Extensive Logging Capabilities

PIX allows extensive logging of the traffic flowing through it. The show commands and packet dumps can also be used to obtain detailed information on that traffic, but under normal circumstances, system logs sent to a syslog server are sufficient for tracking malicious activity on a network. Besides giving insight into malicious activity, the syslog messages are also a source of debugging information for troubleshooting PIX configuration issues. A PIX Firewall records the following types of syslog messages:

• Connection events (for example, connections denied by the PIX Firewall configuration or address translation errors)

• AAA (authentication, authorization, and accounting) events

• Failover events reported by one or both units of a failover pair

• FTP/URL events (for example, successful file transfers or blocked Java applets)

• Mail Guard/SNMP events

• PIX Firewall management events (for example, configuration events or Telnet connections to the PIX Firewall console port)

• Routing errors

The syslog messages can be sent to the PIX console, a Telnet session, or a logging server. The amount of information displayed when the messages are sent to the console is limited as compared to the information sent to the logging server. A general strategy is to use the syslog messages appearing on the console for basic debugging needs and to use the syslog server if more-detailed information on individual messages is needed.

PIX conforms to the standard syslog logging levels:

0—Emergency. System unusable message.

1—Alert. Take immediate action.

2—Critical condition.

3—Error message.

4—Warning message.

5—Notification. Normal but significant condition.

6—Informational message.

7—Debug message, log FTP command, or WWW URL.

Enabling logging at any level enables logging for all levels up to that level; that is, setting the level to 4 (warning) sends messages of levels 0 through 4.

Individual messages within a specific logging level can be disabled so that routine messages don't inundate the syslog file. PIX logs can be sent to any standard syslog server, including the PIX Firewall Syslog Server, the PIX Firewall Manager, and Cisco Security Manager. Some commercially available software, such as Private Eye, also allows extensive reporting on the syslog messages generated by the PIX Firewall.
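The two behaviors described above, the severity threshold that admits every level up to the configured one and the suppression of individual message IDs, can be exercised offline. The following script is an added example, not code from this chapter or from Cisco's PIX software: it filters a constructed batch of PIX-style syslog lines the way a syslog server would receive them for a given trap level and suppression list, then summarizes denied connections per source address to spot a host probing several ports. It assumes the `%PIX-<severity>-<message-id>:` prefix that PIX puts on each message; the sample lines and their message IDs are constructed for illustration and are not copied from a device.

```python
import re

# Standard syslog severities, as listed in the text (0 = emergency ... 7 = debug).
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Assumed PIX message prefix: "%PIX-<severity>-<message-id>: <text>".
PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d+): (?P<text>.*)")

# Constructed sample log. Message IDs follow the PIX numbering style but are
# illustrative only; they were not taken from a real PIX.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.20/40001 (192.0.2.5/1024)
%PIX-4-106023: Deny tcp src outside:198.51.100.7/51000 dst inside:10.1.1.20/22 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/51001 dst inside:10.1.1.20/23 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/51002 dst inside:10.1.1.20/445 by access-group "outside_in"
%PIX-6-302014: Teardown TCP connection 1234 for outside:203.0.113.10/80 to inside:10.1.1.20/40001 duration 0:00:02 bytes 5120 (TCP FINs)
%PIX-5-111005: 10.1.1.5 end configuration: OK
%PIX-7-710005: UDP request discarded from 10.1.1.9/137 to inside:10.1.1.255/137
%PIX-3-305005: No translation group found for tcp src inside:10.1.1.30/3000 dst outside:203.0.113.99/443
"""


def parse(line):
    """Split one PIX syslog line into severity, message ID and text; None if not PIX-formatted."""
    m = PIX_RE.search(line)
    if not m:
        return None
    return {"sev": int(m["sev"]), "id": m["id"], "text": m["text"]}


def filter_messages(log, trap_level, suppressed=()):
    """Return the messages a syslog server would receive.

    A message passes when its severity number is <= trap_level (lower number is
    more severe, so the threshold admits every level up to the configured one)
    and its message ID is not individually suppressed.
    """
    kept = []
    for line in log.splitlines():
        msg = parse(line)
        if msg is None:
            continue
        if msg["sev"] > trap_level or msg["id"] in suppressed:
            continue
        kept.append(msg)
    return kept


# Fields of a connection-denied message as written in the sample lines above.
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def deny_summary(messages, min_targets=3):
    """Group denied connections by source address and return the sources that hit
    at least min_targets distinct destination address/port pairs (a crude scan check)."""
    targets = {}
    for msg in messages:
        m = DENY_RE.search(msg["text"])
        if m:
            targets.setdefault(m["src"], set()).add((m["dst"], int(m["dport"])))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    # Equivalent of trapping at warning level and dropping the configuration-change notice.
    received = filter_messages(SAMPLE_LOG, LEVELS["warnings"], suppressed={"111005"})
    for msg in received:
        print(f"level {msg['sev']} id {msg['id']}: {msg['text']}")
    print("possible scanners:", deny_summary(received))
```

Raising the trap level to `debugging` admits every line, including the level-7 broadcast discard that would swamp a busy server; the `suppressed` set is the script's counterpart of disabling a single routine message while leaving its level enabled.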

PIX Firewall also can act as an Inline Intrusion Detection System (IDS) and send logging messages related to this functionality. See Chapter 15, "Cisco Secure Intrusion Detection," for information on how PIX performs this role.
