
PIX515E need to create some type of critical or severe log server

blade10

IS-IT--Management
Feb 2, 2008
All-

We are becoming more security compliant here and am looking for a freeware way of taking PIX logs and having ONLY the severe or critical alerts show up in the log..

Sure I can build a Kiwi Log server and have the PIX report EVERYTHING to this server but then I would need to sift thru a 1000 lines everyday and try to assess what each line means as far as actual threat or DDoS attempt..

Or is there some freeware tool out there that can take what's in the kiwi logs from the pix and export ONLY the ones from a PIX severity level 4 or 5 standpoint?

thanks for any direction on this

blade
 
You can set the pix/asa to only report a certain level through the logs. Then you can customize the level of each alert so it can be bumped up (or down) in the severity and be reported where it usually wouldn't at that level.


logging enable
logging timestamp
logging device-id hostname
logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]
logging trap severity_level
logging facility number
logging message 302013 level warnings
logging message 716038 level alerts

Have a look at this for more advanced options -

Hope this helps.




Brent
Systems Engineer / Consultant
CCNP, CCSP
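To show how the trap threshold and the per-message reassignment above interact, here is an added Python filter that is not part of this thread or of Cisco's tooling: it reads PIX-format syslog lines, applies "logging message <id> level <name>" style overrides, and keeps only what a "logging trap <level>" setting would forward. The sample lines are constructed (documentation-range addresses), though the message IDs and their default severities are the real Cisco ones.

```python
import re

# Cisco PIX/ASA syslog severity names, as used by "logging trap <name>".
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Matches the fixed message header, e.g. "%PIX-4-106023: Deny tcp ..."
MSG_RE = re.compile(r"%(?:PIX|ASA|FWSM)-(\d)-(\d+):\s*(.*)$")

# Constructed sample lines (not captured traffic); default levels match Cisco docs.
SAMPLE_LOGS = [
    "Feb 02 2008 10:15:01 pix2 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4242 "
    "dst inside:10.0.0.10/445 by access-group \"outside_in\"",
    "Feb 02 2008 10:15:02 pix2 %PIX-6-302013: Built outbound TCP connection 12345 for "
    "outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.0.0.20/51000 (10.0.0.20/51000)",
    "Feb 02 2008 10:15:03 pix2 %PIX-6-305011: Built dynamic TCP translation from "
    "inside:10.0.0.20/51000 to outside:192.0.2.1/1024",
    "Feb 02 2008 10:15:04 pix2 %PIX-2-106001: Inbound TCP connection denied from "
    "203.0.113.9/5555 to 10.0.0.10/22 flags SYN on interface outside",
    "Feb 02 2008 10:15:05 pix2 %PIX-5-111008: User 'enable_15' executed the "
    "'logging trap warnings' command.",
]

def parse_line(line):
    """Return (default_severity, message_id, text), or None if not a PIX message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)

def effective_level(default_severity, msg_id, overrides):
    """Apply a "logging message <id> level <name>" reassignment, if one exists."""
    return overrides.get(msg_id, default_severity)

def filter_trap(lines, trap="warnings", overrides=None):
    """Keep only messages the PIX would forward at "logging trap <trap>":
    effective level <= trap level (lower number = more severe)."""
    overrides = overrides or {}
    threshold = SEVERITY[trap] if isinstance(trap, str) else int(trap)
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sev, msg_id, text = parsed
        level = effective_level(sev, msg_id, overrides)
        if level <= threshold:
            kept.append((level, msg_id, text))
    return kept

if __name__ == "__main__":
    # Mirrors "logging trap warnings" plus "logging message 302013 level warnings".
    for level, msg_id, text in filter_trap(SAMPLE_LOGS, "warnings", {"302013": 4}):
        print(level, msg_id, text)
```

Without the override, the level-6 connection-built message 302013 is dropped at trap level warnings; with it, the message is promoted to level 4 and forwarded alongside the denies.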
 
thanks very much Brent,

I'm using ver 6.3... and there is logging setup for a server that is not working...

How can I stop that logging process and point my new log setup to a new server in which a kiwi syslog server is setup.. I really should update to 7.x but I can't now. compliance auditors need info quickly for a meeting tomorrow...

yikes!

blade
 
Brent

Thanks again..

Just one more for you that relates to this topic..

I looked for a "monitoring" forum but couldn't find one. This is associated with the Solarwinds syslog server for my PIX emergency alerts..

Anyway, here's my question. I have Solarwinds and its engineering tool. I created a syslog server that points to the PIX outside interface. All is well, but I'd like 2 helpdesk guys to be able to keep this syslog server running on their large overhead flat panel screens. The only way I know how is to have them RDP to the Windows server and see the syslog server running as it is.
Does anyone know if there is a way for them to console to it? Sort of like Solarwinds Orion System Manager lets you?

Is there a way to get to the syslog server screen, to console to it?

Just wondering if terminal services is my only option

anyone have any ideas?

blade
 
Terminal services or VNC if you want a shared view of the application. I don't have experience with the Solarwinds server, but I know some of their other tools and they're great. Sorry I'm not much help other than that.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent,

Just one more inquiry based on this Solarwinds saga.. I was able to set up the Solarwinds Syslog Viewer in order to take in logs from the PIX (IOS 6.3) - I also set up the config pieces on the PIX for all you stated above..

However, here is the snafu: Solarwinds listens on port 514.. PIX 515E ver 6.3 doesn't seem to like that port.. it tells me the port is out of range and returns a higher start-to-end port range.. Have you seen this before by any chance?

I set up the Kiwi syslog server, which listens on a higher port and is taking in logs nicely from the PIX, but my manager wants Solarwinds.. any ideas here?

should I clear everything out in the logging trap configuration and re-do it? or is this a done deal.

thanks

blade..
 
You tried changing the PIX's default syslog port?

logging host interface_name ip_address [tcp[/port] | udp[/port]]


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Yes, this is the exact command set I used..

I receive this error... port out of range....

pix2(config)# logging host 10.1.x.x udp/514
Port out of range: 1025-65535.
pix2(config)# | string <text>
Type help or '?' for a list of available commands.
pix2(config)# logging


Is my syntax off Brent?

Thanks
blade
 
I believe the PIX uses UDP-514 and TCP-1468 by default. Just leave off the port designation in the command and see if the server gets traffic. If you want to set an alternate port, you have to use >1024. You should be able to set the port of the server itself.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent

That worked! thanks so much!!!!!

blade
 
Brent-

I appreciate all the replies -you've helped me tremendously!

I am looking for a white paper or Cisco document that I've seen before - it contained the severity alerts 0 thru 6 but also had explicit suggestions on whether you should or should not react to them accordingly.

For instance, a severity 1 (ALERT) comes into my syslog viewer reported from the PIX.. the detail in the syslog could be: "deny TCP from 207.x.x.x from inbound 10.x.x.x."

BUT the guide I read actually gave suggestions on a DENY as far as how to approach troubleshooting... I am doing this for an Audit team that is looking to hammer I.T. with questions concerning "how do you execute proper handling of an error when viewed in syslog"

I just can't find where I read that guide before..

Have you identified this anywhere, Brent?

thanks for any info at all

blade
 
I haven't seen anything like that. I look up specific errors when needed. Sorry.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent,

no worries, I drafted something for management and am configuring MARS as we speak.. ugh, an appliance that says "Mega Marketing" all over it! lol

blade
 