Log levels tips 1

sghezzi

Technical User
Apr 7, 2003
56
DE
Hello,

We use PIX mainly for VPN with remote offices' PIXes, and we are managing the remote PIXes centrally from head office.
We are wondering if it makes sense to collect logs from the remote PIXes to our central syslog server.
In taking this decision we first need to know what level of log to collect.
Until now I have always used debugging level, but this is no longer suitable for remote collection of logs; it would badly impact VPN and connection performance.
Therefore I am asking the list for suggestions.

What is the most suitable level of logging that one should use for having a good understanding of what is going on without having an impact on performance?

Thanks a lot
Silvia
 
We have our 515 set to notifications. It generates anywhere between 50kb to 750kb of messages per day. I think it's highly dependent on what's happening in your network.
 
Hi sghezzi,

Thanks for the good question, I also want to ask the same!

Just wondering what syslog server you're using?

Many thanks!
 
If you're logging to a syslog server down a VPN tunnel, and the tunnel goes down, the CPU usage on the PIX will rocket, and it will eventually stop being able to pass traffic at all. This will also happen if the syslog service stops, or the syslog server is unreachable for some reason, as the PIX tries to handle all the syslog messages locally instead. This is a known problem. It will be worse the higher the level of logging you set. You might want to test this by turning your syslog service off at the main site for a while, and seeing how long it is before users at the remote office phone you up to say they have no internet access.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Actually, on second thought, that's only relevant if you're syslogging using TCP rather than UDP. Which you probably aren't. Don't mind me ....

*whistles*

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Not to digress, but has anyone else noticed a memory leak with Kiwi Syslog on a Windows server? I cycle the syslogd_manager.exe process and my non-paged pool returns to normal.
 
You can configure a workstation at each office with Kiwi and collect the logs locally. You may be able to collect the logs on a scheduled basis (via FTP, for example), or analyze them remotely with a product like FireGen. If you are concerned about the space these logs take, you can configure Kiwi to archive the logs. These logs are highly compressible, so you should be fine.

If you need to collect stats about web traffic for example, you need level 6 logging enabled on each Pix. Otherwise, set it to 3 and only collect error-level and up.

Adrian Grigorof
FireGen for Pix Log Analyzer
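
Added example, not part of any post in this thread: a Python sketch that takes the severity from the `%PIX-<severity>-<id>` tag of each syslog line and reports how many messages and bytes each `logging trap` level would forward, so the level discussed above can be chosen from measured volume. The sample lines are constructed for illustration; run the function over a locally captured debugging-level log to size the remote feed.

```python
import re
from collections import Counter

# Severity names accepted by "logging trap <level>", index = numeric level.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# PIX messages carry severity in the tag: %PIX-<severity>-<message id>
PIX_TAG = re.compile(r"%PIX-([0-7])-\d{6}")

# Constructed sample lines for illustration, not taken from a real firewall.
SAMPLE = [
    "%PIX-6-302013: Built outbound TCP connection 101 for outside:192.0.2.10/80 to inside:10.1.1.5/1025",
    "%PIX-6-302014: Teardown TCP connection 101 duration 0:00:12 bytes 4312",
    "%PIX-6-302013: Built outbound TCP connection 102 for outside:192.0.2.11/443 to inside:10.1.1.6/1030",
    "%PIX-7-609001: Built local-host inside:10.1.1.5",
    "%PIX-7-609002: Teardown local-host inside:10.1.1.5 duration 0:00:12",
    "%PIX-5-111007: Begin configuration: 10.1.1.2 reading from terminal",
    "%PIX-5-111008: User 'enable_15' executed the 'write memory' command.",
    "%PIX-4-106023: Deny tcp src outside:198.51.100.7/4431 dst inside:10.1.1.5/23 by access-group \"outside_in\"",
    "%PIX-3-305005: No translation group found for tcp src inside:10.1.1.9/1040 dst outside:192.0.2.20/80",
    "%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/4432 to 10.1.1.5/25 flags SYN on interface outside",
]

def volume_by_trap_level(lines):
    """Return {level: (messages, bytes)} forwarded if the trap level were set to `level`."""
    count, size = Counter(), Counter()
    for line in lines:
        m = PIX_TAG.search(line)
        if m is None:
            continue  # not a PIX message
        sev = int(m.group(1))
        count[sev] += 1
        size[sev] += len(line)
    totals, msgs, nbytes = {}, 0, 0
    for level in range(8):  # a trap level forwards that severity and everything more severe
        msgs += count[level]
        nbytes += size[level]
        totals[level] = (msgs, nbytes)
    return totals

if __name__ == "__main__":
    for level, (msgs, nbytes) in volume_by_trap_level(SAMPLE).items():
        print(f"{level} {LEVELS[level]:<14} {msgs:>3} msgs {nbytes:>6} bytes")
```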
 
Adrian,

thanks for the info!
About your product: I am interested in evaluating it, so I have downloaded the demo, but I was expecting to be able to use it by uploading my personal log files; instead it seems that I can only use it with the sample log file that is given with the software.

Am I doing something wrong?

Regards
Silvia
 
Silvia,

Please email support@firegen.com for support on this issue - they are quite quick in answering. This forum might not be appropriate for a "how-to" on FireGen. I can assure you that you can analyze your own logs, not just the sample.

Adrian Grigorof
 