
PIX reporting and syslog

Status
Not open for further replies.

Adr3nalin

MIS
Aug 4, 2002
57
NZ
Hi All,

Do you have any suggestion on what is the best way to monitor the PIX traffic daily?

I was using syslog before and set the box to send error and warning levels to my workstation.
But what happened in the next few days was that the PIX became unstable. The NAT stopped working and some weird things happened. Do I need to turn off the buffer of the syslog?

Thanks for your help... cheers
 
If I had to guess I would say you were sending too much info to the syslog server. Running a debug on a production PIX? What level were you logging at?

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Hi.

It all depends on the specific situation you have.

I mainly support SMB clients, most of them with 10-80 internal hosts. On most PIX devices that I set up I send syslog messages to a server at level 4 (warning). I did not see any problem with that, and the size of a daily log is something like 300kb.

At one site that needed more logging, I have set up logging to the server at level 6, which sends much more information.
I didn't notice any degradation in network performance, but again this is an SMB site with: PIX515 ver 6.1, about 40 internal hosts, and a 128 leased line to the ISP.
The size of the daily log files with level 6 is about 10mb per day.
We use it in conjunction with MRTG on the router to troubleshoot bandwidth usage problems, and it has helped us several times to find the problem, whether it was a user running Napster, a mail server that went crazy (mail loop), or other problems.
We also keep the logs for security analysis in case we need them in the future.

For larger organizations, the situation is of course different, so please describe more about your network.

Are you using UDP or TCP syslog connection?

If you have a syslog server, then yes you can disable the buffer logging, or set it to a low level.

Bye
Yizhar Hurwitz
 
Thanks guys for your answers...

Before, the settings were:
- buffer on (by default)
- using UDP port to send to my workstation (Kiwi Syslog).
- error level set to Warning (I remember that before I set this, I left it at the default for a few days...).
My network size is SMB, hosting around 20 servers.
- I never run debug on a production server.

I'm curious: does the PIX still use the buffers if we have set the PIX to send the log to another host?

What happens if the buffer is full?

Do you know what syslog server software is good enough (easy to use, does not require SQL databases, and cheap :))?


cheers,


 
Hi.

> using UDP port to send to my workstation
This is good because TCP will halt the traffic if the syslog server is unavailable.

> curious, does the PIX still use the buffers?
Yes, each setting is independent.
But each logging setting consumes some resources.

> what happens if the buffer is full?
It keeps the last X messages.

> do you know what syslog server software is good enough?
Kiwi works fine for me.

Bye
Yizhar Hurwitz
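As an added example (not code from the thread or from Cisco), the daily-monitoring idea in Python: a small parser over constructed PIX syslog lines that shows how many of the messages a "logging trap" level of 4 versus 6 would actually ship to the syslog server, and which inside host is busiest, the way Yizhar describes spotting the Napster user or the looping mail server. The message ids (302013, 302014, 106023, 305005) and their text formats are assumed from later PIX 6.x releases and the sample lines are constructed.

```python
import re
from collections import Counter

# PIX 6.x syslog header: "%PIX-<severity>-<message id>: <text>"
HEADER = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
# "src inside:10.1.1.5/1034", "for inside:...", "to outside:..." endpoint tokens
ENDPOINT = re.compile(r"\b(?:src|for|to)\s+(?P<iface>\w+):(?P<host>[\d.]+)/\d+")

# Constructed sample lines (assumed PIX 6.3-style ids/formats): one inside host
# opening many outbound connections, two ACL denies and one NAT failure.
SAMPLE = """\
Aug 04 2002 10:00:01 pix %PIX-6-302013: Built outbound TCP connection 1001 for inside:10.1.1.5/1034 (203.0.113.9/1034) to outside:198.51.100.7/6699 (198.51.100.7/6699)
Aug 04 2002 10:00:02 pix %PIX-6-302014: Teardown TCP connection 1001 for inside:10.1.1.5/1034 to outside:198.51.100.7/6699 duration 0:00:01 bytes 5120 TCP FINs
Aug 04 2002 10:00:03 pix %PIX-6-302013: Built outbound TCP connection 1002 for inside:10.1.1.5/1035 (203.0.113.9/1035) to outside:198.51.100.8/6699 (198.51.100.8/6699)
Aug 04 2002 10:00:04 pix %PIX-4-106023: Deny tcp src outside:192.0.2.10/4444 dst inside:10.1.1.20/25 by access-group "outside_in"
Aug 04 2002 10:00:05 pix %PIX-4-106023: Deny tcp src inside:10.1.1.5/1036 dst outside:198.51.100.9/6699 by access-group "inside_out"
Aug 04 2002 10:00:06 pix %PIX-3-305005: No translation group found for tcp src inside:10.1.1.30/2000 dst outside:198.51.100.1/80
""".splitlines()

def parse(line):
    """Return (severity, message id, text) for a PIX syslog line, else None."""
    m = HEADER.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("id"), m.group("text")

def summarize(lines, trap_level=4):
    """Count messages per severity, count how many a 'logging trap <level>'
    setting would actually send to the syslog server, and rank the inside
    hosts seen in connection builds (302013) and ACL denies (106023)."""
    per_level, inside_hosts, sent = Counter(), Counter(), 0
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                      # Kiwi header or non-PIX line
        sev, msg_id, text = parsed
        per_level[sev] += 1
        if sev <= trap_level:             # lower number = more severe
            sent += 1
        if msg_id in ("302013", "106023"):
            for ep in ENDPOINT.finditer(text):
                if ep.group("iface") == "inside":
                    inside_hosts[ep.group("host")] += 1
    return {"per_level": dict(per_level), "sent": sent, "inside_hosts": inside_hosts}

if __name__ == "__main__":
    for level in (4, 6):
        print(f"trap level {level}: {summarize(SAMPLE, level)['sent']} of {len(SAMPLE)} messages sent")
    print("busiest inside host:", summarize(SAMPLE)["inside_hosts"].most_common(1))
```

On the sample, level 4 ships 3 of the 6 messages while level 6 ships all of them; on a real day the level-6 connection build/teardown pairs are what turn a 300kb log into a 10mb one.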
 