Using the ASA/PIX Security Appliance Reporting System
The ASA/PIX Security Appliance uses the syslog protocol to report error
messages and alerts. Syslog data can be sent to the device running the ASDM
software for troubleshooting, but normally the security appliance is configured
to write syslog data to a remote syslog server. Keep that server on a protected
(inside or management) network, because syslog traffic is unauthenticated and
normally sent in the clear.
Syslog contains messages that help you troubleshoot your environment. For
example, if customers can't reach a web server and you know the web server is
up and running, check the syslog; you will likely find a message that shows why
the traffic is not getting through. Cisco.com documents all ASA/PIX Security
Appliance syslog messages at http://www.cisco.com/go/pix in the Technical
Documentation section. If you need help analyzing a message, the Cisco Technical
Assistance Center (TAC) is available 24 hours a day, every day of the year.
Syslog might also contain messages indicating that you are under attack.
Those messages are marked with an intrusion detection system (IDS) prefix: the
message text begins with IDS: followed by the signature number. If the security
appliance reports that it is dropping the attack packets, it has blocked the
potential attack. If it is not dropping them, go to the machine the attack was
destined for and confirm that Cisco Security Agent (CSA) caught the attack
before it was successful.
If you find hundreds of IDS messages and you do not have a security manager or
engineer within your business, you might want to call the Cisco Technical
Assistance Center to discuss what steps to take next.
One of the most important uses of syslog is that it tells you when someone
logs on to the ASA/PIX Security Appliance, and it shows any configuration
changes that were made. Therefore, review the syslog frequently to ensure that
only administrators are accessing the security appliance and that no commands
are being issued that could disrupt the network or weaken its security.
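The two review tasks above (spotting IDS messages, and checking who logged on and what they changed) are easy to automate once the syslog has been collected. The script below is an added example written for this section; it is not Cisco's code and does not appear in the original text. It parses the standard %ASA/%PIX-severity-ID message format, picks out messages whose text carries the IDS: prefix, and picks out the login and command-execution messages (IDs 605004/605005 and 111008/111010 from the Cisco system message documentation). The log lines are constructed samples using documentation address ranges, the "admin" account is an assumed administrator list, and the list of sensitive command prefixes is an illustrative assumption rather than anything Cisco publishes.

```python
"""Triage ASA/PIX syslog for IDS hits and administrative activity.

Added example for this section; not Cisco's code. Message formats follow
the documented ASA/PIX system messages; the log lines are constructed.
"""
import re
from collections import Counter

# Message body, whether or not a syslog relay prepended timestamp/hostname.
MSG_RE = re.compile(
    r"%(?P<product>ASA|PIX|FWSM)-(?P<severity>\d)-(?P<msg_id>\d{6}):\s*(?P<text>.*)"
)
# IDS messages (IDs 400000-400050) carry an "IDS:<signature>" prefix.
IDS_RE = re.compile(
    r"^IDS:(?P<sig>\d+)\s+(?P<desc>.+?)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+on\s+interface\s+(?P<iface>\S+))?"
)
# Administrative access: 605004 login denied, 605005 login permitted,
# 111008/111010 command executed by a user.
LOGIN_IDS = {"605004": "denied", "605005": "permitted"}
CMD_IDS = {"111008", "111010"}
LOGIN_RE = re.compile(
    r"Login (?:permitted|denied) from (?P<src>\S+) to (?P<dst>\S+) "
    r"for user ['\"](?P<user>[^'\"]*)['\"]"
)
CMD_RE = re.compile(r"User '(?P<user>[^']*)'.*?executed (?:the )?'(?P<cmd>[^']*)'")
# Illustrative assumption (not a Cisco list): command prefixes that weaken
# filtering, logging or AAA and deserve a second look.
SENSITIVE_PREFIXES = ("no access-list", "clear configure", "no logging",
                      "no aaa", "write erase")


def parse_line(line):
    """Return (severity, msg_id, text) for an ASA/PIX message, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return int(m["severity"]), m["msg_id"], m["text"]


def triage(lines, admins):
    """Sort log lines into IDS hits, logins and commands; flag unexpected users."""
    report = {"ids": [], "logins": [], "commands": [], "flagged_commands": [],
              "unknown_users": set(), "unparsed": 0}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            report["unparsed"] += 1
            continue
        _severity, msg_id, text = parsed
        if text.startswith("IDS:"):
            m = IDS_RE.match(text)
            if m:
                report["ids"].append(m.groupdict())
        elif msg_id in LOGIN_IDS:
            m = LOGIN_RE.search(text)
            if m:
                entry = dict(m.groupdict(), result=LOGIN_IDS[msg_id])
                report["logins"].append(entry)
                if entry["result"] == "permitted" and entry["user"] not in admins:
                    report["unknown_users"].add(entry["user"])
        elif msg_id in CMD_IDS:
            m = CMD_RE.search(text)
            if m:
                entry = m.groupdict()
                report["commands"].append(entry)
                if entry["user"] not in admins:
                    report["unknown_users"].add(entry["user"])
                if entry["cmd"].startswith(SENSITIVE_PREFIXES):
                    report["flagged_commands"].append(entry)
    return report


def ids_summary(report):
    """Count IDS hits per (signature, source) to spot a persistent attacker."""
    return Counter((e["sig"], e["src"]) for e in report["ids"])


# Constructed sample log; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 10 09:12:01 fw01 %ASA-4-400013: IDS:2003 ICMP redirect from 203.0.113.9 to 10.1.1.10 on interface outside
Jan 10 09:12:02 fw01 %ASA-4-400013: IDS:2003 ICMP redirect from 203.0.113.9 to 10.1.1.10 on interface outside
Jan 10 09:12:05 fw01 %ASA-4-400014: IDS:2004 ICMP echo request from 203.0.113.9 to 10.1.1.10 on interface outside
Jan 10 09:13:10 fw01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.1.1.25/51234 (203.0.113.1/51234)
Jan 10 09:15:00 fw01 %ASA-6-605005: Login permitted from 10.1.1.50/52110 to inside:10.1.1.1/ssh for user "admin"
Jan 10 09:15:20 fw01 %ASA-5-111008: User 'admin' executed the 'no access-list outside_in extended deny ip any any' command.
Jan 10 09:16:00 fw01 %ASA-6-605004: Login denied from 203.0.113.77/40001 to outside:203.0.113.1/ssh for user "root"
Jan 10 09:16:30 fw01 %ASA-6-605005: Login permitted from 10.1.1.99/40200 to inside:10.1.1.1/https for user "contractor"
Jan 10 09:16:45 fw01 %ASA-5-111010: User 'contractor', running 'ASDM' from IP '10.1.1.99', executed 'clear configure logging'
this line is not an ASA message
"""

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG.splitlines(), admins={"admin"})
    for (sig, src), n in ids_summary(rep).most_common():
        print(f"IDS signature {sig} from {src}: {n} hits")
    for e in rep["logins"]:
        print(f"login {e['result']}: {e['user']} from {e['src']} to {e['dst']}")
    for e in rep["flagged_commands"]:
        print(f"REVIEW: {e['user']} ran '{e['cmd']}'")
    if rep["unknown_users"]:
        print("non-administrator accounts seen:", sorted(rep["unknown_users"]))
```

Run against a real export, the interesting output is the list of accounts that are not on your administrator list and the flagged commands; in the sample, the "contractor" account logs in through ASDM and clears the logging configuration, which is exactly the kind of change the section tells you to look for. Denied logins are reported but do not mark the account as "seen", because a failed attempt from the outside interface is a probe rather than an administrator.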