Logging PIX Firewall Information

The PIX firewall enables you to log just about every type of event that takes place on the device. Events such as changing passwords, ACL hits, debug events, or even when someone just views the log itself can all be recorded.

Most of the logging commands in the following sections contain a severity level setting. The severity level setting enables you to specify how much detail you want to log.

Severity Levels

The PIX contains several logging severity levels that help determine how much information should be logged. The higher the severity level number, the more detail that is logged. Table 7.8 displays the eight severity level settings.

Table 7.8. PIX Logging Severity Levels

Level   Keyword          Description
0       emergencies      The system is becoming unstable.
1       alerts           Take immediate action.
2       critical         Critical conditions.
3       errors           Error messages.
4       warnings         Warning messages.
5       notifications    Normal but significant conditions.
6       informational    Information messages.
7       debugging        Log debug messages, FTP commands, and WWW URLs.


If you select severity level 3 in the logging command, level 3 and all the levels below it, including levels 2, 1, and 0, will be logged.

Similar to most Cisco products, the PIX can log information to several locations simultaneously. Figure 7.3 shows some of the locations where information can be logged:

  • Internal buffer

  • Console port

  • SNMP management stations

  • Syslog servers

Figure 7.3. Places to log information.


Internal Buffers

You can log information to internal buffers maintained in RAM. The following commands enable this location for logging:

 pixfirewall(config)# logging on
 pixfirewall(config)# logging buffered 4
 pixfirewall(config)#

The logging on command enables logging, and the logging buffered 4 command sends severity level 4 messages (and all lower-numbered, more urgent levels) to the internal buffer. Severity levels were described previously in Table 7.8.


The show logging command displays the internal buffer messages, whereas the clear logging command flushes the local logging buffer.

Console Port Logging

Logging to the console port enables your serial connection to display the messages being generated. Although this is fun to watch, it usually shouldn't be left on for too long. The following commands enable console logging:

 pixfirewall(config)# logging on
 pixfirewall(config)# logging console 4
 pixfirewall(config)#

SNMP Management Station

By using the logging history command, you can send syslog traps to an SNMP management station, like so:

 pixfirewall(config)# logging on
 pixfirewall(config)# logging history 4
 pixfirewall(config)#

Syslog Servers

Syslog servers are typically the primary location to log data. These are remote servers that can store your log messages to disk or other storage. Syslog server software is freely available from several vendors, including Cisco. After the software is installed on a remote computer, you'll need to configure your PIX.

To enable messages to be sent to a syslog server, the logging host command needs to be executed. The following is the command syntax:

 pixfirewall(config)# [no] logging host [<in_if>] <l_ip> [tcp|udp/port#]

Table 7.9. logging host Command Options

Option          Description
in_if           This is the interface name the messages will exit.
l_ip            This is the IP address of the host.
tcp|udp/port#   You can specify TCP or UDP. TCP helps to guarantee your messages are delivered. This option also requires a port number.

The following example enables logging to a remote syslog server with an IP address of and specifies that each message sent should have a timestamp value appended to it:

 pixfirewall(config)# logging host inside
 pixfirewall(config)# logging on
 pixfirewall(config)# logging timestamp
 pixfirewall(config)#

Use the logging host command to direct log messages to a remote syslog server.
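As an added example (not code from the book or from Cisco), the following Python script shows what the syslog server on the receiving end of the logging host command has to do with the messages, and it applies the severity rule from Table 7.8 so you can see which messages a given level setting would forward. It assumes RFC 3164 style framing, where the leading <PRI> value is facility * 8 + severity, and the PIX default facility local4 (20); the sample datagrams are constructed, and their message ids and text are placeholders shaped like PIX output.

```python
"""
Decode PIX syslog messages as a collector receives them and apply the PIX
severity-threshold rule ("level N logs N and every more urgent level").

Added example; assumptions: RFC 3164 "<PRI>" framing (PRI = facility*8 +
severity) and the PIX default facility local4 (20). Samples are constructed.
"""
import re
from typing import Dict, List, NamedTuple

# Severity numbers in the order the PIX uses them (most urgent first).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
DEFAULT_FACILITY = 20  # local4, assumed PIX default facility

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
PIX_HDR_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d+):")


class PixRecord(NamedTuple):
    facility: int
    pri_severity: int   # severity decoded from the <PRI> header
    msg_severity: int   # severity embedded in the %PIX-n-id header
    msgid: str
    text: str


def parse_pix_syslog(datagram: str) -> PixRecord:
    """Decode one datagram. Without 'logging timestamp' the body starts at
    %PIX-; with it, a timestamp precedes the header, so we search, not match."""
    m = PRI_RE.match(datagram)
    if m is None:
        raise ValueError("missing <PRI> header")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, pri_severity = divmod(pri, 8)
    body = datagram[m.end():]
    h = PIX_HDR_RE.search(body)
    if h is None:
        raise ValueError("no %PIX-<level>-<id> header in message")
    return PixRecord(facility, pri_severity, int(h.group("sev")),
                     h.group("msgid"), body[h.end():].strip())


def is_consistent(rec: PixRecord) -> bool:
    """The PRI severity and the %PIX-n severity should agree; a mismatch
    usually means a relay rewrote the message or it is not from a PIX."""
    return rec.pri_severity == rec.msg_severity


def would_be_sent(rec: PixRecord, configured_level: int) -> bool:
    """Rule from Table 7.8: 'logging trap N' (likewise buffered/console/
    history N) emits severity N and every lower, more urgent number."""
    return rec.msg_severity <= configured_level


def kept_per_level(records: List[PixRecord]) -> Dict[int, int]:
    """How many of the given messages each threshold 0..7 keeps; useful for
    picking a level that captures ACL denies without debug noise."""
    return {lvl: sum(1 for r in records if would_be_sent(r, lvl))
            for lvl in range(8)}


# Constructed sample datagrams (not captured from a real PIX); message ids
# and text are placeholders. PRI 164 = 20*8 + 4, and so on.
SAMPLE_DATAGRAMS = [
    "<161>%PIX-1-100001: (Primary) Failover cable OK.",
    "<163>%PIX-3-300001: No translation group found for tcp src inside:10.0.0.5/1234",
    '<164>%PIX-4-400001: Deny tcp src outside:192.0.2.9/4444 dst inside:10.0.0.5/23 by access-group "acl_out"',
    "<166>%PIX-6-600001: Built outbound TCP connection 12 for outside:192.0.2.7/80",
    "<167>%PIX-7-700001: User 'enable_15' executed cmd: show logging",
]


def demo(level: int = 4) -> List[str]:
    """Message ids from the samples that a PIX configured with
    'logging trap <level>' would forward to the syslog server."""
    recs = [parse_pix_syslog(d) for d in SAMPLE_DATAGRAMS]
    assert all(is_consistent(r) for r in recs)
    return [r.msgid for r in recs if would_be_sent(r, level)]


if __name__ == "__main__":
    recs = [parse_pix_syslog(d) for d in SAMPLE_DATAGRAMS]
    for lvl, n in kept_per_level(recs).items():
        print("logging trap %d (%s): keeps %d of %d sample messages"
              % (lvl, SEVERITY_NAMES[lvl], n, len(SAMPLE_DATAGRAMS)))
    print(demo(4))
```

Running the script prints, for each level 0 through 7, how many of the five constructed messages that setting keeps; level 4 forwards the alert, the error and the ACL deny but drops the connection build and the debug line, which is why 4 is a common choice for a remote syslog server.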

General Logging Commands

Several other logging commands are available. Table 7.10 displays a few of the most common commands.

Table 7.10. Logging Command Options

Command             Description
logging on          Enables logging
logging timestamp   Works with syslog servers and adds a timestamp to each message to make them unique
logging monitor     Used to set which messages are sent to Telnet sessions
logging trap        Sets log levels for syslog traps
logging standby     Allows the standby PIX to send messages to the syslog server
clear logging       Clears all the log messages in the internal buffers
show logging        Displays the current logging settings and the messages located in the internal buffers


The logging timestamp command places a timestamp on messages before they are sent to a syslog server.

CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218