We have this Sun Solaris that we use for SYSLOG. Existing firewalls send warning level to this SYSLOG and it works great. We added a new firewall, I pointed the firewall to this SYSLOG server but nothing is being logged (windows KIWI works but not UNIX & I dont like KIWI). I am wondering what to do to fix this issue.. not sure what to look for or do... I went to /etc/syslog.conf and added the top line local5. The others were already there.
local5.debug /pix/dcpixlog
local4.debug /pix/pixlog
local3.debug /usr/log/cache/cachelog
local2.debug /var/log/ras/raslog
local1.debug /var/log/vpn/vpnlog
I then to /pix and see pixlog but not dcpixlog. I used touch to create a 0 size dcpixlog & tried restarting syslog but nothing gets logged. Can you please help?
What model are those firewalls? How are you pointing new firewall to Solaris logserver? Can you compare syslog configuration on old firewall with the new one?
Thank you for the response... These are Cisco ASA5585...same as the other firewalls. They both send logs to UNIX and KIWI syslog servers. KIWI gets the logs but it seems as in UNIX, you have to somehow make it accept logs (I am not sure if this statement is true or not). Here is the FW log config that works on UNIX...
logging enable
logging timestamp
logging console debugging
logging monitor debugging
logging buffered notifications
logging trap informational
logging history warnings
logging device-id context-name
logging host inside 10.213.208.41
logging host inside 10.213.9.10
!
Here is the log config on FW that does not work with UNIX (.208.41) & works with KIWI (9.10). The log levels are diff (notice: log facility)...
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging facility 22
logging device-id hostname
logging host inside 10.213.208.41
logging host inside 10.213.9.10
Well, I'm not familiar with CISCO firewalls configuration, but you might try setting the logging configuration on new firewall to match exactly the one on the old one. Additionally, can you post output of
ipfstat -io
from Solaris logserver (it will show if Solaris integrated firewall is setup)?
Thanks again. I ran the command but here is what I get.
$ ipfstat -io
ksh: ipfstat: not found
!
I suspect this has something to do with facility no. All my other firewalls dont mention facility no (I found by def they are 20 which is what UNIX is set to)..these FW are set to Facility 23. Would you know how I can find what facility is our UNIX running...also, is there a way, I can add new facility for this new FW so that I can run both facility 20 and 23? I check /etc/syslog.conf and dont see any mention of facility. Thank you!!!!
Did you run this command on Solaris machine? What does this say there:
uname -a
Here is the output:
$ uname -a
SunOS svariwnsl01 5.9 Generic_118558-34 sun4u sparc SUNW,Sun-Fire-V210
!
By the way, on the sun I ran "tail -f pixlog | grep 10.212." with no changes and of course no output...but the minute I logged into firewall and changed facility (no logg facility 22"), the UNIX started showing ton of syslog. So, it has to do with UNIX accepting default Syslog 20 facility and this firewall is set to 22. Since our HQ is set to pull logs via facility 22...is there a way to set the SYSLOG on Sun to pull both Facility 20 and Facility 22?
I'm not sure... Can you post full output of /etc/syslog.conf? Check this site: Configuring Cisco Devices to Use a Syslog Server > An Overview of the syslog Protocol | Cisco Press
Specifies the syslog facility number. Instead of specifying the name, the PIX uses a 2-digit number, as follows:
local0 - 16
local1 - 17
local2 - 18
local3 - 19
local4 - 20
local5 - 21
local6 - 22
local7 - 23
Thank you so much!!!!!!!! Do I do this on /etc/syslog.conf?? I looked and a part looks like this:
local5.debug /pix/dcpixlog
local4.debug /pix/pixlog
local3.debug /usr/log/cache/cachelog
local2.debug /var/log/ras/raslog
local1.debug /var/log/vpn/vpnlog
!
The local5 is what I added just a few days ago...The local1 and local2 are no longer used. Not sure about local3...local4 is most important that is all existing FW. Supposedly the local5 was for new FW. Do, I comment all above and add what you wrote?
Facility 22 on the new Cisco firewall means local6 facility in Solaris log server. You should add this to /etc/syslog.conf:
local6.debug /pix/new_firewall.log
Modify /pix/new_firewall.log file/path name to your liking. After that restart syslog:
/etc/init.d syslog stop
/etc/init.d syslog start
Thank you so much... I will try this now.
---------- Post updated at 04:46 PM ---------- Previous update was at 11:12 AM ----------
****bartus11**** God Bless you man.
All of my logging are working....Thank you so much for your help!!!!