PIX not logging IDS to syslog

Hi,

I recently set up IDS on my PIX 525, and it appears to be doing what it's able to do... however, the only way I'm able to see any IDS logs is by doing a "show syslog". I have a syslog server set up using kiwi, and I'm able to pick up logs in there, but nothing for IDS. Is there some setting I might be missing that's causing it not to log IDS while it logs other things? Thanks in advance!

Jon Doe

logging trap debug

That should do the trick!

Wil my 3¢

Wil

And do the trick it did! Thanks very much!

Right now though, it's trapping so much info, I'm wondering if I might need to shut it off soon. I assume logging debug isn't typically done on a continuous basis but more for troubleshooting?

Jon Doe

Didn't see the cross post before...

Logging is good, m'kay :)

I've used kiwi in the past and if I recall correctly you can set it up to capture the logs and zip them up somewhere safe at the end of the day.

If you still think that it's too much info, take some of the messages out. "no logging message XXXXXXX"

At the present I believe that I'm getting a bit more than 100 megs per pix per day, gets quite cumbersome at times but we've got it to the point that it gets logged, gets compressed, gets backed up to tape and gets sent off site. I used to take out some of the messages because of the size of the logs but found myself in a position that I needed to do some forensics and didn't have the information that I needed. IMHO disk space is much less expensive than not having your logs.

Wil my 3¢

Wil

Jon wrote on Wed, 21 Dec 2005 00:08:23 -0600:

On my 5.3 PIX 515 all IDS messages are sent at Warning level. I have a filter in Kiwi dumping these to a separate file to make it easier to trawl through them. Have you created "alarm" actions as well as drop/reset actions for your IDS audits?

Dan

Spack
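The thread's two points combined, as an added example that is not from any of the posters: which messages a given "logging trap" level lets through to the syslog server, and a filter that splits the IDS messages from the rest, as Dan describes doing in Kiwi. It assumes Cisco's documented IDS syslog layout (message IDs 4000nn, text "IDS:sig_num sig_msg from IP_addr to IP_addr on interface int_name"); the function names and the sample lines are constructed for illustration.

```python
import re

# Severity keywords accepted by "logging trap <level>"; index = syslog severity number.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

PIX_MSG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")
IDS_TEXT = re.compile(r"IDS:(?P<sig>\d+) (?P<name>.+) from (?P<src>\S+) "
                      r"to (?P<dst>\S+) on interface (?P<ifc>\S+)")

def trap_threshold(level):
    """Map a level keyword (or unambiguous prefix such as 'debug') to its number."""
    hits = [i for i, name in enumerate(LEVELS) if name.startswith(level.lower())]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous level: {level!r}")
    return hits[0]

def split_ids(lines, trap_level):
    """Return (ids_events, other_lines) for messages the trap level lets through."""
    limit = trap_threshold(trap_level)
    ids_events, other = [], []
    for line in lines:
        m = PIX_MSG.search(line)
        if not m or int(m["sev"]) > limit:
            continue  # not a PIX message, or never sent to the syslog server
        # Assumption: IDS signature messages carry IDs of the form 4000nn.
        ids = IDS_TEXT.match(m["text"]) if m["msgid"].startswith("4000") else None
        if ids:
            ids_events.append(ids.groupdict())
        else:
            other.append(line)
    return ids_events, other

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE = [
    "Dec 21 00:01:02 pix525 %PIX-4-400014: IDS:2004 ICMP echo request from 192.0.2.10 to 198.51.100.5 on interface outside",
    "Dec 21 00:01:03 pix525 %PIX-4-106023: Deny tcp src outside:192.0.2.10/4431 dst inside:198.51.100.5/23 by access-group \"acl_out\"",
    "Dec 21 00:01:04 pix525 %PIX-6-302013: Built outbound TCP connection 1201 for outside:192.0.2.80/80 (192.0.2.80/80) to inside:10.0.0.5/1025 (198.51.100.9/1025)",
    "Dec 21 00:01:05 pix525 %PIX-7-710005: UDP request discarded from 192.0.2.44/137 to outside:198.51.100.255/137",
]

if __name__ == "__main__":
    for level in ("errors", "warnings", "debug"):
        ids, other = split_ids(SAMPLE, level)
        print(f"logging trap {level}: {len(ids)} IDS, {len(other)} other")
```

On the sample, a trap level of errors forwards nothing, warnings forwards the IDS alarm plus the one other severity-4 message, and debug forwards everything.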
