Logging PIX Firewall Information


The PIX firewall enables you to log just about every type of event that takes place on the device. Events such as changing passwords, ACL hits, debug events, or even when someone just views the log itself can all be recorded.

Most of the logging commands in the following sections contain a severity level setting. The severity level setting enables you to specify how much detail you want to log.

Severity Levels

The PIX contains several logging severity levels that help determine how much information should be logged. The higher the severity level number, the more detail is logged. Table 7.8 displays the eight severity level settings.

Table 7.8. PIX Logging Severity Levels

 Number  Name           Description
 0       Emergencies    The system is becoming unstable.
 1       Alerts         Take immediate action.
 2       Critical       Critical conditions.
 3       Errors         Error messages.
 4       Warnings       Warning messages.
 5       Notifications  Normal but significant conditions.
 6       Informational  Information messages.
 7       Debugging      Log debug messages, FTP commands, and WWW URLs.

If you select severity level 3 in the logging command, level 3 and all the levels below it, including levels 2, 1, and 0, will be logged.


Similar to most Cisco products, the PIX can log information to several locations simultaneously. Figure 7.3 shows some of the locations where information can be logged:

  • Internal buffer

  • Console port

  • SNMP management stations

  • Syslog servers

Figure 7.3. Places to log information.

Internal Buffers

You can log information to internal buffers maintained in RAM. The following commands enable this location for logging:

 pixfirewall(config)# logging on
 pixfirewall(config)# logging buffered 4
 pixfirewall(config)#

The logging on command enables logging, and the logging buffered 4 command sends messages of severity level 4 and below to the internal buffer. Severity levels were described previously in Table 7.8.

The show logging command displays the internal buffer messages, whereas the clear logging command flushes the local logging buffer.


Console Port Logging

Logging to the console port enables your serial connection to display the messages being generated. Although this is fun to watch, it usually shouldn't be left on for too long. The following commands enable console logging:

 pixfirewall(config)# logging on
 pixfirewall(config)# logging console 4
 pixfirewall(config)#

SNMP Management Station

By using the logging history command, you can send syslog traps to an SNMP management station, like so:

 pixfirewall(config)# logging on
 pixfirewall(config)# logging history 4
 pixfirewall(config)#

Syslog Servers

Syslog servers are typically the primary location to log data. These are remote servers that can store your log messages to disk or other methods of storage. Syslog server software is freely available from several vendors, including Cisco. After the software is installed on a remote computer, you'll need to configure your PIX.

To enable messages to be sent to a syslog server, the logging host command needs to be executed. The following is the command syntax:

 pixfirewall(config)# [no] logging host [<in_if>] <l_ip> [tcp|udp/port#]

Table 7.9. logging host Command Options

 Option   Function
 in_if    This is the name of the interface through which the messages will exit.
 l_ip     This is the IP address of the host.
 tcp|udp  You can specify TCP or UDP. TCP helps to guarantee your messages are delivered. This option also requires a port number.

The following example enables logging to a remote syslog server with an IP address of 192.168.1.15 and specifies that each message sent should have a timestamp value appended to it:

 pixfirewall(config)# logging host inside 192.168.1.15
 pixfirewall(config)# logging on
 pixfirewall(config)# logging timestamp
 pixfirewall(config)#

Use the logging host command to direct log messages to a remote syslog server.


General Logging Commands

Several other logging commands are available. Table 7.10 displays a few of the most common commands.

Table 7.10. Logging Command Options

 Command            Description
 logging on         Enables logging
 logging timestamp  Works with syslog servers and adds a timestamp to each message to make them unique
 logging monitor    Used to set which messages are sent to Telnet sessions
 logging trap       Sets log levels for syslog traps
 logging standby    Allows the standby PIX to send messages to the syslog server
 clear logging      Clears all the log messages in the internal buffers
 show logging       Displays the current logging settings and the messages located in the internal buffers

The logging timestamp command places a timestamp on messages before they are sent to a syslog server.
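
The severity threshold rule from the tip after Table 7.8, applied per logging destination to timestamped messages as a syslog server would store them. This is an added Python example, not from the book. It assumes the %PIX-<level>-<id> tag that PIX syslog messages carry; the thresholds, message ids and message text are constructed.

```python
import re

# PIX syslog messages carry a tag of the form %PIX-<severity>-<message id>.
PIX_TAG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")

def parse_pix_message(line):
    """Return (severity, message_id, text), or None if the line has no PIX tag."""
    m = PIX_TAG.search(line)
    if m is None:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def destinations_for(severity, thresholds):
    """Destinations whose configured level N admits this severity (0 through N)."""
    return sorted(name for name, level in thresholds.items() if severity <= level)

def route(lines, thresholds):
    """Map each destination to the message ids it would receive."""
    delivered = {name: [] for name in thresholds}
    for line in lines:
        parsed = parse_pix_message(line)
        if parsed is None:
            continue  # no %PIX tag: not a firewall message
        severity, msgid, _text = parsed
        for name in destinations_for(severity, thresholds):
            delivered[name].append(msgid)
    return delivered

# Constructed levels, as if set with logging buffered 4, logging console 2
# and logging trap 6 (illustrative values, not taken from the book).
THRESHOLDS = {"buffered": 4, "console": 2, "trap": 6}

# Constructed sample lines in timestamped form; ids and text are illustrative.
SAMPLE = [
    "Mar 12 2003 14:22:01: %PIX-2-106001: Inbound TCP connection denied",
    "Mar 12 2003 14:22:03: %PIX-4-106023: Deny tcp src outside dst inside",
    "Mar 12 2003 14:22:05: %PIX-6-302013: Built outbound TCP connection",
    "Mar 12 2003 14:22:07: %PIX-7-711001: debug output",
    "Mar 12 2003 14:22:09: last message repeated 2 times",
]

if __name__ == "__main__":
    for name, ids in route(SAMPLE, THRESHOLDS).items():
        print(f"{name:9s} {ids}")
```

With these thresholds the level 7 message reaches no destination, which is the usual reason an expected debug line is missing from the syslog server.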




CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
EAN: 2147483647
Year: 2003
Pages: 218
