logging written to the wrong file !!


haneo

Programmer
Jan 2, 2002
274
CA
I want to log all debugging traffic to a Linux PC (Slackware), so I added this to our PIX 515
("Cisco PIX Firewall Version 6.2(2)"):

logging host inside IP_OF_LINUX_BOX
logging trap debugging
logging facility 20
logging on

On the Linux box I added this to /etc/syslog.conf:
local4.error /var/log/pix/pix-error

and restarted the syslog server like this:
/usr/sbin/syslog -r

Now in pix-error I got just 5 messages in two days,

but in /var/log/messages I get many, many messages; one message is repeating:

Nov 26 08:59:15 IP_OF_INSIDE_INT %PIX-6-302016: Teardown UDP connection 33346700 for outside:OUR_DNS_SERVER/53 to inside:OUR_EMAIL_SERVER/3174 duration 0:00:01 bytes 198

The content of the file /etc/syslog.conf is:
*.=info;*.=notice /usr/adm/messages
*.=debug /usr/adm/debug

*.err /usr/adm/syslog
local4.error /var/log/pix/pix-error
 
You have a few issues.

QUICK REFERENCE TO SYSLOG: Syslog sends messages on eight different levels (level 0 through 7). Level 0 is the highest priority, and level 7 is the lowest. Here are the names usually associated with each level:

0 - emergency
1 - alert
2 - critical
3 - error
4 - warning
5 - notification
6 - informational
7 - debugging

ON THE PIX: You're telling the PIX to send all messages from all levels with the "logging trap debugging" command. If you only want to send error messages (and higher priority) to your syslog server, change this command to "logging trap error"

ON THE SYSLOG SERVER: If you do not want PIX log messages going to /var/log/messages, look in your syslog.conf for the line that specifies /var/log/messages for the system. You will need to add "local4.none;" (WITH the semi-colon, but WITHOUT the quotes) to the front of this line and restart the server. That will suppress local4 messages from going to /var/log/messages. If you find that you have other local4 stuff going that you want to go to /var/log/messages, you will need to change the facility on the PIX to something else (facility 22 - local6 works well for me).

WHY YOU SAW WHAT YOU SAW: Since your dedicated PIX log file was only receiving error messages (and higher), you only received a handful in the last couple of days.

Now, if you look in your syslog.conf file, you will notice that level info and higher messages go to /var/log/messages by default. That is why you saw a ton of messages there. In the case you mentioned, your E-mail server was making a number of connections outbound, which is pretty expected for an E-mail server.

Also, note how the front of the message shows "PIX-6-302016". The "6" in the middle indicates this is a Level 6 message.

Hope that isn't too confusing...
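To make the routing described above concrete, here is an added Python model (not code from the thread or from Cisco) that parses the %PIX-<severity>-<id> prefix, maps the PIX "logging facility 20" to local4, and evaluates the poster's syslog.conf selectors the way sysklogd does, left to right, so the effect of a local4.none carve-out can be checked before restarting syslogd. The syslog.conf rules and the sample line are constructed from the thread; sysklogd's exact bitmask handling is simplified to the cases these selectors use.

```python
import re

# Severity names in numeric order: index == level (0 = emergency ... 7 = debugging).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Long spellings used by the PIX CLI and accepted by sysklogd for the same levels.
ALIASES = {"emergency": "emerg", "critical": "crit", "error": "err", "warn": "warning",
           "notification": "notice", "informational": "info", "debugging": "debug"}
PIX_MSG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")

def level_number(name):
    return LEVELS.index(ALIASES.get(name, name))
def pix_facility_name(code):
    """'logging facility N' on the PIX is a numeric syslog facility; 16..23 are local0..local7."""
    if not 16 <= code <= 23:
        raise ValueError("PIX logging facility must be 16-23")
    return f"local{code - 16}"
def parse_pix(line):
    """Return (severity, message id, text) from a %PIX-<sev>-<id> syslog line."""
    m = PIX_MSG.search(line)
    if not m:
        raise ValueError("not a PIX syslog message")
    return int(m["sev"]), m["msgid"], m["text"]
def rule_matches(selectors, facility, severity):
    """Left to right: 'fac.level' admits that level and anything more severe, 'fac.=level'
    exactly that level, 'fac.none' drops the facility again (so it must follow the wildcard)."""
    admitted = False
    for sel in selectors.split(";"):
        facs, _, level = sel.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if level == "none":
            admitted = False
        elif level.startswith("="):
            admitted = admitted or severity == level_number(level[1:])
        else:
            admitted = admitted or severity <= level_number(level)
    return admitted
def route(conf, facility, severity):
    """List the log files a message of this facility/severity reaches under conf."""
    return [target for selectors, target in conf if rule_matches(selectors, facility, severity)]

# Constructed input: the poster's rules, then the same file with local4.none after the wildcard.
ORIGINAL_CONF = [("*.=info;*.=notice", "/usr/adm/messages"), ("*.=debug", "/usr/adm/debug"),
                 ("*.err", "/usr/adm/syslog"), ("local4.error", "/var/log/pix/pix-error")]
FIXED_CONF = [("*.=info;*.=notice;local4.none", "/usr/adm/messages")] + ORIGINAL_CONF[1:]
SAMPLE = ("Nov 26 08:59:15 IP_OF_INSIDE_INT %PIX-6-302016: Teardown UDP connection 33346700 "
          "for outside:OUR_DNS_SERVER/53 to inside:OUR_EMAIL_SERVER/3174 duration 0:00:01 bytes 198")
def destinations(conf, line, pix_facility_code=20):
    """Where a captured PIX line lands when the PIX was configured with 'logging facility N'."""
    severity, _, _ = parse_pix(line)
    return route(conf, pix_facility_name(pix_facility_code), severity)
```

Running destinations(ORIGINAL_CONF, SAMPLE) shows the level 6 teardown line reaching only /usr/adm/messages, while a level 3 local4 message reaches both /usr/adm/syslog and the pix-error file, which matches the "5 messages in two days" the poster saw.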
 
Thanks tbissett for your help, I will post the result as soon as I make the modification.

thanks ;)
 