jeffg_91911
Cisco PIX 515E how to create IP LOG?

Hello

I have a CISCO PIX 515E

We are using NAT and PAT. There was an external IP address that I wanted to track down, but that IP address was part of the PAT pool, so there was not a one-to-one mapping (show xlate). Is there a way that I can create an IP access log so I could always map the external IP addresses with the internal?

Thanks

- Jeff
Les Moore

Turn up system logging and offload to an external syslog server

logging on
logging trap 6
logging timestamp
logging host <ip address>

You can get a good syslog server free from http://www.kiwisyslog.com
Then you can layer on a good syslog analysis tool like sawmill  (not free after demo period)
http://www.kiwisyslog.com/software_download2.htm

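Once the PIX is trapping at level 6 to a syslog server, the translation messages are what answer the original question: each one records which inside host:port was behind a given outside host:port, and when. The parser below is an added example (not from the original thread or Cisco); the log lines are constructed, modelled on the PIX 6.x 305011 (translation built) and 305012 (translation torn down) message formats, and the function and variable names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on PIX "%PIX-6-305011" / "%PIX-6-305012" messages.
# Note that outside port 4011 is reused by a different inside host after teardown:
# with PAT, the outside address alone never identifies an inside host, only the
# (outside ip, outside port, time) triple does.
SAMPLE_LOG = """\
Jan 10 2005 09:12:01: %PIX-6-305011: Built dynamic TCP translation from inside:10.0.100.5/1025 to outside:203.0.113.2/4011
Jan 10 2005 09:12:03: %PIX-6-305011: Built dynamic TCP translation from inside:10.0.100.7/3001 to outside:203.0.113.2/4012
Jan 10 2005 09:15:30: %PIX-6-305012: Teardown dynamic TCP translation from inside:10.0.100.5/1025 to outside:203.0.113.2/4011 duration 0:03:29
Jan 10 2005 09:16:00: %PIX-6-305011: Built dynamic TCP translation from inside:10.0.100.9/2000 to outside:203.0.113.2/4011
"""

XLATE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-6-3050(?P<kind>11|12): "
    r"(?:Built|Teardown) dynamic (?P<proto>TCP|UDP) translation from "
    r"inside:(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to outside:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
)

def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")

def build_xlate_table(log_text):
    """Map (outside ip, outside port) -> list of [start, end, inside ip, inside port].
    'end' stays None while the translation has not been torn down."""
    table = defaultdict(list)
    for line in log_text.splitlines():
        m = XLATE_RE.match(line)
        if not m:
            continue  # any other syslog message is irrelevant here
        key = (m["out_ip"], int(m["out_port"]))
        ts = parse_ts(m["ts"])
        if m["kind"] == "11":
            table[key].append([ts, None, m["in_ip"], int(m["in_port"])])
        else:
            # Close the most recent still-open entry for this inside endpoint.
            for entry in reversed(table[key]):
                if entry[1] is None and (entry[2], entry[3]) == (m["in_ip"], int(m["in_port"])):
                    entry[1] = ts
                    break
    return table

def who_used(table, ext_ip, ext_port, when):
    """Inside (ip, port) that held the PAT slot ext_ip:ext_port at 'when', or None."""
    for start, end, in_ip, in_port in table.get((ext_ip, ext_port), []):
        if start <= when and (end is None or when < end):
            return (in_ip, in_port)
    return None
```

The lookup only works if the syslog archive covers the whole period of interest, so retention on the syslog server matters as much as the PIX configuration.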
jeffg_91911 (ASKER)
I'm trying to get this working and I'm having problems.

Looking at the CISCO documentation it looks like I need to have
"logging facility X" in addition to the above commands.
Where X is the facility.
I tried "logging facility 20" which is for local4. Does it matter which local I set it to?

I have the kiwi syslog gen installed and I can send log messages from another computer to the logging server, so I know that the Syslog Daemon is installed and working. It appears that the router is not sending out the log messages.

Also when I list the running config file I do not see Logging Facility local4 displayed in the config file, even though the router accepts the command.

Any help in debugging this is appreciated.

Thanks
- Jeff
You can change the facility number to whatever you want, its only purpose would be as a sort column in your actual log file.
Facility 20 is the factory default, therefore it will not show up with "show config"

Can you post result of "sho log"

how would you recommend that I debug this?
ASKER CERTIFIED SOLUTION
Les Moore
Here is what I have

sho log

Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level debugging, 147985 messages logged
        Logging to inside 10.0.100.66
    History logging: disabled

The computer that is running the Syslog daemon is 10.0.100.66. From looking at this it shows 147985 messages logged. But it is not getting out to or picked up from the Kiwi tool.

Hm the plot thickens.

Your help is greatly appreciated.. Where do I go from here?

Thanks

- Jeff
Can you ping 10.0.100.66 from the PIX console?

Are you sure you're not filtering out facility 20 messages in the Kiwi setup?
Which version Kiwi?
Yes, I can ping 10.0.100.66 from the pix console.
I don't see any filtering for facility20.
A test message from kiwi worked with facility20.
The version of kiwi that I'm using is 7.1.4 freeware.

Thanks

- Jeff
I'm still using 7.1.0 version - have not had a reason to update...
Kiwi is listening for UDP, port 514 ?

No firewall on the syslog PC?
Yes, UDP port 514 I think that is by default.
No firewall on the syslog PC. Test messages from another PC using sysloggen work.

Can you view the syslog messages from the console?  If so how?
Do you have to maintain the log, so it does not run out of space/memory?

Thanks

- jeff
You can enable logging to the buffer:
  logg buff debug

Then you can see the logs from "show log"
It will keep overwriting itself, so you won't run out of memory or anything.

I've never had a problem getting syslog entries from any PIX using Kiwi on a variety of platforms, but you're at least the 2nd person this month that just can't seem to get it going.. I'm at a loss here...
Hi

The Kiwi people suggested that I ....

"What I suggest that you do is confirm that the traffic is actually being
sent to the IP address of the system that Kiwi Syslog Daemon is installed
on.

For doing this I recommend that use Ethereal, http://www.ethereal.com. Use
this application to capture the traffic as it arrives at your machine."

I did this and I saw that there were no messages where the source was the pix.
So if I'm understanding this correctly it seems that the messages must be getting dropped along the way?

I see the syslog messages on the pix console, but they don't seem to be making it to the syslog daemon.

Could there be a setting in the config file that would be preventing this?  Or?

Any ideas are appreciated.

Thanks

- Jeff
If you want to post your complete config, I'll take a look at it.
Is there anything else in between the PIX and your PC, like a router or anything?
Thanks for the offer of looking at my config file.
I'd rather email it to you. I feel that it's a little sensitive.
I don't know if EE shows email addresses.  So if you send me an email at gardner72@cox.net I will email the config file to you.

Thanks

I really appreciate your help and interest in this issue.

- Jeff
Thanks lrmoore for all your help.
I finally got it working.
The problem was that in the "logging host" command I needed to specify the in_if to specify the ethernet port.

Thanks

- Jeff
Whew! I should have caught that - D'oh!