Cisco PIX Configuration- Syslog Support

PIX 4.0.x-4.1.x

• syslog host #.#.#.# (where #.#.#.# is the syslog servers address)

• syslog output X.Y (where X is the logging facility and Y is the level)

How does the X number translate to logging facility?

• We break down the X number into binary. The last 4 bits comprise the local facility.

  • 16 = 00010000 = local0

  • 17 = 00010001 = local1

  • 18 = 00010010 = local2

  • 19 = 00010011 = local3

  • 20 = 00010100 = local4

  • 21 = 00010101 = local5

  • 22 = 00010110 = local6

  • 23 = 00010111 = local7

• As an example, since 22 = 00010110, and the last4bits=0110=decimal 6, this is local6. (A shortcut is to take the X value and subtract 16. For example, 22-16=6, or local6.)

  The Y number is the level. As an example, if Y=2, messages sent would include those at level 2 (critical), level 1 (alert), and level 0 (emergency). The PIX levels are 0-7; these should not be confused with the logging facilities (which are local0-local7).

Examples for PIX 4.0.x-4.1.x

• syslog 20.7

  20 equals local4 logging facility.

  .7 is the level. 7 means debug to the PIX, that is, all messages will be logged.

• syslog 23.2

  23 equals local7 logging facility

  .2 is the level. 2 means critical to the PIX, that is, critical, alert, and emergency messages will be logged.

PIX 4.2.x and later

The syntax for syslog changed in PIX Software releases 4.2.x. Instead of the syslog host #.#.#.# command, use the new logging host #.#.#.# command. In 4.2.x, the logging facility and level definitions are the same, but instead of using the syslog output X.Y command, you need to have the following two statements.

• logging facility X

• logging trap Y

The level is no longer expressed as a number; it is expressed as the name of the level. An example is below.

• old syntax

  syslog output 20.7

• new syntax

  logging facility 20 (local4)

  logging trap debugging (debugging through emergency)

PIX 4.3.x and later

In 4.3.x and greater, you can avoid having particular syslog messages sent, and you can timestamp messages that are sent.

In addition to the following commands:

• logging host #.#.#.#

• logging facility X

• logging trap Y

you can issue these commands.

• clock set 13:18:00 Apr 25 1999

• logging timestamp

• no logging message 111005

This results in having all messages, except message 111005 (that is, "End configuration"), sent with timestamps.

Note: Because the 111005 message is a Notification level message, it would not be seen if the level on the PIX was set for Emergency, Alert, Critical, Error, or Warning.

An example of a time-stamped non-111005 message follows. (The first timestamp is from our UNIX server and the second is from the PIX.)

Apr 25 13:15:35 10.31.1.53 Apr 25 1999 13:23:00: %PIX-5-111007: Begin configuration: nobody reading from terminal

In PIX Software versions 4.3.x and later, you can also do TCP syslog. PFSS supports this; most other syslog servers do not support it without reconfiguration. The command to enable PIX to do PFSS TCP logging is logging host #.#.#.# tcp 1740

Note: Because this traffic is TCP (that is, with acknowledgments), if the PFSS goes down, traffic through the PIX will stop; for that reason, the tcp syslog command should not be implemented unless you need this kind of functionality! UDP/514 syslogging does not have this effect.