Cisco PIX Logging: Debugging to Emergency
This article outlines how to set up logging on your PIX, viewable on a syslog server or through the show log statement. This information is targeted toward the more recent versions of PIX IOS; the older versions work along the same concept but have some different commands.
Logging is rated on 8 different levels. “0” or Emergency is for catastrophic errors like shutdown or loss of connectivity to the inside. Level “7” is debugging information: REALLY in-depth information on even the smallest detail. Debugging should only be used for short periods of time to isolate an issue because it generates so much information. Whatever logging level you use, it will automatically log the lower levels as well. For example, a good place to start is logging level 4, the warning level. A good thing to remember is that when you set logging 4, you get levels 3, 2, 1 and 0 as well.
0 – Emergency
1 – Alert
2 – Critical
3 – Error
4 – Warning
5 – Notification
6 – Informational
7 – Debugging
Next is the logging facility. The PIX can have eight different logging facilities or “profiles”. For example, you can set up logging facility 1 as your normal, everyday syslog information. You set the LEVEL inside the logging facility, so let's use level 4 for this example. Now say you want just catastrophic messages sent directly to another computer: you set a different “profile” (i.e. local2) to report level 0 messages. You don’t need to set this specifically if you want to use just one profile; it will default to a generic “local0” I think.
Next, if you want to know what time the errors occur, you need to set time-stamping (explained below). Logging can be displayed a couple of different ways. Traps are sent to a syslog host, and a copy is also kept in the buffer of the PIX. You can also set the messages to scroll across the screen (extremely annoying); in fact, when you first set the device up, it's the default. Now to wrap it all up, get into global config and:
* turns logging on (duh!); I think it also defaults to level 3 for messages.
logging host inside xxx.xxx.xxx.xxx
* the IP of the syslog server you are sending this info to and the interface (inside in this case) that it is through.
* attaches a time to the message
logging buffered error
* the highest level of messages that will be kept in the buffer (level 3 or “error” in this case)
logging trap warning
* the highest level of messages to be sent to the syslog server (level 4 or “warning” in this case)
* this will show you a recent list of messages in the buffer of the PIX
* will show you your current logging settings
* clear the messages in the buffer
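To see the level and facility settings from the receiving end, here is an added example (not part of the original article, and not Cisco code) of how a script on the syslog host can decode what the PIX sends and check which messages a given trap level lets through. It assumes the standard syslog PRI header (facility * 8 + severity) and the `%PIX-<level>-<message number>:` tag; the function names and the sample lines are constructed for illustration.

```python
import re

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notification", "Informational", "Debugging"]

# <PRI>, optional timestamp text, then %PIX-<level>-<message number>: text
LINE_RE = re.compile(r"^<(\d{1,3})>.*?%PIX-([0-7])-(\d+): (.*)$")

def parse(line):
    """Decode one syslog line; return None if it is not a consistent PIX message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    if facility > 23 or severity != int(m.group(2)):
        return None  # header level disagrees with the %PIX tag: malformed or forged
    name = f"local{facility - 16}" if facility >= 16 else str(facility)
    return {"facility": name, "level": severity,
            "level_name": SEVERITIES[severity],
            "msg_id": m.group(3), "text": m.group(4)}

def forwarded(lines, threshold):
    """Messages a trap level of `threshold` lets through: that level and every lower number."""
    records = [r for r in map(parse, lines) if r is not None]
    return [(r["level_name"], r["msg_id"]) for r in records if r["level"] <= threshold]

# Constructed sample lines; addresses are documentation ranges.
SAMPLES = [
    "<132>Mar 01 2005 10:15:02: %PIX-4-106023: Deny tcp src outside:198.51.100.7/4021 dst inside:192.0.2.10/23",
    "<134>Mar 01 2005 10:15:03: %PIX-6-302013: Built inbound TCP connection 1201 for outside:198.51.100.7/4022",
    "<131>Mar 01 2005 10:15:04: %PIX-3-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:192.0.2.10",
    "<146>Mar 01 2005 10:15:05: %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/4023 to 192.0.2.10/80",
    "<134>Mar 01 2005 10:15:06: %PIX-2-106001: header says level 6, tag says level 2",
    "<13>Mar  1 10:15:07 host sshd[311]: session opened",
]

if __name__ == "__main__":
    for threshold in (4, 7):
        print(SEVERITIES[threshold], forwarded(SAMPLES, threshold))
```

With the threshold at 4 (warning), the level 6 connection message is dropped while levels 4, 3 and 2 come through; the last two sample lines are rejected because one has a header that disagrees with its tag and the other is not a PIX message.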
In conclusion, this should get you up and going as far as logging on a PIX. There’s a lot more you can do with this, and I’d suggest getting on cisco.com to further explore the topic. Hopefully this gets you up and going.