
Setting Syslog (PFSS) notifications


sonun (IS-IT--Management, US), Dec 26, 2001
Newbie question!!!

There is a Cisco PIX Firewall and a Cisco ACS already set up. I set up the Cisco Syslog server (PFSS) on a Win2K server. Now, when trying to configure PFSS, all I could find as options were:
-d %_disk_full—the maximum percentage of how full the disk is that you allow the Windows NT system to reach before causing the PIX Firewall to stop transmissions. This is an integer value in the range of 1 to 100. The default is 90.

-t tcp_port—the port used by the Windows NT system to listen for TCP syslog messages, the default is 1468. If you specify another port, it must be in the range of 1024 to 65535.

-u udp_port—the port used by the Windows NT system to listen for UDP syslog messages, the default is 514. If you specify another port, it must be in the range of 1024 to 65535.

-e disk_empty_watch_timer—the duration in seconds that PFSS waits between checks to see if the disk partition is still empty. The default is 5 seconds, the range is any number greater than zero.

-f disk_full_watch_timer—the duration in seconds that PFSS waits between checks to see if the disk partition is still full. The default is 3 seconds, the range is any number greater than zero.

My question is, where do I set the other options, like emails to be sent when an activity occurs? Are all those to be set on the PIX firewall itself?
I found some options that could be issued on the PIX firewall:
logging host #.#.#.#

logging facility X

logging trap Y

clock set 13:18:00 Apr 25 1999

logging timestamp

no logging message 111005

Now, what about all the other options, like being able to specify a particular message (something that I can specify) on the occurrence of a particular event?
Could someone please guide me? I am hoping for more configuration options.
Tutorials, How-tos, Links would be great as well.

Thanks a bunch.
 
The PFSS is pretty basic, so you will not be able to configure the options you need (it is free after all). For more advanced features you need a more robust application such as Private I; however, these are not free.
 
But then how do I make sense of this?
From Cisco Doc:
"
Logging Facility
The single syslog daemon (syslogd) can be thought of as having multiple pipes. It uses the pipes to decide where to send incoming information based on the pipe on which the information arrives. In this analogy, the logging facilities are the pipes by which the syslogd decides where to send information it receives.

The eight logging facilities commonly used for syslog are local0 through local7.
local0
local1
local2
local3
local4
local5
local6
local7
Levels

There are also different degrees of importance attached to incoming messages. We can think of the levels as what. The PIX can be set to send messages at different levels (these are listed from highest to lowest importance):
Level Numeric Code
emergency 0
alert 1
critical 2
error 3
warning 4
notification 5
informational 6
debug 7

When a PIX is set up to send syslog messages, levels of lower importance include levels of higher importance. For example, if the PIX is set for warning, then error, critical, alert, and emergency messages would also be sent in addition to warning. A debug setting would obviously include messages at all 8 levels.

Configuring the PIX to Send Syslog PIX 4.0.x-4.1.x
The syslog syntax is as follows.

syslog host #.#.#.# (where #.#.#.# is the syslog server's address)

syslog output X.Y (where X is the logging facility and Y is the level)
"

Can anyone kindly explain in more detail how I should set this up?

Also, re:
"For more advanced features you need a more robust application such as Private I however these are not free"
Could you kindly provide me with links to these?

Thanks again.

 
If you want to setup a syslog server then the commands needed on the PIX are:

logging host inside <server-ip>
logging trap debugging
logging on

As for Private I or other syslog servers I am sure you can find them on the web. Try to google it...
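An added example (not from this thread, and not Cisco's or PFSS's code) of how a receiver makes sense of the quoted Cisco doc: the syslog PRI value is facility*8 + severity (local0..local7 are codes 16..23), the %PIX-<severity>-<id> tag carries the message ID that "no logging message" refers to, and "logging trap Y" decides which messages reach the server at all. The regex, the sample lines and the watched-ID list are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Severity names in the order the quoted Cisco doc lists them (0 = emergency ... 7 = debug).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "informational", "debug"]
# PRI prefix, optional timestamp/hostname (present when "logging timestamp" is on), then the %PIX tag.
PIX_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>.*?%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Constructed sample lines for this example; they were not captured from a real PIX.
SAMPLE_LINES = [
    "<164>%PIX-4-106023: Deny tcp src outside:198.51.100.7/4455 dst inside:192.0.2.10/23",
    "<166>%PIX-6-302013: Built outbound TCP connection 1 for outside:192.0.2.99/80",
    "<165>Dec 26 2001 13:18:00: %PIX-5-111005: 192.0.2.5 end configuration: OK",
    "not a syslog line at all",
]

@dataclass
class PixEvent:
    facility: str
    severity: int
    msgid: str
    text: str

def facility_name(code: int) -> str:
    # Facility codes 16..23 are local0..local7, the values "logging facility X" selects on the PIX.
    return f"local{code - 16}" if 16 <= code <= 23 else f"facility{code}"

def parse_pix_syslog(line: str) -> Optional[PixEvent]:
    """Decode PRI = facility*8 + severity and pull the PIX message ID out of one line."""
    m = PIX_LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return PixEvent(facility_name(pri // 8), pri % 8, m.group("msgid"), m.group("text"))

def sent_at_trap_level(event: PixEvent, trap_level: int) -> bool:
    # "logging trap Y" sends everything of importance Y or higher, i.e. numeric severity <= Y.
    return event.severity <= trap_level

def matching_alerts(lines, trap_level: int, watched_ids: set) -> list:
    """Events that both reach the server at this trap level and carry a watched message ID."""
    hits = []
    for line in lines:
        ev = parse_pix_syslog(line)
        if ev and sent_at_trap_level(ev, trap_level) and ev.msgid in watched_ids:
            hits.append(ev)
    return hits
```

The second check is the practical point: a watch list on message 111005 (a level-5 message) never fires if the PIX is left at "logging trap warnings", so the trap level must be at least as verbose as the messages you want to alert on.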
 
As it happens, I had the same thoughts last week and, through my quickie research, came up with a starting point.

I set the following logging levels and set my logging host IP address (shown as XXX...)

logging on
logging monitor warnings
logging buffered warnings
logging trap informational
logging host inside XXX.XXX.XXX.XXX

I also created some intrusion detection statements. Like I said, I just created them and pointed to the PFSS log. I tried the SYSLOG first on WinServer2003, but it kept shutting down. There are also some pretty good syslog services that can do more than the free Cisco one. WebSense has a pretty good one. I just started setting up the one with CiscoWorks VMS, but haven't gotten too far into it yet.

ip audit name OUTSIDEINFO info action alarm
ip audit name OUTSIDEATTACK attack action alarm drop reset
ip audit name INSIDEATTACK attack action alarm drop reset
ip audit name INSIDEINFO info action alarm
ip audit interface outside OUTSIDEINFO
ip audit interface outside OUTSIDEATTACK
ip audit interface inside INSIDEINFO
ip audit interface inside INSIDEATTACK
ip audit info action alarm
ip audit attack action alarm drop reset

Hope this helps; back up your config (note your changes so you can quickly reverse them) and use with care.

Hope it helps.

Steve
 
That was useful. Have to get my hands dirty. Btw, these solutions at least offer email alerts, right?
Thanks.
 
I believe the WebSense and VMS do, not the freebie Cisco PFSS.
 