PIX syslog issue

I don't see my posting about this which I submitted 2 days ago!!! Anyhow I am having issues with syslog on my pix 6.3. It does not send to my linux syslogd. I ran tcpdump and was not seeing anything.

Pix config:
logging on
logging timestamp
logging buffered warnings
logging trap debugging
logging host inside 10.60.2.129
no logging message 111005

syslog.conf:
local6.debug /var/log/level6

Any ideas? I also see the line below in my syslog.conf:
local7.* /var/log/boot.log
The comment says that this is for boot logging. Why is this? It should get a lot more info than just boot with that * .

thx

captain Zod

In article , captain Zod wrote:
:Anyhow I am having issues with syslog on my pix 6.3. It does not send
:to my linux syslogd.

Linux syslogd has to be specifically configured to allow syslog from remote devices. I do not know the appropriate command line options for this purpose.

:I ran tcpdump and was not seeing anything.

:Pix config:
:logging on
:logging timestamp
:logging buffered warnings
:logging trap debugging
:logging host inside 10.60.2.129
:no logging message 111005

That should generally work, provided that the remote system is willing to receive the packets (and is reachable.)

:syslog.conf:
:local6.debug /var/log/level6

You have not put a 'logging facility' statement into your configuration. The default is not local6 but rather local4. For local6, you would need

logging facility 22

:Any ideas?
:I also see the line below in my syslog.conf:
:local7.* /var/log/boot.log
:The comment says that this is for boot logging. Why is this? It should
:get a lot more info than just boot with that * .

That's getting a bit off topic for the cisco newsgroup, but the answer is that it would get all messages directed to the facility local7. The implication of the comment is that the only things that would -normally- send with facility local7 are the boot messages. Of course if you configure something else to send to local7 then that'd show up in the boot.log file as well.

Walter Roberson
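
Added example (not part of the thread or any poster's code): a Python sketch that decodes the <PRI> header of a received syslog line into facility and severity and tests it against a classic syslog.conf selector, showing why local6.debug only matches once the PIX sends facility 22. The sample lines, their placeholder message ID 000000 and the function names are constructed for illustration.

```python
import re

# Severity names as used in syslog.conf, most urgent first (index = severity code).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample payloads (not captured traffic); PRI = facility * 8 + severity.
SAMPLE_DEFAULT = "<165>Jan 01 2005 00:00:00: %PIX-5-000000: constructed sample"  # 20*8+5
SAMPLE_LOCAL6 = "<182>Jan 01 2005 00:00:00: %PIX-6-000000: constructed sample"   # 22*8+6


def decode_pri(message):
    """Return (facility_code, facility_name, severity_name) for a raw syslog line."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("no <PRI> header at start of message")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    # Facility codes 16-23 are local0-local7; the PIX 'logging facility' number
    # is this code (20 = local4 default, 22 = local6, as stated in the reply above).
    name = "local%d" % (facility - 16) if 16 <= facility <= 23 else "facility%d" % facility
    return facility, name, SEVERITIES[severity]


def selector_matches(selector, message):
    """True if a 'facility.level' selector would log the message.

    Simplified: one facility or '*', and a level meaning 'this severity or
    more urgent'. Comma lists and the '=' / '!' modifiers are not handled.
    """
    fac_sel, level_sel = selector.split(".", 1)
    _, fac_name, sev_name = decode_pri(message)
    if fac_sel not in ("*", fac_name):
        return False
    if level_sel == "*":
        return True
    return SEVERITIES.index(sev_name) <= SEVERITIES.index(level_sel)


if __name__ == "__main__":
    for line in (SAMPLE_DEFAULT, SAMPLE_LOCAL6):
        print(decode_pri(line),
              "local6.debug:", selector_matches("local6.debug", line),
              "local7.*:", selector_matches("local7.*", line))
```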

So sorry. I did have the line: logging facility 22 in my pix config.

:logging on
:logging timestamp
:logging buffered warnings
:logging trap debugging
:logging facility 22
:logging host inside 10.60.2.129
:no logging message 111005

I also have the syslogd running with -r option to receive messages. Though tcpdump filtered for the ip of the pix, does not show anything coming from the pix. So I really think the problem is on the pix side.

captain Zod

In article , captain Zod wrote:
:So sorry. I did have the line: logging facility 22 in my pix config.

::logging trap debugging
::logging facility 22
::logging host inside 10.60.2.129

:I also have the syslogd running with -r option to receive messages.
:Though tcpdump filtered for the ip of the pix, does not show anything
:coming from the pix. So I really think the problem is on the pix side.

Or it could be coming from a different IP address than you expect. Try filtering on udp 514 (syslog).

On the PIX side, you could set up an ACL matching syslog to the remote system, and set up a capture to see what is going out:

access-list caplog permit udp any host 10.60.2.129 eq 514
capture logcap access-list caplog interface inside

Then show capture logcap will show you the matching packets. Add the parameter 'detail' for more information. The captured packets can also be exported in pcap format for external analysis.

I have not -observed- a PIX failing to syslog, provided that there is a proper route to the log host.

Walter Roberson

This is interesting. I did as you said, and I don't get any matching output:

sho access-list caplog
access-list caplog; 1 elements
access-list caplog line 1 permit udp any host 10.60.2.129 eq syslog (hitcnt=0)
sho capture logcap
0 packet captured
0 packet shown

Before I issued these commands I did a write mem, which I believe should have generated syslog stuff. So I do think that the pix is not sending syslog!

captain Zod
