-----Original Message-----
Subject: RE: [logs] PIX configuration change logging

> We found this:
>
> %PIX-5-111008: User 'user' executed the 'cmd' command.
>
> Explanation: This message indicates that a command change to the
> configuration has been made from an AAA authenticated session.
>
> here:
> http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a00800891c4.html
>
> Still looking into how we implement this.

Add the following lines to your PIX config:

    logging enable
    logging trap debugging
    logging host inside [syslog server IP] udp/514

Then, when those messages are generated, they will appear in your syslog stream. But know that this will be a lot of syslog traffic on a busy firewall, so don't implement this without proper planning and testing.

Even so, that message doesn't mean what you may think it does. The 'cmd' that you are going to see pretty much all of the time is 'enable'. Sure, it will tell you who modified the configuration and when (assuming you have AAA set up for telnet/enable), but it won't audit the configuration for you. You'll need a third-party tool to do that.

PaulM

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
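To see PaulM's point in practice, here is an added example (not code from the original post or from Cisco) that runs over a constructed syslog stream containing %PIX-5-111008 records in the format quoted in the thread. It extracts the user and the command from each record and then separates the "who entered enable / ran a show command" noise from commands that plausibly altered the configuration. The syslog framing around each message (priority, timestamp, hostname), the user names, the commands and the list of commands treated as non-mutating are all assumptions for the example; a real PIX does not tag commands by their effect, so that list has to be tuned per environment. The result tells you who changed something and when, which is what this message can give you, but it still does not tell you what the configuration looks like now.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample syslog stream (not from the original post). The
# %PIX-5-111008 body follows the format quoted in the thread; the
# priority, timestamps, hostname, users and commands are invented.
SAMPLE_SYSLOG = """\
<189>Oct 02 2006 18:01:12 pix-edge : %PIX-5-111008: User 'alice' executed the 'enable' command.
<189>Oct 02 2006 18:01:15 pix-edge : %PIX-5-111008: User 'alice' executed the 'show running-config' command.
<189>Oct 02 2006 18:02:40 pix-edge : %PIX-5-111008: User 'alice' executed the 'configure terminal' command.
<189>Oct 02 2006 18:02:58 pix-edge : %PIX-5-111008: User 'alice' executed the 'access-list outside_in permit tcp any host 10.0.0.5 eq 22' command.
<189>Oct 02 2006 18:03:05 pix-edge : %PIX-5-111008: User 'alice' executed the 'write memory' command.
<189>Oct 02 2006 18:09:30 pix-edge : %PIX-5-111008: User 'bob' executed the 'enable' command.
<189>Oct 02 2006 18:09:33 pix-edge : %PIX-5-111008: User 'bob' executed the 'show xlate' command.
<189>Oct 02 2006 18:09:40 pix-edge : %PIX-6-302013: Built inbound TCP connection 1234 for outside:1.2.3.4/40000 (1.2.3.4/40000) to inside:10.0.0.5/22 (10.0.0.5/22)
"""

# Anchors on the 111008 body so the surrounding syslog framing (which
# varies by relay and timestamp settings) is kept as an opaque header.
# The command itself may contain spaces, so it is matched greedily up to
# the closing "' command." text.
RECORD_RE = re.compile(
    r"^(?P<header>.*?)%PIX-(?P<sev>\d)-111008: "
    r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.\s*$"
)

# Commands assumed not to alter the running configuration. This list is
# an assumption for the example, not something the PIX provides; matching
# is on the whole command or its leading words, so "show xlate" is noise
# but "write memory" (which commits the config) is not.
NON_MUTATING_PREFIXES = (
    "enable", "disable", "exit", "quit", "end", "configure terminal",
    "terminal", "show", "more", "ping", "traceroute", "who", "help",
    "write terminal", "logout",
)


@dataclass
class CommandEvent:
    header: str    # raw syslog prefix (priority, timestamp, host), kept as-is
    user: str      # AAA-authenticated user from the record
    command: str   # command text exactly as logged

    def mutates_config(self) -> bool:
        """True unless the command matches a known non-mutating prefix."""
        c = self.command.strip().lower()
        return not any(c == p or c.startswith(p + " ") for p in NON_MUTATING_PREFIXES)


def parse_pix_111008(text: str) -> List[CommandEvent]:
    """Return one CommandEvent per 111008 record; other message IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events.append(CommandEvent(m["header"].strip(), m["user"], m["cmd"]))
    return events


def find_config_changes(text: str) -> List[CommandEvent]:
    """Filter the 111008 stream down to commands that plausibly changed the config."""
    return [e for e in parse_pix_111008(text) if e.mutates_config()]


def changes_by_user(text: str) -> Dict[str, int]:
    """Count plausible configuration changes per AAA user."""
    counts: Dict[str, int] = {}
    for e in find_config_changes(text):
        counts[e.user] = counts.get(e.user, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_pix_111008(SAMPLE_SYSLOG):
        tag = "CHANGE" if e.mutates_config() else "noise "
        print(f"{tag} {e.header} {e.user!r}: {e.command}")
    print(changes_by_user(SAMPLE_SYSLOG))
```

On the sample stream, five of the seven 111008 records are 'enable', 'show' or 'configure terminal' and are dropped as noise; what remains is alice adding an access-list entry and then committing with 'write memory'. That is the who-and-when the message provides. Whether the resulting configuration is what you expect still requires pulling and diffing the config with a separate tool, as the post says.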
This archive was generated by hypermail 2.1.3 : Mon Oct 02 2006 - 19:32:00 PDT