Configuring syslog on Cisco PIX
Cisco’s PIX is a well-known firewall appliance. It is highly scalable, from a small office or home
environment to an enterprise environment. PIX is very widely used.
In this tutorial,
we concentrate on configuring PIX via the graphical user interface, the PIX
Device Manager (PDM). If you would like to set up the PIX via the command line,
we recommend Cisco's PIX documentation at http://www.cisco.com/warp/public/110/pixsyslog.html.
Cisco’s PIX supports syslog over both TCP and UDP.
While MonitorWare Agent and WinSyslog support both of these protocols, we will focus on UDP in our
tutorial as this is the standard protocol. Therefore, if you would
like to consolidate logs from multiple devices and one of them is PIX, you will
probably take the syslog over UDP route.
PIX can be configured using either a
command line interface or the so-called PIX Device Manager (PDM), an HTML
configuration application that comes with the PIX. Typically, PDM is used and as
such we focus on it in our tutorial.
Start PDM by pointing your Java-enabled web browser to the PIX. Important: Use an
HTTPS URL. This is badly documented by Cisco. Using http instead of https
will cause your connection to fail! If, for example, your PIX has the internal IP
address of 172.16.0.1, use the following URL:
Once this is done, the PDM opens. Most probably, a number of Java security and
certificate-related questions open. Please allow the product to proceed. Also, a
number of browser windows open. Finally, you should see a window similar to the
PDM Start Screen
Switch to the system properties tab:
Expand “Logging” in the treeview and then select “Logging Setup”. A
screen similar to this one appears:
Make sure the “Enable Logging” box is checked as in the screenshot. Then, select
“Syslog” in the treeview. This brings you to the page where syslog servers
can be configured:
In the above example, no server is configured so far. This is the default setting for a
freshly installed PIX. We will now configure a syslog server at IP 172.19.0.2.
Press “Add” and the following dialog appears:
your syslog server will reside on the internal network. As such, leave the
interface at “inside”. Then enter the IP Address of your syslog server into
the field “IP Address”. In the screenshot, this has already been done. Next,
make sure UDP is selected as protocol. The port value of 514 is the default and
also the standard. There should be little need to modify it. If you do, make
sure you fully understand the implications as a wrong port can disrupt traffic.
Of course, if you would like to use TCP logging, you can do so. However, in this
case MonitorWare Agent must be configured to have at least one syslog listener
running at the specified TCP port. Also,
please note that other products typically do not support syslog over TCP and as
such, messages from these devices cannot be received by a syslog over TCP
After configuring the syslog settings, be sure to press OK to return to the PDM main
You can modify the syslog facility and level as well as include a PIX timestamp
– see settings on the right.
The configuration you have created has not been saved so far! To save it, you must press the “Apply to PIX” button. Depending on
your configuration and PIX model, the “Apply” can take some time.
Once the “Apply” is finished, you see the following screen:
Note the new "Save to Flash Needed" button. This one can easily be
overlooked. When it is present, a new PIX configuration has been created but not
permanently saved on the PIX. So you need
to press “Save to Flash Needed” in order to complete your configuration!
If you forget this step, the PIX will either not forward syslog messages at all
or stop doing so after the next PIX reboot.
Make sure that you see the following dialog before continuing:
This concludes the basic configuration of your PIX. You should now receive syslog
messages on the configured syslog server. You can now close Cisco’s PDM. Of
course, you can return at any time to change configuration settings or enable
syslog messages to additional syslog servers you have created.
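To confirm that messages from the PIX actually arrive, the following added example (not part of the original tutorial, and not Cisco or MonitorWare code) is a small Python UDP listener that decodes the syslog priority into facility and level and reads the %PIX tag. The sample messages are constructed and the timestamp layout is an assumption; stop any other syslog service on port 514 before running the listener.

```python
import re
import socket

# Syslog severity names; the index is the numeric level (0..7).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "informational", "debugging"]

# <PRI>, optional device timestamp (layout assumed), then %PIX-<level>-<id>:
PIX_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?:(?P<ts>.*?):\s)?"
                    r"%PIX-(?P<level>[0-7])-(?P<msgid>\d+):\s*(?P<text>.*)$")

# Constructed sample datagrams (facility 20 = local4), not captured traffic.
SAMPLES = [
    b"<166>%PIX-6-302013: Built outbound TCP connection (constructed sample)",
    b"<164>Mar 01 2004 12:00:00: %PIX-4-106023: Deny tcp (constructed sample)",
]

def parse_pix_syslog(datagram):
    """Return the parsed fields of one datagram, or None if it is not PIX syslog."""
    m = PIX_RE.match(datagram.decode("ascii", errors="replace").strip())
    if not m or int(m.group("pri")) > 191:   # valid PRI is 0..191
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    return {
        "facility": facility,
        "severity": SEVERITIES[severity],
        # The level in the %PIX tag should agree with the level in the PRI.
        "consistent": severity == int(m.group("level")),
        "timestamp": m.group("ts"),          # None unless the PIX adds one
        "msgid": m.group("msgid"),
        "text": m.group("text"),
    }

def listen(bind_ip="0.0.0.0", port=514, count=5):
    """Print the first `count` datagrams together with their source address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))           # port 514 may need admin rights
        for _ in range(count):
            data, (source, _) = sock.recvfrom(4096)
            print(source, parse_pix_syslog(data) or data)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_pix_syslog(sample))
    # listen()  # uncomment on the syslog server (172.19.0.2 in the tutorial)
```

Syslog over UDP carries no authentication or delivery guarantee, so the source address printed is only what the datagram claims and a missing message is not reported by the sender.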
Interested in analyzing PIX firewall logs? MonitorWare Console is an analytical tool
which comes with a PIX firewall reporting module.
Still problems enabling syslog? Find the solution in our
forum or post a question there!
Syslog messages generated by these products can be received
by MonitorWare Agent and
All information in this section is to the best of our knowledge but without warranty of
any kind. This is free information - use it at your sole risk.