• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 493
  • Last Modified:

Pix 506 Log VPN logins to Syslog

I thought this would be easy, but I seem to be coming up empty handed.  I have a pix 506.  I have a VPDN group set up for some of our employees to access the network remotely.  I have the pix logging to a syslog server.  How can I log when users connect to the VPN?  Basically, all I want to know is what user connected and at what time (also when they disconnected if possible) AND when someone tries to log into the VPN with a bad user name and password?  The logging trap is currently set at 5.

I am offering up 500 points because I REALLY need an answer to this!  

0
kprestage
Asked:
kprestage
  • 4
  • 2
  • 2
  • +2
1 Solution
 
grbladesCommented:
Try adding "logging trap debugging" to the configuration so that everything is logged.
0
 
kprestageAuthor Commented:
I did that, and it would log the vpn connections, but It also adds a lot of unecessary logging to the syslog as well.  Any way to narrow it down?  I dropped the trap to 6, and still got the vpn logs, but I am still getting a ton of other stuff too.  

If there is no way around it, can you recommend a good syslog server for a windows server that will allow me to break the logs apart into reports?  I am using Kiwi right now, and the functionality seems to be very limited.



0
 
grbladesCommented:
I think all you can do is filter the data. I normally log everything to a Linux syslog server and then filter items on demand as I wish using the unix 'grep' command.
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
rmharwoodCommented:
Are you using an AAA server for authentication? Can that log successful and unsuccessful attempts?
0
 
kprestageAuthor Commented:
We are just using active directory for authentication on the network.  VPN users first authenticate to their pix account, and then to AD.
0
 
rmharwoodCommented:
Not saying this is necessarily the right thing to do, but if you use something like Cisco ACS you can use that to manage your user accounts and I'm pretty sure it provides logging/auditing (although you should check!)

http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/index.html
0
 
rader19Commented:
In all my experience with Cisco devices. I dont believe there is anyway to narrow down what is sent to the syslog server. I agree with grblades in that I would log everything and filter it.
0
 
kprestageAuthor Commented:
Ok.... So if the pix can't narrow it down, are there any suggestions for a good syslog analyzer that will allow me to filter the syslog (in a windows environment)?  I am currently logging to Kiwi syslog server, but the filtering is not too impressive.

0
 
AndyJG247Commented:
Not sure if these would be any use or not but, the 6.3(4) software allows a bit more syslog if your using AAA - not even tested it yet though.

IKE Syslog Support Improved
This release introduces extensive IKE syslogging support and IKE event trace for scalable VPN troubleshooting has been added to allow for new syslog message generation and IKESMP command control.

New Syslog Messaging for AAA authentication
This release introduces a new AAA syslog message, which prompts users for their authentication before they can use a service port. This syslog improvement is based on prior configured PIX Firewall policies. The added syslog is as follows:

%PIX-3-109023: User from src_IP_Adress/src_port to dest_IP_Address/dest_port on interface outside must authenticate before using this service

0
 
kprestageAuthor Commented:
Sorry for sitting on this one so long.  I appreciate everyone's suggestions, but I finally ended up going with grblades advice.  I purchased Kiwi Syslog Server for windows and am logging the data and filtering the results based on the text VPN Tunnel Created and VPN Tunnel Deleted.  
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 4
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now