Old 09-09-2004, 03:02 PM   #1
jce23
Cisco PIX syslog problems


I had been using RH9 to capture the logs from our PIX. Since RH9 is no longer supported and we're a primarily Novell shop, I went to SLES 8. Syslog is capturing the PIX logs, but SLES 8 is generating a TON of traffic through the PIX and out to the internet. It seems to be trying to build UDP translation paths for just about every port. A business day's worth of logging can grow the file to ~1GB!!

Any ideas as to what may cause all this spurious traffic?
 
Old 09-09-2004, 05:39 PM   #2
chort
What's the source port and destination port of the unexpected traffic? It might be trying to do DNS resolution on the hostname of the PIX every time it gets an entry via syslog. What you would see would be a nearly endless stream of traffic starting from high ports on your Linux box going to various hosts on the Internet, destination port 53.
 
Old 09-10-2004, 08:43 AM   #3
jce23
That's just the thing, I think if there was some consistency it might be easier to find the problem. The ports are incrementing on each new entry.
For example, 'built udp translation path from host/45678 to host/17455'.
 
Old 09-11-2004, 01:11 AM   #4
chort
Hmmm, is all this traffic sourced from the Linux box? Is it possible that syslog.conf on the SuSE box just has a lower threshold set for logging? It seems like everything is being logged, when what you really want is just the warnings, alerts, etc... You should raise the threshold of what severity is logged.
 
Old 09-13-2004, 04:49 PM   #5
jce23
chort,

First of all, thanks for your insights into this matter. What fixed it was removing the *.* from a line in syslog.conf that I hadn't noticed before. The line had *.*;mail.none;news.none -/var/log/messages. I took the *.* out because I noticed that all the PIX's messages were not only going to my file, but also to this one. For some reason, after taking it out and restarting syslog, all of the aforementioned garbage stopped logging.

I'm glad it's fixed, but annoyed that I'm not sure why.

Thanks again,

JCE
 
Old 09-13-2004, 05:15 PM   #6
chort
Well your syslog.conf was configured to log every message from every facility and at every severity level into /var/log/messages. A better configuration might be *.warning; (rather than *.*). Of course, if you have the PIX facility (whatever it is) going to a specific file, you won't want to do *.anything (to /var/log/messages) because that will always include the PIX messages. Read the man page for syslog.conf if you're still unclear.
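An added example, not from the thread, that applies sysklogd's selector rules to the two configurations discussed above: the original `*.*` line and the `*.warning` plus facility-specific variant chort describes. It assumes the PIX sends on facility local4 and that its dedicated file is a hypothetical /var/log/pix.log.

```python
import re

# syslog priorities from lowest to highest severity (sysklogd order)
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def parse_rule(line):
    """Split one syslog.conf rule into ([(facilities, priority), ...], logfile)."""
    selector, action = re.split(r"\s+", line.strip(), maxsplit=1)
    terms = []
    for term in selector.split(";"):
        facs, pri = term.rsplit(".", 1)
        terms.append((facs.split(","), pri))
    # a leading '-' on the file only means "do not fsync after each write"
    return terms, action.lstrip("-")

def rule_matches(terms, facility, priority):
    """sysklogd semantics: later terms override earlier ones for the same
    facility, 'none' drops the facility, a priority means that level and above."""
    threshold = None
    for facs, pri in terms:
        if "*" in facs or facility in facs:
            threshold = pri
    if threshold in (None, "none"):
        return False
    if threshold == "*":
        return True
    return PRIORITIES.index(priority) >= PRIORITIES.index(threshold)

def destinations(config, facility, priority):
    """Return the list of files a (facility, priority) message is written to."""
    out = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        terms, action = parse_rule(line)
        if rule_matches(terms, facility, priority):
            out.append(action)
    return out

# Constructed configs; PIX messages are assumed to arrive on facility local4.
ORIGINAL = """
*.*;mail.none;news.none   -/var/log/messages
local4.*                  /var/log/pix.log
"""
FIXED = """
*.warning;mail.none;news.none;local4.none   -/var/log/messages
local4.*                                    /var/log/pix.log
"""
```

A routine PIX "built UDP translation" line arrives at local4.info: `destinations(ORIGINAL, "local4", "info")` lands it in both files, while the FIXED config sends it only to /var/log/pix.log and still routes a kern.err message to /var/log/messages.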