The PIX firewall enables you to log just about every type of event that takes place on the device. Events such as changing passwords, ACL hits, debug events, or even when someone just views the log itself can all be recorded.
Most of the logging commands in the following sections contain a severity level setting. The severity level setting enables you to specify how much detail you want to log.
The PIX contains several logging security levels that help determine how much information should be logged. The higher the security level number, the more detail that is logged. Table 7.8 displays the eight severity level settings.
Table 7.8. PIX Logging Severity Levels
Similar to most Cisco products, the PIX can log information to several locations simultaneously . Figure 7.3 shows some of the locations where information can be logged:
Figure 7.3. Places to log information.
You can log information to internal buffers maintained in RAM. The following commands enable this location for logging:
pixfirewall(config)# logging on pixfirewall(config)# logging buffered 4 pixfirewall(config)#
The logging on command enables logging, and the logging buffered 4 command enables logging severity level 4 messages to the internal buffer. Severity levels were described previously in Table 7.8.
Console Port Logging
Logging to the console port enables your serial connection to display the messages being generated. Although this is fun to watch, it usually shouldn't be left on for too long. The following commands enable console logging:
pixfirewall(config)# logging on pixfirewall(config)# logging console 4 pixfirewall(config)#
SNMP Management Station
By using the logging history command, you can send syslog traps to an SNMP management station, like so:
pixfirewall(config)# logging on pixfirewall(config)# logging history 4 pixfirewall(config)#
Syslog servers are typically the primary location to log data. These are remote servers that can store your log messages to disk or other methods of storage. Syslog server software is freely available from several vendors , including Cisco. After the software is installed on a remote computer, you'll need to configure your PIX.
To enable messages to be sent to a syslog server, the logging host command needs to be executed. The following is the command syntax:
pixfirewall(config)# [no] logging host [<in_if>] <l_ip> [tcpudp/port#]
Table 7.9. logging host Command Options
The following example enables logging to a remote syslog server with an IP address of 192.168.1.15 and specifies that each message sent should have a timestamp value appended to it:
pixfirewall(config)# logging host inside 192.168.1.15 pixfirewall(config)# logging on pixfirewall(config)# logging timestamp pixfirewall(config)#
General Logging Commands
Several other logging commands are available. Table 7.9 displays a few of the most common commands.
Table 7.10. Logging Command Options