am currently logging to Kiwi syslog server, but the filtering is not too impressive.

0
 
LVL 2

Expert Comment

by:AndyJG247
ID: 11819523
Not sure if these would be any use or not but, the 6.3(4) software allows a bit more syslog if your using AAA - not even tested it yet though.

IKE Syslog Support Improved
This release introduces extensive IKE syslogging support and IKE event trace for scalable VPN troubleshooting has been added to allow for new syslog message generation and IKESMP command control.

New Syslog Messaging for AAA authentication
This release introduces a new AAA syslog message, which prompts users for their authentication before they can use a service port. This syslog improvement is based on prior configured PIX Firewall policies. The added syslog is as follows:

%PIX-3-109023: User from src_IP_Adress/src_port to dest_IP_Address/dest_port on interface outside must authenticate before using this service

0
 
LVL 9

Author Comment

by:kprestage
ID: 12566666
Sorry for sitting on this one so long.  I appreciate everyone's suggestions, but I finally ended up going with grblades advice.  I purchased Kiwi Syslog Server for windows and am logging the data and filtering the results based on the text VPN Tunnel Created and VPN Tunnel Deleted.  
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question