Logging to FreeBSD Syslog
Logging to a FreeBSD syslog server is easy…
First you want to enable NTP on the PIX to keep the clock synced:
Select a couple of appropriate time servers near you. You can get a list here.
Then use the following syntax:
[no] ntp server ip_address [key number] source if_name [prefer]
NTP authentication is optional, and if you use a public NTP server it is not needed. For a full explanation of NTP usage on a PIX, go here.
In my situation I used the following to sync with tick and tock.usno.navy.mil:
ntp server 192.5.41.40 source outside prefer
ntp server 192.5.41.41 source outside
To enable logging on the PIX, use the following commands:
logging on
logging timestamp
logging standby
logging monitor level
logging trap level
logging facility facility
logging host inside ip_address (inside is the interface that faces the syslog server; ip_address is the server's address)
Now set up your FreeBSD box to sync time by installing the latest Network Time Protocol distribution from the ports tree (in my case, ntp-4.2.0_1):
cd /usr/ports/net/ntp
make && make install distclean
Then create a configuration file for NTP:
ee /etc/ntp.conf
My ntp.conf file reads (and matches the NTP servers my PIX uses):
server 192.5.41.40 prefer
server 192.5.41.41
driftfile /etc/ntp.drift
Then set ntpd to launch at boot through /etc/rc.conf by adding the following lines (rc.conf holds variable assignments, not commands; ntpd_enable is the knob that starts ntpd and ntpd_flags carries its options):
ntpd_enable="YES"
ntpd_flags="-c /etc/ntp.conf"
While you’re editing it, add the following line to /etc/rc.conf:
syslogd_flags="-a 192.168.98.253 -a 192.168.99.253 -a 192.168.100.253"
The -a switch authorizes that IP address to send syslog messages to the server. FreeBSD's default syslogd_flags is -s, which refuses all remote messages; this line replaces it, and once any -a switch is given, syslogd accepts remote messages only from the listed peers. For every PIX that should be able to send, include a separate -a switch. In the above example, three PIX can send syslog messages.
If you are going to monitor multiple PIX, the best way to do this is to set each PIX to send with a different syslog facility. The default facility is local4 (20). To change it, use the following command on your PIX:
logging facility facility
The PIX uses two-digit numbers to indicate the facility: 16 = local0, 17 = local1, 18 = local2, and so on through 23 = local7.
Once you have each PIX sending at a unique facility, you need to tell syslogd to file each facility into its own log file. This way you can have separate log files for each PIX.
Edit /etc/syslog.conf with vi, because other editors may replace the tabs between fields with spaces, which can interfere with how syslogd parses the file.
At the top of syslog.conf add lines similar to the following for each PIX:
local6.alert;local6.crit;local6.err           /var/log/lapix/lapix.log
local6.debug;local6.info                       /var/log/lapix/lapix.info.log
In the above entry, I tabbed between fields. I’ve also specified what message IDs I want to go to what log file. I do this because some of my firewalls are chatty and the log files can grow to 120 MB or more and take a while to grep through. By splitting up the log files, I can grep and awk through them much quicker.
Once you have made changes to syslog.conf, issue the following command to have syslog restart with the new configs:
killall -HUP syslogd
To rotate logs every night at midnight, I use /etc/newsyslog.conf. Place the following entries in your newsyslog.conf:
/var/log/lapix/lapix.log 644 365 * @T00 Z
This will rotate your logs at midnight and gzip the old logs to save space. If you are going to monitor multiple PIX, I strongly recommend setting a naming convention similar to the above for the log files. This will make writing log report scripts much easier.
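As an added example that is not part of this post, here is a POSIX sh script that generates the per-PIX fragments described above (the facility-number-to-localN mapping, the syslogd_flags line with one -a per PIX, tab-separated syslog.conf lines, and newsyslog.conf rotation entries) from a small inventory. The inventory is constructed sample data: the host names and facility numbers are assumptions, and the addresses are the three from the rc.conf line above. The function names are mine, not anything from FreeBSD or the PIX.

```shell
#!/bin/sh
# Added example (not from the original post): generate per-PIX syslog
# configuration fragments from a small inventory. The host names, addresses
# and facility numbers below are constructed sample data.

# One PIX per line: "name ip pix_facility_number".
PIX_INVENTORY='lapix 192.168.98.253 22
nypix 192.168.99.253 21
sfpix 192.168.100.253 20'

# Map the PIX numeric facility (16..23) to the syslog.conf name local0..local7.
# Anything outside that range is rejected so a typo cannot silently route one
# firewall's messages into another firewall's log file.
facility_name() {
    case "$1" in
        1[6-9]|2[0-3]) echo "local$(( $1 - 16 ))" ;;
        *) echo "invalid PIX facility: $1" >&2; return 1 ;;
    esac
}

# rc.conf line: one -a (allowed peer) per PIX, so only those addresses may
# deliver remote messages to syslogd.
syslogd_flags_line() {
    echo "$PIX_INVENTORY" | awk '
        BEGIN { printf "syslogd_flags=\"" }
        { printf "%s-a %s", (NR > 1 ? " " : ""), $2 }
        END { printf "\"\n" }'
}

# syslog.conf lines, tab-separated. A bare level such as local6.err matches
# that level and everything more severe; the info file uses exact-level (=)
# selectors so that error messages are not written to both files.
syslog_conf_lines() {
    echo "$PIX_INVENTORY" | while read -r name ip fac; do
        f=$(facility_name "$fac") || exit 1   # leaves the pipeline subshell
        printf '%s.err\t/var/log/%s/%s.log\n' "$f" "$name" "$name"
        printf '%s.=warning;%s.=notice;%s.=info;%s.=debug\t/var/log/%s/%s.info.log\n' \
            "$f" "$f" "$f" "$f" "$name" "$name"
    done
}

# newsyslog.conf entries: rotate at midnight (@T00), keep 365 archives, gzip (Z).
newsyslog_conf_lines() {
    echo "$PIX_INVENTORY" | while read -r name ip fac; do
        printf '/var/log/%s/%s.log\t644\t365\t*\t@T00\tZ\n' "$name" "$name"
        printf '/var/log/%s/%s.info.log\t644\t365\t*\t@T00\tZ\n' "$name" "$name"
    done
}

# Print everything so it can be pasted into the respective files.
echo '# /etc/rc.conf';        syslogd_flags_line
echo '# /etc/syslog.conf';    syslog_conf_lines
echo '# /etc/newsyslog.conf'; newsyslog_conf_lines
```

After pasting the syslog.conf lines, create the /var/log/NAME directories and send syslogd a HUP as described above. The exact-level selectors matter: a bare local6.info means "info and more severe", so a second file keyed on it would receive every error message as well as the informational ones.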
Now we have a syslog server receiving our PIX logs, filing them in a separate log file for each PIX and additionally separating each PIX’s log file into separate categories (if desired, but not necessary).
Now we can write shell scripts to parse through our PIX logs and generate HTML reports of what is going on with our PIX. I’m developing some Kiwi-like reports for mine that give me a “big picture” view of the health of all of my PIX firewalls. Once I have it polished I’ll post it.
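As an added example that is not part of this post (the author's report scripts are not published here), the following POSIX shell script uses awk and sort, as the post suggests, to turn a PIX log file into a short text report: message counts by PIX message ID, and the source addresses and destination ports most often denied by an access list (PIX message 106023). The six log lines are constructed sample data in the shape FreeBSD syslogd writes when the PIX has logging timestamp enabled; the addresses are documentation ranges and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a PIX syslog file with
# awk. The log lines below are constructed sample data; the surrounding format
# is "syslogd timestamp, sender, PIX timestamp, %PIX-severity-id: text".

sample_log() {
cat <<'EOF'
Mar  5 00:01:02 192.168.98.253 Mar 05 2004 00:01:02: %PIX-4-106023: Deny tcp src outside:203.0.113.7/4412 dst inside:192.168.98.10/445 by access-group "outside_in"
Mar  5 00:01:03 192.168.98.253 Mar 05 2004 00:01:03: %PIX-6-302013: Built outbound TCP connection 8812 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:192.168.98.15/3344 (192.0.2.1/1025)
Mar  5 00:01:04 192.168.98.253 Mar 05 2004 00:01:04: %PIX-4-106023: Deny tcp src outside:203.0.113.7/4413 dst inside:192.168.98.10/139 by access-group "outside_in"
Mar  5 00:01:05 192.168.98.253 Mar 05 2004 00:01:05: %PIX-6-302014: Teardown TCP connection 8812 for outside:198.51.100.20/80 to inside:192.168.98.15/3344 duration 0:00:02 bytes 1532 TCP FINs
Mar  5 00:01:06 192.168.98.253 Mar 05 2004 00:01:06: %PIX-4-106023: Deny tcp src outside:198.51.100.9/55000 dst inside:192.168.98.10/22 by access-group "outside_in"
Mar  5 00:01:07 192.168.98.253 Mar 05 2004 00:01:07: %PIX-6-302013: Built outbound TCP connection 8813 for outside:198.51.100.21/443 (198.51.100.21/443) to inside:192.168.98.16/3345 (192.0.2.1/1026)
EOF
}

# Count messages per PIX message ID (%PIX-severity-id). The ID token is found
# by pattern rather than by field position, so the count is unaffected by
# whether the PIX prepends its own timestamp.
count_by_msgid() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^%PIX-[0-7]-[0-9]+:$/) { sub(/:$/, "", $i); n[$i]++; break }
    }
    END { for (id in n) print n[id], id }' | sort -rn
}

# Source addresses most often denied by an access list (message 106023).
# The token after "src" looks like interface:address/port.
top_denied_sources() {
    awk '/%PIX-4-106023:/ {
        for (i = 1; i <= NF; i++)
            if ($i == "src") { split($(i + 1), a, "[:/]"); n[a[2]]++ }
    }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Destination ports most often denied: a quick view of what is being probed.
top_denied_ports() {
    awk '/%PIX-4-106023:/ {
        for (i = 1; i <= NF; i++)
            if ($i == "dst") { split($(i + 1), a, "[:/]"); n[a[3]]++ }
    }
    END { for (p in n) print n[p], p }' | sort -rn
}

# Full text report; the log is read once and fed to each counter.
pix_report() {
    data=$(cat)
    echo "== messages by ID ==";             printf '%s\n' "$data" | count_by_msgid
    echo "== denied sources ==";             printf '%s\n' "$data" | top_denied_sources
    echo "== denied destination ports =="; printf '%s\n' "$data" | top_denied_ports
}

# Against a real file: pix_report < /var/log/lapix/lapix.log
sample_log | pix_report
```

Because the split syslog.conf above already files error-level messages (which is where the 106023 denies land) in their own file, running the report against NAME.log rather than NAME.info.log keeps it fast even for a chatty firewall.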