LinuxQuestions.org


jce23 09-09-2004 02:02 PM

Cisco PIX syslog problems
 
I had been using RH9 to capture the logs from our PIX. Since RH9 is no longer supported and we're a primarily Novell shop, I went to SLES 8. Syslog is capturing the PIX logs, but SLES 8 is generating a TON of traffic through the PIX and out to the internet. It seems to be trying to build UDP translation paths for just about every port. A business day worth of logging can grow the file to ~1GB!!

Any ideas as to what may cause all this spurious traffic?

chort 09-09-2004 04:39 PM

What's the source port and destination port of the unexpected traffic? It might be trying to do DNS resolution on the hostname of the PIX every time it gets an entry via syslog. What you would see would be a nearly endless stream of traffic starting from high ports on your Linux box going to various hosts on the Internet, destination port 53.

jce23 09-10-2004 07:43 AM

That's just the thing, I think if there was some consistency it might be easier to find the problem. The ports are incrementing on each new entry.
For example, 'built udp translation path from host/45678 to host/17455'.

chort 09-11-2004 12:11 AM

Hmmm, is all this traffic sourced from the Linux box? Is it possible that syslog.conf on the SuSE box just has a lower threshold set for logging? It seems like everything is being logged, when what you really want is just the warnings, alerts, etc... You should raise the threshold of what severity is logged.

jce23 09-13-2004 03:49 PM

chort,

First of all, thanks for your insights into this matter. What fixed it was removing the *.* from a line in syslog.conf that I hadn't noticed before. The line had *.*;mail.none;news.none -/var/log/messages. I took the *.* out because I noticed that all the PIX's messages were not only going to my file, but also to this one. For some reason, after taking it out and restarting syslog, all of the aforementioned garbage stopped logging.

I'm glad it's fixed, but annoyed that I'm not sure why.

Thanks again,

JCE

chort 09-13-2004 04:15 PM

Well, your syslog.conf was configured to log every message from every facility and at every severity level into /var/log/messages. A better configuration might be *.warning; (rather than *.*). Of course, if you have the PIX facility (whatever it is) going to a specific file, you won't want to do *.anything (to /var/log/messages) because that will always include the PIX messages. Read the man page for syslog.conf if you're still unclear.
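As an added illustration (not part of the thread or of any syslog implementation), a small evaluator for classic sysklogd selector syntax shows why the `*.*` line also swallowed the PIX messages and how chort's `*.warning` suggestion, combined with an explicit `local4.none`, keeps them out of /var/log/messages. It assumes the PIX logs at facility local4 (the PIX default) and uses a made-up /var/log/pix.log path.

```python
# Severities from least to most severe, as sysklogd orders them.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]


def selector_matches(selector: str, facility: str, priority: str) -> bool:
    """Return True if a ';'-joined selector accepts (facility, priority).

    sysklogd rules: 'fac.pri' accepts pri and everything more severe,
    'fac.none' drops the facility, '*' means any facility, and later
    parts of the same selector override earlier ones for a facility.
    """
    accepted = False
    for part in selector.split(";"):
        facs, _, pri = part.strip().rpartition(".")
        fac_list = FACILITIES if facs == "*" else facs.split(",")
        if facility not in fac_list:
            continue
        if pri == "none":
            accepted = False
        elif pri == "*":
            accepted = True
        else:
            accepted = PRIORITIES.index(priority) >= PRIORITIES.index(pri)
    return accepted


def destinations(config: str, facility: str, priority: str) -> list:
    """Return the action field of every config line that logs the message."""
    out = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)  # selector, whitespace, action
        if selector_matches(selector, facility, priority):
            out.append(action)
    return out


# The line from the thread: every facility at every severity goes to messages.
ORIGINAL = """
*.*;mail.none;news.none   -/var/log/messages
local4.*                  /var/log/pix.log
"""

# Only warning and above to messages, and the PIX facility kept out of it.
FIXED = """
*.warning;mail.none;news.none;local4.none   -/var/log/messages
local4.*                                    /var/log/pix.log
"""

if __name__ == "__main__":
    # Constructed case: a PIX "Built UDP translation" message is local4, severity info.
    print(destinations(ORIGINAL, "local4", "info"))  # both files, hence the duplication
    print(destinations(FIXED, "local4", "info"))     # only /var/log/pix.log
```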
