We have a PIX firewall that is performing logging. We are storing the data into the syslog.log file on the server running CiscoWorks 2000. We are also using that same log file as input for reporting from Private-I (also on that server). As we analyzed the Private-I reports, I realized we were not getting 100% of the data. We checked the configurations and everything "seems" okay according to Cisco AND Private-I. Here is a "show logging" command from the PIX:
pixfirewall# sh log
Syslog logging: enabled
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level debugging, facility 23, 6805317 messages logged
Logging to inside 10.10.5.5
History logging: level debugging, facility 23, 6805317 messages logged
pixfirewall#
When I went to the syslog.log file itself to examine the raw data, I discovered that not all of the events are being logged. For example, URLs that I visited during a specific time are not in the log file. Others, however, are (example - Apr 15 13:33:30 10.10.1.1 %PIX-5-304001: 10.10.1.130 Accessed URL 209.254.32.70:/product_graphics/Pointer1.jpg). Things appear to be working normally on the surface, but underneath, events are not getting logged properly. If it was on the reporting side of CiscoWorks or Private-I, I would suspect an application configuration problem. But this is at the firewall level. Does anyone have any ideas?
Thanks.