[SGVLUG] PIX Logging to syslog

Joel Witherspoon joel.witherspoon at gmail.com
Mon Apr 2 21:46:41 PDT 2007


Are you sure you restarted syslogd after modifying your config files?

Yep. Several times. Ran syslog -d as well. It doesn't show as writing to a
file.

Do you have a local firewall on your receiving server?  I use
shorewall so I had to add an explicit rule to allow udp 514 packets.

Took iptables down. SELinux isn't even installed. I can see the UDP traffic
coming in, but I can't get it to write to file.

On 4/2/07, Claude Felizardo <cafelizardo at gmail.com> wrote:
>
> On 3/30/07, Joel Witherspoon <joel.witherspoon at gmail.com> wrote:
> > Hey all, I need some help.
> >
> > I have a Pix FW using Local4.warning on UDP 514 and I want to send it to
> a
> > log file on my CentOS Linux server using Splunk. Syslog starts with the
> > options -m 0 -r. I've config'd the syslog to send Local4.* to
> > /var/log/pix.log. The Pix sends the syslog to the server and it shows in
> > Splunk as a UDP source, but I can't log the info to the file. I've tried
> > debug using syslogd -d with no errors or traffic on, or to, that file.
> >
> > Here's the file information and rights.
> > -rw-r--r--  1 root root 0 Mar 29 15:52 pix.log
> >
> > and the line from syslog.conf
> >
> > # Log messages from the Pix Firewall
> > local4.*
> > /var/log/pix.log
> >
> > Any help or insight would be much appreciated.
> >
>
> Don't know what Splunk is but I do something similar on my Mandriva
> machines.
>
> Are you sure you restarted syslogd after modifying your config files?
>
> Do you have a local firewall on your receiving server?  I use
> shorewall so I had to add an explicit rule to allow udp 514 packets.
>
> btw, from my router, I do a broadcast (last octet is 255) so any
> machine listening to the syslog udp port will get the log messages.
> The idea is to hide the IP of the logging machine so if someone breaks
> into your FW, they won't necessarily know where to look for the remote
> logger.
>
> Oh, another thing I do is send a copy of the logs to /dev/tty11 so I
> can switch to that console and look at the last screen's worth of
> logs.  But watch out, I think I crashed my server once when I left
> it on tty11.   Not sure if I had hit scroll lock before going to bed
> and the kernel panicked when it ran out of buffers or perhaps it was
> when I was sharing the monitor with my desktop with one of those KVM
> switches and my wife started hitting keys at random to swap computers.
> I've since put the server in another room w/ a dedicated monitor.
>
> claude
>
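The PIX datagrams reach the server but nothing matches the local4.* selector. One check worth making before blaming the file or syslogd itself: decode the <PRI> prefix of a captured datagram into its facility and severity and evaluate it against the selector exactly as classic syslog.conf would, to confirm the firewall really tags its messages as local4. This is added example code, not part of the thread or of any syslogd; the sample datagrams are constructed.

```python
import re

# Facility and severity codes from the BSD syslog protocol (PRI = facility * 8 + severity).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(datagram):
    """Return (facility, severity) names decoded from the <PRI> prefix, or None if absent."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITY_NAMES.get(facility, "facility%d" % facility), SEVERITY_NAMES[severity]


def selector_matches(selector, facility, severity):
    """Evaluate a classic syslog.conf selector such as 'local4.*' or '*.info;local4.none'.
    'fac.prio' means prio and every more severe level; '*' matches all; 'none' matches nothing.
    Semicolon-separated parts are applied in order, so a later part overrides an earlier one."""
    matched = False
    for part in selector.split(";"):
        facs, prio = part.split(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        else:
            matched = SEVERITIES[severity] <= SEVERITIES[prio]
    return matched


# Constructed sample datagrams: two as a PIX logging to local4 would send them, one from elsewhere.
SAMPLE_DATAGRAMS = [
    "<164>Mar 30 15:52:01 pixfw constructed local4.warning test message",
    "<166>Mar 30 15:52:02 pixfw constructed local4.info test message",
    "<36>Mar 30 15:52:03 host constructed auth.warning message, not from the PIX",
]


def route(datagrams, selector="local4.*"):
    """Return the datagrams that the given selector would write to its log file."""
    kept = []
    for d in datagrams:
        decoded = parse_pri(d)
        if decoded and selector_matches(selector, *decoded):
            kept.append(d)
    return kept
```

If a datagram captured with tcpdump decodes to a facility other than local4, the selector is what needs changing, not the file permissions.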