 |
You are here: Docs>Sheriff Web>UserGuides>SheriffCSMDocumentation>DeploymentGuide>PluginManagement>ConfigureLogForwardingOnCommonlyUsedDataSources>CiscoPIX (28 Jun 2022, SheriffCyberSecurity)Edit Attach
Up
Previous Next Sheriff CSMâ„¢
When you set a logging level, all messages with the same classification number (and lower) are output to the Syslog server that collect these messages. In addition, with many of these devices, you can also limit the rate or amount of syslog message volume that is output.
Note: Refer to the vendor documentation provided for your specific device, on the logging commands that are available, and how to use them to control Syslog message output.
By default, most Cisco devices are configured at notification (5) or informational (6) levels for Syslog messages directed to Sheriff CSM. (Logging level 7 is not recommended for Syslog message output.) However, you may want to monitor the volume of messages that you are receiving from any particular device, particularly if the logging level is set at informational (6), because storage space can become an issue. You can also determine whether collecting any informational messages contributes significantly to your security monitoring efforts, or is just creating a lot of "noise".
Previous Next Sheriff CSMâ„¢
Cisco PIX
When you configure Cisco PIX to send log data to Sheriff CSM, you can use the Cisco PIX plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin: Plugin Information| Device | Details |
|---|---|
| Vendor | Cisco |
| Device Type | Firewall |
| Connection Type | Syslog |
| Data Source Name | cisco-pix |
| Data Source ID | 1514 |
Integrating Cisco PIX
Before you configure the Cisco PIX integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy). To configure Cisco PIX to send log data to Sheriff CSM-
Connect to the PIX system and enter:
CONFIG T
-
Enable logging:
logging on logging trap debugging logging host {inside|outside|xi} <IP address of the Sheriff CSM Sensor> no logging timestamp - Press Ctrl+Z to exit config mode.
-
Save the configuration changes:
write mem
| Logging Level | Keyword/Severity Level | Description |
| 0 | emergency | System is unusable. Typically devices do not generate Sylog messages with a severity/logging level of 0. |
| 1 | alert | Immediate action is needed. These messages indicate that action has been taken by the security appliance to resolve a problem or that action needs to be taken by the administrator because of an interface failure, unit standby failure, or bad cables. An administrator should always follow up on an alert message. |
| 2 | critical | Critical condition requiring immediate attention. These messages indicate that traffic has been blocked or dropped, that spoofed traffic has been detected, or that flags are invalid in traffic. An administrator should usually follow up on critical messages. |
| 3 | error | Error condition or event. These error messages are specific to security appliance resources such as xlate failures and translation slot failures. An administrator should always follow up on error messages. |
| 4 | warning | Warning condition or event. These messages are generally warnings about connection problems. An administrator might have to follow up on these warning messages. |
| 5 | notification | Normal but significant conditions or events. These messages are a mix of notifications of what a security appliance logged-in user is doing on the machine and some messages about Java and ActiveX blocking. An administrator should look at these messages to ensure that unauthorized changes are not being made to the security appliance. |
| 6 | informational | Informational messages only. These messages describe connections being built and torn down through the security appliance. In most cases, these messages don't need to be audited by an administrator unless users report that they are having problems with specific connections or services. |
| 7 | debugging | Debugging messages only. These messages are mostly related to IPSec. An administrator uses these messages when bringing up an IPSec tunnel for the first time. For the other debug messages, refer to your device's technical documentation on the Cisco website. |
Plugin Enablement
For plugin enablement information, see Enable Plugins.Troubleshooting
For troubleshooting, refer to the vendor documentation: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/command/reference/cr75.pdf http://www.ciscopress.com/articles/article.asp?p=424447&seqNum=2Edit | Attach | Print version | History: r6 < r5 < r4 < r3 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r6 - 28 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.