SMTP Traffic Log

[rrgg]

I have this entry in my PIX configuration.

logging on
logging buffered notifications
logging trap notifications
logging host inside 192.168.1.120

When I read log files, I don't see SMTP traffic trace.
Why this?

I would want also to see the traces of any VPN mobile connection, how to improve this?

Tks all.

 

[rrgg]

Any idea??

 

[dhenry]

I would like to know the answer to this too!
Thanks,
-Dave

 

[bytehd]

like SMTP HELO/OK transacations?

perhaps if you jack up the PIX log level.

Else id just set ethereal on a filtered sniff....

http://www.insyncva.com

 

[dhenry]

Not really. The logs will currently show somthing like:
304001: 192.168.1.70 Accessed URL 207.68.173.254:/index.htm

What I am looking for is the same thing except for it to show 'Accessed SMTP'. Right now it dosen't show any SMTP connections, just URL and JAVA.

 

[BuckWeet]

I think that might only work when you have the SMTP fixups turned on... Do have them enabled?

 

[bytehd]

putting an ACL on port 25 will give you log entries for SMTP

http://www.insyncva.com

 

[agrigorof]

Setting the logging level to 6 would enable the recording of the "Built..", "Teardown..." messages and those will capture any type of traffic, not only SMTP. See the following report obtained from a PIX firewall set to logging level 6:

http://www.eventid.net/firegen/mildco01-2004-03-12-165112-ondemand.html

The SMTP fixup simply restricts the type of SMTP commands that PIX would accept (and it may "break" some features like SMTP authentication). I do not think that it enables more detailed logging of the SMTP traffic.


Adrian Grigorof

http://www.eventid.net/firegen/firegenpix2.asp

FireGen for Pix Log Analyzer

 

[bytehd]

Great link Adrian!
Some schweet logs there....

http://www.insyncva.com

 

[dhenry]

Great. Thanks for the help!
-Dave