Saturday 24 September 2016

Pix - logging to syslog

I wanted my Pix to log to the system log on one of my servers. I thought it would be simple, but there were several things I had to get right.

On the Pix, you set the clock with

clock set 19:15:00 September 24 2016

On the Pix you tell it where you're going to log to

logging host inside xantl-in

and to timestamp the logs

logging timestamp

And that you want everything from warnings (usually some access that was denied) up to emergencies ("Your pix has caught fire" - no, I don't think there's a message for that).

logging trap warnings

So now, my Pix was sending all these messages to my server named xantl. Next, I had to tell xantl to listen out for them. To do that, I edited /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Actually, those commands were already there, but commented out, so I just removed
the # in front of them.


systemctl restart syslog

and the pix logs started appearing in /var/log/messages, which is where syslog puts everything. But I didn't want them all mixed up with the other messages, I want them in their own file. So I edited /etc/rsyslog.conf again

if $programname contains '%PIX-' then /var/log/pixlog
if $programname contains '%PIX-' then stop

And again systemctl restart syslog. And now all the pix logs go to /var/log/pixlog

There's going to be a lot of them! So I'll rotate the logs; a new log each week.  To do that, I edited /etc/logrotate.d/syslog and added:


at the start of the file.

So now  all the pix messages are saved on my server, and I can check them to see that everything is as I want it to be.

Job done!

Jpb done!

No comments:

Post a Comment