  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 461
  • Last Modified:

Cisco PIX 515E how to create IP LOG?

Hello

I have a CISCO PIX 515E

We are using NAT and PAT.  There was an external IP address that I wanted to track down but that IP address was part of the PAT pool.  So there was not a one to one mapping. (Show XLATE).  Is there a way that I can create an IP access log so I could always map the external IP addresses with the internal?

Thanks

- Jeff
0
jeffg_91911
Asked:
jeffg_91911
1 Solution
 
lrmooreCommented:
Turn up system logging and offload to an external syslog server

logging on
logging trap 6
logging timestamp
logging host <ip address>

You can get a good syslog server free from http://www.kiwisyslog.com
Then you can layer on a good syslog analysis tool like sawmill  (not free after demo period)
http://www.kiwisyslog.com/software_download2.htm

0
 
jeffg_91911Author Commented:
I'm trying to get this working and I'm having problems.

Looking at the CISCO documentation it looks like I need to have
"logging facility X" in addition to the above commands.
Where X is the facility.
I tried "logging facility 20" which is for local4.  Does it matter which local I set it to?

I have the Kiwi syslog gen installed and I can send log messages from another computer to the logging server, so I know that the syslog daemon is installed and working.  It appears that the router is not sending out the log messages.

Also when I list the running config file I do not see Logging Facility local4 displayed in the config file, even though the router accepts the command.

Any help in debugging this is appreciated.

Thanks
- Jeff
0
 
lrmooreCommented:
You can change the facility number to whatever you want; its only purpose would be as a sort column in your actual log file.
Facility 20 is the factory default, therefore it will not show up with "show config"

Can you post result of "sho log"

0
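As an added example (not code from this thread, and not Cisco's or Kiwi's software), here is a small syslog receiver/parser that puts the "logging trap 6" plus external-syslog-server setup above to the use Jeff originally asked about: mapping a PAT'd external address and port back to the internal host. It also decodes the PRI byte, which is where the facility number from the exchange above ends up (facility 20 = local4, severity 6 = informational, so the datagram starts with `<166>`). Two assumptions are not stated on the page: datagrams are RFC 3164 style (`<PRI>` followed by the message), and connection-build lines follow the PIX 6.x message 302013 layout, in which each endpoint is written `iface:real_ip/port (mapped_ip/port)` with the translated address in parentheses. The sample datagrams are constructed with documentation addresses; adjust `TRANSLATION_RE` if your software version prints the line differently.

```python
"""Added example, not code from the thread or from Cisco/Kiwi: a small
syslog receiver/parser for the "logging trap 6" + external syslog setup,
which also maps a PAT'd external address back to the internal host.

Assumptions (not stated on the page):
  * Datagrams are RFC 3164 style: "<PRI>" then the message, with
    PRI = facility * 8 + severity (facility 20 = local4, severity 6 = info,
    so PRI 166).
  * Connection-build lines use the PIX 6.x message 302013 layout, where
    each endpoint is "iface:real_ip/port (mapped_ip/port)" and the value
    in parentheses is the translated (NAT/PAT) address.
"""
import re
import socket

FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}   # 16..23 -> local0..local7
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
MSG_ID_RE = re.compile(r"%PIX-(\d)-(\d+):\s*(.*)", re.S)
TRANSLATION_RE = re.compile(
    r"(?P<iface>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+)\s*"
    r"\((?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)\)"
)


def build_datagram(facility, severity, text):
    """Bytes a test sender such as sysloggen puts on the wire: "<PRI>text"."""
    return f"<{facility * 8 + severity}>{text}".encode()


def parse_datagram(data):
    """Decode PRI into facility/severity and pull out the %PIX message id, if any."""
    m = PRI_RE.match(data.decode(errors="replace"))
    if not m:
        return None                      # not a syslog datagram
    facility, severity = divmod(int(m.group(1)), 8)
    body, msg_id = m.group(2).strip(), None
    mm = MSG_ID_RE.search(body)
    if mm:
        msg_id, body = mm.group(2), mm.group(3)
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, str(facility)),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "msg_id": msg_id,
        "text": body,
    }


def extract_translations(text):
    """Return (mapped_ip, mapped_port, real_ip, real_port, iface) for every
    endpoint whose mapped address differs from its real one, i.e. the PAT'd side."""
    out = []
    for m in TRANSLATION_RE.finditer(text):
        if (m["real_ip"], m["real_port"]) != (m["mapped_ip"], m["mapped_port"]):
            out.append((m["mapped_ip"], int(m["mapped_port"]),
                        m["real_ip"], int(m["real_port"]), m["iface"]))
    return out


def build_mapping(datagrams, want_facility=20):
    """Index external (mapped) endpoint -> internal endpoint, ignoring other
    facilities.  302013 is severity 6 (info), hence "logging trap 6" above."""
    table = {}
    for data in datagrams:
        rec = parse_datagram(data)
        if rec is None or rec["facility"] != want_facility:
            continue
        for mapped_ip, mapped_port, real_ip, real_port, _iface in extract_translations(rec["text"]):
            table[(mapped_ip, mapped_port)] = (real_ip, real_port)
    return table


def listen(bind_ip="0.0.0.0", port=514, count=None):
    """Bind UDP/514 and print each datagram's source address and parsed fields.
    Seeing nothing from the PIX's address here is the same check the Kiwi
    support reply later in the thread has you do with Ethereal."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    seen = 0
    while count is None or seen < count:
        data, (src_ip, _src_port) = sock.recvfrom(65535)
        print(src_ip, parse_datagram(data))
        seen += 1
    sock.close()


# Constructed sample datagrams (documentation addresses), not captured from a real PIX.
SAMPLE_DATAGRAMS = [
    build_datagram(20, 6, "%PIX-6-302013: Built outbound TCP connection 9 for "
                          "outside:198.51.100.7/80 (198.51.100.7/80) to "
                          "inside:10.0.100.20/1033 (203.0.113.5/40211)"),
    build_datagram(20, 6, "%PIX-6-302013: Built outbound TCP connection 10 for "
                          "outside:198.51.100.9/443 (198.51.100.9/443) to "
                          "inside:10.0.100.21/1100 (203.0.113.5/40212)"),
    build_datagram(16, 6, "unrelated local0 message from another host"),
]

if __name__ == "__main__":
    for ext, internal in build_mapping(SAMPLE_DATAGRAMS).items():
        print(f"{ext[0]}:{ext[1]} -> {internal[0]}:{internal[1]}")
```

Running the file prints the external-to-internal table for the constructed samples; `listen()` binds UDP/514 (a privileged port on Unix) and shows the source address of every datagram that actually arrives, which is the quickest way to tell "the PIX is not sending" from "the daemon is filtering".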
 
jeffg_91911Author Commented:
how would you recommend that I debug this?
0
 
lrmooreCommented:
Take a look at the output of "show log"
Does it say that logging is enabled?

PIX2(config)# sho log
Syslog logging: enabled  <==
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level informational, 9 messages logged <==
    Trap logging: level informational, 3 messages logged  <==
        Logging to inside 192.168.122.150  <==
    History logging: disabled
    Device ID: disabled
0
 
jeffg_91911Author Commented:
Here is what I have

sho log

Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level debugging, 147985 messages logged
        Logging to inside 10.0.100.66
    History logging: disabled

The computer that is running the syslog daemon is 10.0.100.66.  From looking at this it shows 147985 messages logged, but it is not getting out to or picked up from the Kiwi tool.

Hm the plot thickens.

Your help is greatly appreciated.. Where do I go from here?

Thanks

- Jeff
0
 
lrmooreCommented:
Can you ping 10.0.100.66 from the PIX console?

Are you sure you're not filtering out facility 20 messages in the Kiwi setup?
Which version Kiwi?
0
 
jeffg_91911Author Commented:
Yes, I can ping 10.0.100.66 from the pix console.
I don't see any filtering for facility20.
A test message from kiwi worked with facility20.
The version of kiwi that I'm using is 7.1.4 freeware.

Thanks

- Jeff
0
 
lrmooreCommented:
I'm still using 7.1.0 version - have not had a reason to update...
Kiwi is listening for UDP, port 514 ?

No firewall on the syslog PC?
0
 
jeffg_91911Author Commented:
Yes, UDP port 514 I think that is by default.
No firewall on the syslog PC.  Test messages from another PC using sysloggen work.

Can you view the syslog messages from the console?  If so how?
Do you have to maintain the log, so it does not run out of space/memory?

Thanks

- jeff
0
 
lrmooreCommented:
You can enable logging to the buffer:
  logg buff debug

Then you can see the logs from "show log"
It will keep overwriting itself, so you won't run out of memory or anything.

I've never had a problem getting syslog entries from any PIX using Kiwi on a variety of platforms, but you're at least the 2nd person this month that just can't seem to get it going.. I'm at a loss here...
0
 
jeffg_91911Author Commented:
Hi

The Kiwi people suggested that I ....

"What I suggest that you do is confirm that the traffic is actually being
sent to the IP address of the system that Kiwi Syslog Daemon is installed
on.

For doing this I recommend that use Ethereal, http://www.ethereal.com. Use
this application to capture the traffic as it arrives at your machine."

I did this and I saw that there were no messages where the source was the pix.
So if I'm understanding this correctly it seems that the messages must be getting dropped along the way?

I see the syslog messages on the pix console, but they don't seem to be making it to the syslog daemon.

Could there be a setting in the config file that would be preventing this?  Or?

Any ideas are appreciated.

Thanks

- Jeff
0
 
lrmooreCommented:
If you want to post your complete config, I'll take a look at it.
Is there anything else in between the PIX and your PC, like a router or anything?
0
 
jeffg_91911Author Commented:
Thanks for the offer of looking at my config file.
I'd rather email it to you.  I feel that it's a little sensitive.
I don't know if EE shows email addresses.  So if you send me an email at gardner72@cox.net I will email the config file to you.

Thanks

I really appreciate your help and interest in this issue.

- Jeff
0
 
jeffg_91911Author Commented:
Thanks lrmoore for all your help.
I finally got it working.
The problem was that in the "logging host" command I needed to specify the in_if to specify the ethernet port.

Thanks

- Jeff
0
 
lrmooreCommented:
Whew! I should have caught that - D'oh!
0
