[SGVLUG] PIX Logging to syslog
Joel Witherspoon
joel.witherspoon at gmail.com
Tue Apr 3 19:04:08 PDT 2007
Rebooted the syslog box. The Pix was correct, the syslog was not.
On 4/3/07, Claude Felizardo <cafelizardo at gmail.com> wrote:
>
> so which machine did you reboot? The FW or the syslog server? Is Pix
> a brand or or model? Did you change the if-eth0 on the FW or server?
>
> If you had to change the IP on the server and the FW was sending to
> the wrong IP, then consider using a broadcast address. You'll be able
> to capture the logs on any machine on the same subnet w/o having to
> touch the FW. This makes it easy to migrate to a new server - you
> can have as many as you want running at the same time, all capturing
> the logs. Remember that UDP isn't as expensive as TCP which has the
> overhead of setting up and tearing down connections.
>
> claude
>
>
>
> On 4/3/07, Joel Witherspoon <joel.witherspoon at gmail.com> wrote:
> > Wow. Just...wow. I made a total rook mistake from the "Why didn't I
> think of
> > this before?" file. I had to change the IP address in
> > /etc/sysconfig/network-scripts/if-eth0 from DHCP to a
> > static IP. Rebooted the box; now it works fine. I need a drink.
> >
> >
> > On 4/3/07, Claude Felizardo <cafelizardo at gmail.com> wrote:
> > > On 4/2/07, Joel Witherspoon <joel.witherspoon at gmail.com> wrote:
> > > >
> > > > Are you sure you restarted syslogd after modifying your config
> files?
> > > >
> > > > Yep. Several times. Ran syslog -d as well. It doesn't show as
> writing to
> > a
> > > > file.
> > > >
> > > > Do you have a local local firewall on your receiving server? I use
> > > > shorewall so I had to add an explicit rule to allow udp 514 packets.
> > > >
> > > > Took iptables down. SELinux isn't even installed. I can see the UDP
> > traffic
> > > > coming in, but I can't get it to write to file.
> > >
> > > [snip]
> > >
> > > Okay, just going through a check list here. Are you sure there is
> > > space on the device? Permission problems? mounted read-only?
> > >
> > > perhaps there's an error in your config file. Are any of the other
> > > logs being updated? Here's are my entries for my router:
> > >
> > > ## log router messages
> > > local6.*
> > > -/var/log/router.log
> > > local6.* /dev/tty11
> > >
> > > I believe the dash prefixed to the filename means syslogd should flush
> > > after each write to prevent messages from getting lost during a crash.
> > > Probably not needed and should not be used for a high rate log.
> > >
> > > regarding iptables. with shorewall, even if you shut it down, it
> > > still leaves some default rules that filter things out. Have you
> > > tried a simple reboot? Perhaps something else got hosed?
> > >
> > > claude
> > >
> >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.sgvlug.net/pipermail/sgvlug/attachments/20070403/fe096af4/attachment.html
More information about the SGVLUG
mailing list