Cisco PIX Logging: Debugging to Emergency

Posted February 9, 2007 by aaronm in Cisco firewall

This article outlines how to set up logging on your PIX, either sent to a syslog server or viewed through the show log command. It targets the more recent versions of PIX IOS; older versions follow the same concept but use some different commands.

Logging has 8 levels. Level “0”, Emergency, is for catastrophic errors such as a shutdown or loss of connectivity to the inside. Level “7” is debugging: REALLY in-depth information on even the smallest detail. Debugging should only be used for short periods of time to isolate an issue, because it generates so much output. Whatever level you set, the PIX also logs every more severe (numerically lower) level. For example, a good place to start is level 4, the warning level; when you set logging 4, you get levels 3, 2, 1 and 0 as well.

0 – Emergency
1 – Alert
2 – Critical
3 – Error
4 – Warning
5 – Notification
6 – Informational
7 – Debugging

Next is the logging facility. The PIX can have eight different logging facilities, or “profiles”. For example, you can set up logging facility 1 as your normal, everyday syslog information. You set the LEVEL inside the logging facility, so let's use level 4 for this example. Now say you want just the catastrophic messages sent directly to another computer, so you set a different “profile” (e.g. local2) to report level 0 messages. You don't need to set this specifically if you want to use just one profile; it will default to a generic “local0”, I think.

Make sense?

Next, if you want to know what time the errors occur, you need to set time-stamping (explained below). Logging can be displayed a couple of different ways. Traps are sent to a syslog host, and a copy is also kept in the buffer of the PIX. You can also set the messages to scroll across the screen (extremely annoying); in fact, when you first set the device up, that is the default. Now to wrap it all up, get into global config and enter:

logging on
* turns logging on (duh!); I think it also defaults to level 3 for messages.

logging host inside <syslog-server-ip>
* the interface the syslog server is reached through (inside in this case) and the IP of the syslog server you are sending this info to

logging timestamp
* attaches a time to the message

logging buffered error
* the highest level of messages that will be kept in the buffer (level 3 or “error” in this case)

logging trap warning
* the highest level of messages to be sent to the syslog server (level 4 or “warning” in this case)

show log
* this will show you a recent list of messages in the buffer of the PIX

show logging
* will show you your current logging settings

clear log
* clear the messages in the buffer
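As an added example (not part of the original post), here is a small Python filter that applies the level semantics above to PIX-format syslog lines: it parses the `%PIX-<level>-<message id>` prefix (with the timestamp that `logging timestamp` adds) and keeps only the messages a given `logging trap` or `logging buffered` threshold would admit. The sample lines are constructed for illustration, not captured from a device.

```python
import re
from typing import Dict, List, Optional, Union
# The eight PIX severity levels; lower number = more severe.
SEVERITY: Dict[str, int] = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "informational": 6, "debugging": 7,
}

# One PIX syslog line: an optional "Mon dd yyyy hh:mm:ss: " prefix (present once
# "logging timestamp" is on), then "%PIX-<level>-<message id>: <text>".
PIX_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%PIX-(?P<level>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

def level_number(level: Union[int, str]) -> int:
    """Accept a level as a number 0-7 or by name ('warning', 'Errors', 'emergencies')."""
    if isinstance(level, int):
        if not 0 <= level <= 7:
            raise ValueError(f"severity out of range: {level}")
        return level
    # Match on the leading characters so the plural keyword forms are accepted too.
    hits = [v for k, v in SEVERITY.items() if k.startswith(level.strip().lower()[:4])]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous severity name: {level!r}")
    return hits[0]

def parse_pix_message(line: str) -> Optional[dict]:
    """Split one line into timestamp, level, message id and text; None if not PIX format."""
    m = PIX_RE.match(line.strip())
    if not m:
        return None
    return {"timestamp": m.group("ts"), "level": int(m.group("level")),
            "msgid": m.group("msgid"), "text": m.group("text")}

def filter_messages(lines: List[str], threshold: Union[int, str]) -> List[str]:
    """Keep what 'logging trap|buffered <threshold>' would pass: levels 0..threshold only."""
    limit = level_number(threshold)
    return [ln for ln in lines if (m := parse_pix_message(ln)) and m["level"] <= limit]

# Constructed sample lines in PIX syslog format (not captured from a real device).
SAMPLE_LOG = [
    'Feb 09 2007 13:45:10: %PIX-4-106023: Deny tcp src outside:203.0.113.7/4412 dst inside:192.0.2.10/445 by access-group "outside_in"',
    "Feb 09 2007 13:45:11: %PIX-6-302013: Built inbound TCP connection 1183 for outside:203.0.113.7/4413 (203.0.113.7/4413) to inside:192.0.2.10/80 (198.51.100.2/80)",
    "Feb 09 2007 13:45:12: %PIX-5-111008: User 'enable_15' executed the 'logging trap warnings' command.",
    "Feb 09 2007 13:45:13: %PIX-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.",
]

if __name__ == "__main__":
    for ln in filter_messages(SAMPLE_LOG, "warning"):  # what "logging trap warning" forwards
        print(ln)
```

Run against the sample, a “warning” threshold keeps the level 4 and level 1 lines and drops the level 5 and 6 ones, which is exactly the inclusion rule described above.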

In conclusion, this should get you up and going as far as logging on a PIX. There's a lot more you can do with it, and I'd suggest going on to explore the topic further.

Good luck!
