
Decipher the Cisco PIX log files

If you don't know what your Cisco PIX is doing right now, much less what it did 10 minutes ago, you need to take charge of your network. In this Daily Drill Down, Scott Lowe shows you how to find and interpret your Cisco PIX log files.


No matter how hard you juggle your schedule, you can’t be at two places at once. Nor can you monitor every device on your network every second of every day. Eventually, something like hunger, the call of nature, or your supervisor will force you to stop watching over your network.

Fortunately, you can keep an eye on your network while you’re away by taking advantage of log files. Your Cisco PIX router can create logs to track many different aspects of your network. In this Daily Feature, I’ll go over the format of the Cisco PIX log files and show you how to read them. I’ll also show you some easy ways to get help based on the information detected by your PIX log files.

A tale of two utilities
There are two different ways you can create logs for your Cisco PIX: you can use either syslog or the PIX Device Manager. Seasoned UNIX administrators will be more familiar with the syslog utility. Syslog is a UNIX service that lets you centralize logs from all around your enterprise onto one central machine.

Using syslog can be convenient, but in order to reap its full benefits you need to know how to interpret the messages that come directly from the PIX. Syslog captures PIX messages and writes them to the /var/log/messages file.

A typical syslog message will look like:
Jun 22 19:08:31 192.168.1.20 June 22 2002 19:08:11: %PIX-5-111008: User 'enable_15' executed the 'ping inside 2.2.2.2' command.

Obviously, this is a syslog message indicating that a ping command was run. This syslog message can be broken down into several areas:
  • Date written: The date and time that the message was written to the log. For our example this is Jun 22 19:08:31.
  • IP Address: The TCP/IP address of the device that wrote the message to the log. In our example, this is 192.168.1.20.
  • Date occurred: This is the date and time that the error actually occurred. Don’t worry if this time is slightly different than the Date written column. For our example, this value is June 22 2002 19:08:11.
  • Message ID: In our example, this value is %PIX-5-111008. This is the message ID number generated from the PIX. The number 5 in this message indicates the severity of the message with 1 being the most severe error and 7 being simply debugging informational messages.
  • Text: The final part is the actual text of the message. It provides some description of the event that caused the message to be generated in the first place. It can help you troubleshoot the cause of any problem.
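The field layout above is regular enough to parse mechanically. The following parser is an added example, not from the original article or from Cisco; it splits a PIX syslog line into the five fields described, skips lines that are not PIX messages, and tallies message IDs so you can see which IDs recur and how severe the worst one was. The sample lines other than the article's own are constructed, and message ID 999999 is a placeholder, not a real PIX ID.

```python
import re
from collections import Counter

# Layout described above: syslog timestamp, sender IP, the PIX's own timestamp,
# the %PIX-<severity>-<id> tag, then the free-text message.
PIX_LINE = re.compile(
    r"^(?P<written>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<occurred>[A-Z][a-z]+ \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<severity>\d)-(?P<msgid>\d{6}): "
    r"(?P<text>.*)$"
)

def parse_pix_line(line):
    """Return a dict of the five fields, or None if the line is not a PIX message."""
    m = PIX_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])  # lower number = more severe
    return rec

def needs_attention(rec, threshold=3):
    """True when the severity number is at or below the threshold (assumed cutoff)."""
    return rec["severity"] <= threshold

def summarize(lines):
    """Tally message IDs across a batch of lines and report the lowest severity seen."""
    counts = Counter()
    worst = None
    for line in lines:
        rec = parse_pix_line(line)
        if rec is None:
            continue  # not a PIX message (e.g. another daemon sharing /var/log/messages)
        counts[rec["msgid"]] += 1
        if worst is None or rec["severity"] < worst:
            worst = rec["severity"]
    return counts, worst

# Constructed sample: the article's line, a second 111008 event, a placeholder
# severity-2 event, and one non-PIX syslog line that the parser must ignore.
SAMPLE_LINES = [
    "Jun 22 19:08:31 192.168.1.20 June 22 2002 19:08:11: %PIX-5-111008: "
    "User 'enable_15' executed the 'ping inside 2.2.2.2' command.",
    "Jun 22 19:09:02 192.168.1.20 June 22 2002 19:08:42: %PIX-5-111008: "
    "User 'enable_15' executed the 'show version' command.",
    "Jun 22 19:10:15 192.168.1.20 June 22 2002 19:09:55: %PIX-2-999999: "
    "constructed placeholder event, not a real PIX message.",
    "Jun 22 19:10:20 192.168.1.20 sshd[101]: constructed non-PIX line",
]
```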

Syslog messages aren’t simply error messages. They can be anything from informational messages to “Oh man, the PIX is going to die” severe error messages. The severity number portion of the Message ID is key in these messages: it tells you how bad the problem could be.

Cisco provides a comprehensive list of all of the messages generated by syslog on its Web site along with possible solutions to the problem. For example, here is what Cisco has to say about the message that I detailed above.
%PIX-5-111008: User user_name executed the command command
Explanation: This syslog message is for accounting purposes. The user entered a command that modified the configuration.
Action: None required.


If the suggested solutions from Cisco do not fix a problem that you are experiencing, I have found Google to be an excellent way to get more information. At the Google search box, simply typing in the error ID for many of these messages will yield results from others that have experienced similar problems.

PDM
As an alternative to syslog, you can use the PIX Device Manager (PDM). With newer versions of the PIX code, the PDM can be used to view system logs as well as a whole host of other reports and statistics. The PIX Device Manager can also be used in an environment where syslog is not feasible or desired.

Start the PDM on your administration workstation. To view the log in the PDM, choose the monitoring tab and then choose the level of information you would like to view. You’ll then see the screen shown in Figure A.

Figure A
This screen lets you choose what level of logs to view.


Select Informational from the Logging Level drop-down list box and click View. When you do, you’ll see the PDM Log Viewer screen shown in Figure B.

Figure B
The PDM Log Viewer screen displays informational messages from the PDM.


As you can tell, the PDM uses the same message IDs as the syslog messaging system, so you can use the methods I described previously to get further assistance with messages written to these logs.

Logging plus more
Using syslog and PDM together, you can get a complete view of what’s going on with your Cisco PIX. Add the built-in graphing and monitoring capabilities of the PDM, and you’ll find your PIX is ready to provide you with almost all the information you need. All you have to do is learn your way around the utilities and understand what they’re telling you.
