The debug command on a Cisco PIX firewall is a very powerful way of viewing information, alerts and errors in real time as they occur on the PIX. The problem is that all the output goes straight to the console, and before you know it you can be overwhelmed by the information being displayed!
For long term debugging and analysis this is simply not practical, and this is where a syslog server comes in. The PIX can send its log messages over the network to a dedicated syslog server. That server runs a piece of syslog software that receives the messages and writes them out in human readable form. Setting all this up is actually pretty simple, so let's go over it now.
The software – Firstly you're going to need a piece of syslog server software. There are many available and most will cost you; if you want a free one, check out the 3Com syslog message daemon. The setup is very simple: once you've installed it, and if necessary allowed it through the machine's own firewall (syslog arrives on UDP port 514), you will be presented with a screen like this:
This is all the configuring the syslog software needs. By clicking File and then Configure you can change the location of the log files that get generated. At this point the machine is ready to accept incoming syslog messages, so now it's time to configure the PIX!
Firstly you need to check what version your PIX is running; you can do this by running the show version command in the console. If your PIX is on version 4.0 – 4.1 then you need to run the following commands:
syslog host x.x.x.x (where x.x.x.x is the ip address of the server running the syslog software)
syslog output x.y (x is the logging facility and y is the logging level)
Let's go over the logging facility and logging level. You can have multiple logging facilities should you want to send different logging levels to different syslog servers; the PIX uses local0 through local7 (eight different facilities). To start with, just local0 is sufficient. In the output command above, x is the decimal number that corresponds to the local facility: local0 is 16 and local7 is 23, so 16-23 are all valid numbers.
As for the logging level, this decides which messages get sent to the syslog server. Here is the list of levels:
Emergency – 0
Alert – 1
Critical – 2
Error – 3
Warning – 4
Notification – 5
Information – 6
Debug – 7
If you just want to log problems and alerts then level 3 is a good level to go for. Choosing a level always includes everything more severe than it, so level 3 also gives you levels 0, 1 and 2. If you log at level 4 you will start to get syslog messages indicating when firewall rules have been enforced and packets have been dropped. If you're on a busy line this will generate a lot of output, so be warned!
So, as an example, if we wanted to use Local0 and level 4 we would run the command:
syslog output 16.4
At this point you’re done and all the syslog messages will start getting sent to the syslog server.
If you are running your Cisco pix firewall on version 4.2 or later then the commands change slightly to these:
logging host x.x.x.x (where x.x.x.x is the ip address of the syslog server)
logging facility x (where x is the decimal number for the logging facility as described above)
logging trap y (where y is the decimal number to determine what types of messages get outputted)
These three commands, together with logging on (which switches logging on at all), are all you need to have your Cisco PIX sending the messages you specified to the syslog server. One caveat: syslog over UDP 514 is sent in the clear and nothing authenticates the sender, so keep the syslog server on the inside or management network, reach it from the PIX through a trusted interface, and restrict which hosts can send to UDP 514 on it.
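To see what the facility and level numbers above actually turn into on the wire, here is an added example (not part of the original post, and not 3Com's or Cisco's code): a small Python receiver and decoder for PIX syslog lines. It assumes the standard syslog framing, where the packet starts with a PRI field equal to facility * 8 + severity, so local0 with level 4 (the 16.4 in the example above) becomes PRI 132, and it assumes the PIX message body format %PIX-level-msgid: text. The sample lines are constructed for the example; the function and variable names are this example's own.

```python
import re
import socket

# Severity names as listed in the post (0 is the most severe).
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notification", 6: "Information", 7: "Debug",
}

# One syslog line per message: "<PRI>" then the PIX body. An optional
# timestamp may sit between them, so the %PIX tag is searched for before
# the six-digit message ID rather than anchored right after the PRI.
PIX_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>.*?%PIX-(?P<level>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Constructed sample lines (not captured from a real device). The message IDs
# are real PIX IDs; the addresses come from the RFC 5737 documentation ranges.
SAMPLE_MESSAGES = [
    '<132>%PIX-4-106023: Deny tcp src outside:203.0.113.5/51234 '
    'dst inside:192.0.2.10/23 by access-group "outside_in"',
    '<131>%PIX-3-305005: No translation group found for tcp '
    'src inside:192.0.2.20/1025 dst outside:198.51.100.9/80',
    '<134>%PIX-6-302013: Built inbound TCP connection 17 for '
    'outside:203.0.113.5/40000 (203.0.113.5/40000) to inside:192.0.2.10/80 (192.0.2.10/80)',
]


def facility_number(name):
    """Map 'local0'..'local7' to the decimal values 16..23 used on the PIX."""
    m = re.fullmatch(r"local([0-7])", name.strip().lower())
    if not m:
        raise ValueError(f"expected local0-local7, got {name!r}")
    return 16 + int(m.group(1))


def pri_value(facility, severity):
    """PRI field of a syslog packet: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def split_pri(pri):
    """Inverse of pri_value: recover (facility, severity) from a PRI."""
    return divmod(pri, 8)


def parse_pix(line):
    """Decode one PIX syslog line into facility, severity, message ID and text."""
    m = PIX_LINE.match(line)
    if not m:
        raise ValueError(f"not a PIX syslog line: {line[:40]!r}")
    facility, severity = split_pri(int(m.group("pri")))
    if facility > 23:
        raise ValueError(f"PRI {m.group('pri')} encodes facility {facility}, outside 0-23")
    # The level in the %PIX-n- tag is the same severity the PRI carries;
    # a mismatch means the line was rewritten or forged on the way here.
    if severity != int(m.group("level")):
        raise ValueError(f"PRI severity {severity} disagrees with tag level {m.group('level')}")
    name = f"local{facility - 16}" if facility >= 16 else f"facility{facility}"
    return {
        "facility": facility,
        "facility_name": name,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "msgid": m.group("msgid"),
        "text": m.group("text"),
    }


def filter_by_trap(lines, trap_level):
    """Return the message IDs a PIX configured with 'logging trap <trap_level>'
    would actually send: everything at that severity or more severe."""
    return [parse_pix(line)["msgid"] for line in lines
            if parse_pix(line)["severity"] <= trap_level]


def serve(bind_addr, port=514, trap_level=4):
    """Minimal UDP receiver. Bind it to the inside/management address only;
    syslog over UDP is cleartext and unauthenticated. Port 514 needs root
    on Unix. Runs until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            try:
                msg = parse_pix(data.decode("ascii", errors="replace"))
            except ValueError as exc:
                print(f"{src}: dropped: {exc}")
                continue
            if msg["severity"] <= trap_level:
                print(f'{src} {msg["facility_name"]} {msg["severity_name"]} '
                      f'%PIX-{msg["severity"]}-{msg["msgid"]}: {msg["text"]}')


if __name__ == "__main__":
    # Offline run over the constructed lines: local0 with level 4 gives PRI 132.
    print("PRI for local0/level 4:", pri_value(facility_number("local0"), 4))
    for line in SAMPLE_MESSAGES:
        m = parse_pix(line)
        print(m["facility_name"], m["severity_name"], m["msgid"], m["text"][:40])
    print("message IDs kept at trap level 4:", filter_by_trap(SAMPLE_MESSAGES, 4))
```

Running the file as-is exercises the decoder on the constructed lines; calling serve("192.0.2.1") with your server's inside address instead turns it into a throwaway listener you can point logging host at to confirm messages arrive with the facility and level you configured.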