Solved

logging on a cisco 506e

Posted on 2004-11-30
Last Modified: 2013-11-16
I have a Cisco 506E PIX firewall. How do I turn on logging for it? What's the easiest way to see the log from it?

On some cheaper routers/firewalls you can go to their config and see something like
time xxx dhcp renewed
time xxx packet dropped
time xxx invalid access attempt http 1.1.1.1:5847
etc etc
I want something similar on this and can't figure out how to turn that on and view it.  

Preferably in the GUI of PDM also if possible.

TIA!
Question by:jrspano
13 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 12706629
Hi jrspano,
The commands you want all start with the 'logging' command. You can type 'show log' to show the last entries.
You can also increase the buffer size and send a copy of the logs to a SYSLOG server.
You can also set what to log by choosing what category to log, such as debug, notice, critical, etc.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 12706659
First, get yourself a good syslog server, like Kiwi syslogd  http://www.kiwitools.com

Set up logging on the PIX
  Configuration | System Properties
     + Logging
          * Logging Setup     [x] Enable logging
          * Syslog   Add: Inside, IP address of host, don't change anything else
                         Level: Notification
                         [x]  Include Timestamp

                     Apply | Save

Next, get yourself a syslog analysis tool like Sawmill:
http://www.sawmill.net/formats/Syslog.html
0
 
LVL 3

Author Comment

by:jrspano
ID: 12711933
Thanks grblades. Can you elaborate a little? I can't seem to get it to do everything yet. I got the Kiwi tool and it logs fine. I get all kinds of internal info about where people went, etc. I get very little from outside though. I initiated a port scan and it never logged it. Is there something else I need to turn on? It's only logging a few dropped packets now.

Thanks!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12712095
What level did you set the logging to?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12712124
Did you enable the intrusion detection on the outside interface?
0
 
LVL 3

Author Comment

by:jrspano
ID: 12712125
It's set to notifications right now. Is it a combination of all lower? I.e., notifications does them and also everything below it, like alarms, warnings, etc.?

0
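The severity threshold asked about above, as an added example that is not part of the original thread: a configured level passes that severity and every more severe (numerically lower) one, and suppresses the rest. The sample lines are constructed for illustration and the function names are hypothetical.

```python
import re
from collections import Counter

# Cisco severity keywords in order; the list index is the numeric severity.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# PIX messages carry their own severity: %PIX-<severity>-<message id>: <text>
PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")

# Constructed sample lines (documentation addresses), not captured from a device;
# message numbers and texts are illustrative.
SAMPLE = """\
Nov 30 2004 10:15:01: %PIX-2-106001: Inbound TCP connection denied from 192.0.2.10/4311 to 198.51.100.2/23 flags SYN on interface outside
Nov 30 2004 10:15:02: %PIX-4-106023: Deny tcp src outside:192.0.2.10/4312 dst inside:10.0.0.5/80 by access-group "out_in"
Nov 30 2004 10:15:03: %PIX-5-304001: 10.0.0.20 Accessed URL 203.0.113.7:/index.html
Nov 30 2004 10:15:04: %PIX-6-302013: Built outbound TCP connection 101 for outside:203.0.113.7/80 (203.0.113.7/80) to inside:10.0.0.20/1025 (198.51.100.2/1025)
Nov 30 2004 10:15:05: %PIX-7-710005: TCP request discarded from 192.0.2.10/4313 to outside:198.51.100.2/8080
this line is not a PIX message
"""

def parse(text):
    """Return (severity, msgid, text) for each line that is a PIX message."""
    out = []
    for line in text.splitlines():
        m = PIX_RE.search(line)
        if m:  # skip anything that does not carry a %PIX- tag
            out.append((int(m["sev"]), m["msgid"], m["text"]))
    return out

def split_by_threshold(text, level_name):
    """Split messages into (sent, suppressed) for a configured level keyword."""
    threshold = LEVELS.index(level_name)  # ValueError on an unknown keyword
    msgs = parse(text)
    sent = [m for m in msgs if m[0] <= threshold]
    suppressed = [m for m in msgs if m[0] > threshold]
    return sent, suppressed

def suppressed_ids(text, level_name):
    """Count the message ids a given level would never deliver."""
    return Counter(msgid for _, msgid, _ in split_by_threshold(text, level_name)[1])

if __name__ == "__main__":
    for name in ("warnings", "notifications", "debugging"):
        sent, dropped = split_by_threshold(SAMPLE, name)
        print(name, [m[1] for m in sent], "suppressed:", [m[1] for m in dropped])
```
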
 
LVL 3

Author Comment

by:jrspano
ID: 12712165
"Did you enable the intrusion detection on the outside interface?"

It's at factory default now. There are 2 global rules set to alarm. One for info and one for attack.
Policy to interface mappings are all set to none.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12712204
Try creating a new alarm policy copy of the default, and apply it to the outside interface.
0
 
LVL 3

Author Comment

by:jrspano
ID: 12712353
I'm not 100% sure I did it right, but I think I did and it didn't help. Any other ideas?

Thanks.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13172922
Sorry about the delayed response.
Are you still working on this? Did you get everything working? Do you need more information?

-Cheers!
0
 
LVL 36

Expert Comment

by:grblades
ID: 13173048
lrmoore, do you mind having a quick look at one of my router questions?
Thanks
http://www.experts-exchange.com/Hardware/Routers/Q_21291006.html
0
 
LVL 3

Author Comment

by:jrspano
ID: 13173201
Hey lrmoore. I still have tons of internal logging and no external. I uninstalled all the logging software though. I'll give you credit for helping. If you think of anything else, please let me know and I'll try it when I get the logging server back up sometime.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13173311
Thanks!

You can always use the "log" keyword on the access-lists:

  access-list out_in permit tcp any host xxxxx eq 80 log <==

0
