[SGVLUG] PIX Logging to syslog

[Claude Felizardo]

On 3/30/07, Joel Witherspoon <joel.witherspoon at gmail.com> wrote:
> Hey all, I need some help.
>
> I have a Pix FW using Local4.warning on UDP 514 and I want to send it to a
> log file on my CentOS Linux server using Splunk. Syslog starts with the
> options -m 0 -r. I've config'd the syslog to send Local4.* to
> /var/log/pix.log. The Pix sends the syslog to the server and it shows in
> Splunk as a UDP source, but I can't log the info to the file. I've tried
> debug using syslogd -d with no errors or traffic on, or to, that file.
>
> Here's the file information and rights.
> -rw-r--r--  1 root root 0 Mar 29 15:52 pix.log
>
> and the line from syslog.conf
>
> # Log messages from the Pix Firewall
> local4.*
> /var/log/pix.log
>
> Any help or insight would be much appreciated.
>

Don't know what Splunk is but I do something similar on my Mandriva machines.

Are you sure you restarted syslogd after modifying your config files?

Do you have a local local firewall on your receiving server?  I use
shorewall so I had to add an explicit rule to allow udp 514 packets.

btw, from my router, I do a broadcast (last octet is 255) so any
machine listening to the syslog udp port will get the log messages.
The idea is to hide the IP of the logging machine so if someone breaks
into your FW, they won't necessarily know where to look for the remote
logger.

Oh, another thing I do is send a copy of the logs to /dev/tty11 so I
can switch to that console and look at the last screen's worth of
logs.  But watch out, i think I crashed the my server once when I left
it on tty11.   Not sure if I had hit scroll lock before going to bed
and the kernel panicked when it ran out of buffers or perhaps it was
when I was sharing the monitor with my desktop with one of those KVM
switches and my wife started hitting keys at random to swap computers.
 I've since put the server in another room w/ a dedicated monitor.

claude