[SGVLUG] PIX Logging to syslog
Claude Felizardo
cafelizardo at gmail.com
Tue Apr 3 16:04:33 PDT 2007
so which machine did you reboot? The FW or the syslog server? Is Pix
a brand or or model? Did you change the if-eth0 on the FW or server?
If you had to change the IP on the server and the FW was sending to
the wrong IP, then consider using a broadcast address. You'll be able
to capture the logs on any machine on the same subnet w/o having to
touch the FW. This makes it easy to migrate to a new server - you
can have as many as you want running at the same time, all capturing
the logs. Remember that UDP isn't as expensive as TCP which has the
overhead of setting up and tearing down connections.
claude
On 4/3/07, Joel Witherspoon <joel.witherspoon at gmail.com> wrote:
> Wow. Just...wow. I made a total rook mistake from the "Why didn't I think of
> this before?" file. I had to change the IP address in
> /etc/sysconfig/network-scripts/if-eth0 from DHCP to a
> static IP. Rebooted the box; now it works fine. I need a drink.
>
>
> On 4/3/07, Claude Felizardo <cafelizardo at gmail.com> wrote:
> > On 4/2/07, Joel Witherspoon <joel.witherspoon at gmail.com> wrote:
> > >
> > > Are you sure you restarted syslogd after modifying your config files?
> > >
> > > Yep. Several times. Ran syslog -d as well. It doesn't show as writing to
> a
> > > file.
> > >
> > > Do you have a local local firewall on your receiving server? I use
> > > shorewall so I had to add an explicit rule to allow udp 514 packets.
> > >
> > > Took iptables down. SELinux isn't even installed. I can see the UDP
> traffic
> > > coming in, but I can't get it to write to file.
> >
> > [snip]
> >
> > Okay, just going through a check list here. Are you sure there is
> > space on the device? Permission problems? mounted read-only?
> >
> > perhaps there's an error in your config file. Are any of the other
> > logs being updated? Here's are my entries for my router:
> >
> > ## log router messages
> > local6.*
> > -/var/log/router.log
> > local6.* /dev/tty11
> >
> > I believe the dash prefixed to the filename means syslogd should flush
> > after each write to prevent messages from getting lost during a crash.
> > Probably not needed and should not be used for a high rate log.
> >
> > regarding iptables. with shorewall, even if you shut it down, it
> > still leaves some default rules that filter things out. Have you
> > tried a simple reboot? Perhaps something else got hosed?
> >
> > claude
> >
>
>
More information about the SGVLUG
mailing list