Sunday, February 14, 2010

SysLog

Logging Facilities
When syslog messages are sent to a server, it is important to indicate through which pipe the Security Appliance will send the messages. The single syslog service, syslogd, can be thought of as having multiple pipes. It uses the pipes to decide where to send incoming information based on the pipe through which the information arrives. Syslogd is a daemon/service that runs on UNIX machines. In this analogy, the logging facilities are the pipes by which syslogd decides where to send information it receives—that is, to which file to write. Eight logging facilities (16 through 23) are commonly used for syslog on the Cisco Security Appliance. On the syslog server, the facility numbers have a corresponding identification— local0 to local7. The following are the facility numbers and their corresponding syslog identification:
■ local0 (16)
■ local1 (17)
■ local2 (18)
■ local3 (19)
■ local4 (20)
■ local5 (21)
■ local6 (22)
■ local7 (23)
The default facility is local4 (20). To change the default logging facility on the Security Appliance, you use the logging facility facility command. The following command shows the logging facility changed to 21:
Pix(config)# logging facility 21

Logging Levels
Different severity levels are attached to incoming messages. You can think of these levels as indicating the type of message. A Security Appliance can be configured to send messages at different levels.
The lower the level number, the more severe the syslog message. The default severity level is 3 (error).
The level you specify causes the Cisco Security Appliance Firewall to send the messages of that level and below to the output location. For example, if you specify severity level 3 (error), a Security Appliance, such as the PIX, sends severity level 0 (emergency), 1 (alert), 2 (critical), and 3 (error) messages to the output location.

Configuring a Syslogd Server
Because syslogd was originally a UNIX concept, the features available in the syslogd products on non-UNIX systems depend on the vendor implementation. Features might include dividing incoming messages by facility or debug level or both, resolving the names of the sending devices, and reporting facilities. For information on configuring the non-UNIX syslog server, refer to the vendor’s documentation.

To configure syslog on UNIX, follow these steps:
Step 1 On SunOS, AIX, HPUX, or Solaris, as root, make a backup of the /etc/syslog.conf file before modifying it.
Step 2 Modify /etc/syslog.conf to tell the UNIX system how to sort out the syslog messages coming in from the sending devices—that is, which logging-facility.level goes in which file. Make sure there is a tab between the logging-facility.level and file-name.
Step 3 Make sure the destination file exists and is writable.
Step 4 The #Comment section at the beginning of syslog.conf usually explains the syntax for the UNIX system.
Step 5 Do not put file information in the ifdef section.
Step 6 As root, restart syslogd to pick up changes.
For example, if /etc/syslog.conf contains the entry
local7.warn /var/log/local7.warn
then warning, error, critical, alert, and emergency messages coming in on the local7 logging facility are logged in the local7.warn file. Notification, informational, and debug messages coming in on the local7 facility are not logged anywhere.
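As an added worked example (not code from the original post, Cisco, or any syslogd implementation), the following Python models the three rules described above: facility numbers 16 through 23 mapping to local0 through local7, the appliance rule that a configured level sends messages of that level and below, and a local7.warn selector in /etc/syslog.conf deciding which file a message lands in. It assumes the RFC 3164 encoding of the priority prefix, <facility*8 + severity>, which the post itself does not mention; the sample messages and the syslog.conf fragment are constructed for the example.

```python
import re

# Facility numbers 16..23 correspond to local0..local7 on the syslog server.
LOCAL_FACILITIES = {16 + i: f"local{i}" for i in range(8)}

# Severity names by number, 0 = most severe (RFC 3164 / Cisco severity levels).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Spellings commonly accepted in syslog.conf selectors, mapped to the canonical name.
SEVERITY_ALIASES = {
    "emergency": "emerg", "panic": "emerg", "critical": "crit", "error": "err",
    "warn": "warning", "notification": "notice", "informational": "info",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(message):
    """Split an RFC 3164 line into (facility, severity, body).

    The PRI field is <facility*8 + severity>; 191 is the largest legal value
    (facility 23, severity 7).
    """
    m = _PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8, m.group(2)


def severity_index(name):
    """Translate a selector level such as 'warn' or 'err' to its number."""
    return SEVERITIES.index(SEVERITY_ALIASES.get(name, name))


def appliance_sends(message_severity, trap_level=3):
    """The appliance rule: a configured level sends that level and below
    (numerically smaller, i.e. more severe). Default level 3 = error."""
    return message_severity <= trap_level


def parse_syslog_conf(text):
    """Parse 'facility.level<TAB>destination' lines into (facility, max_severity, path).

    Comments and blank lines are skipped; the selector and destination must be
    separated by a tab, as the post requires.
    """
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected selector<TAB>destination")
        selector, dest = parts
        facility, _, level = selector.partition(".")
        rules.append((facility, severity_index(level), dest))
    return rules


def route(message, rules):
    """Return the destination files a message is written to, [] if nowhere."""
    facility, severity, _ = decode_pri(message)
    name = LOCAL_FACILITIES.get(facility)
    return [dest for fac, max_sev, dest in rules
            if (fac == "*" or fac == name) and severity <= max_sev]


# Constructed sample configuration: the local7.warn example from the post.
SAMPLE_CONF = "# constructed syslog.conf fragment\nlocal7.warn\t/var/log/local7.warn\n"

# Constructed sample messages (bodies are placeholders, not real PIX message IDs).
WARNING_ON_LOCAL7 = "<188>Feb 14 2010 10:00:00 pix: constructed warning (23*8+4)"
INFO_ON_LOCAL7 = "<190>Feb 14 2010 10:00:01 pix: constructed info (23*8+6)"
ALERT_ON_LOCAL4 = "<161>Feb 14 2010 10:00:02 pix: constructed alert (20*8+1)"

if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_CONF)
    for msg in (WARNING_ON_LOCAL7, INFO_ON_LOCAL7, ALERT_ON_LOCAL4):
        fac, sev, _ = decode_pri(msg)
        print(LOCAL_FACILITIES.get(fac), SEVERITIES[sev],
              "sent by appliance at level 3:", appliance_sends(sev),
              "-> files:", route(msg, rules))
```

The `route` check is the server-side half of the picture, and `appliance_sends` the appliance-side half: a message must pass both before it appears in a file, which is why an informational message on local7 reaches no file under the local7.warn entry even though syslogd received it.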
