Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 133

Security mars local controller

Chapter 4
Configuring Firewall Devices
Cisco Firewall Devices (PIX, ASA, and FWSM)
User Guide for Cisco Security MARS Local Controller, 78-17020-01, page 4-5

Step 2  To enable logging, enter one of the following commands:
        (PIX and Cisco ASA) logging enable
        (FWSM) logging on

Step 3  To specify the MARS Appliance as a target logging host, enter the following command:
        logging host <interface name> <MARS IP address>

Step 4  To set the log level to debug, which ensures that HTTP and FTP session logs are generated, enter the following command:
        logging trap debugging

Tip     Alternatively, you can tune the event settings as defined in Device-Side Tuning for Cisco Firewall Device Syslogs, page 4-6.

        The debug messages contain the HTTP URL address information. Therefore, you can create keyword-based rules matching against the firewall message itself. For example, if the debug messages are enabled and users were logging to "http://mail.cisco.com", you could create keyword-based rules that matched against "mail.yahoo.com."

Note    Full URLs, such as www.cisco.com/foo.html, are included in HTTP session logs and FTP command data is logged only if web filtering (N2H2\SecureComputing or WebSense) is enabled on the reporting device. If web filtering is not enabled, then the HTTP session log does not include the hostname (although the destination host's IP and the Request-URI are included, such as 192.168.1.1:/foo.htm) and FTP command data is not logged at all. Caveats exist with HTTP session logging, such as if the HTTP session request is broken across packets, then the hostname data might not be included in the log data.

        Debug messages are also preferred for troubleshooting. You can define inspection rules that match on debug-level keywords, which send notifications to the appropriate group. Refer to PIX debug messages for interesting keywords.

        Cisco recommends enabling debug for optimal use of your STM solution. If a Cisco firewall device is unable to sustain debug-level messages due to performance reasons, the informational level should be used. In non-debug mode, the URL information is not available; only the 5-tuple is available for queries and reports.

Step 5  For FWSM, enter the following command:
        logging rate-limit <eps rate desired> 1

Step 6  For Cisco ASA, PIX 7.0, and FWSM, repeat Step 2 through Step 5 for each context defined, admin and security.

Step 7  (Cisco ASA only) If an Advanced Inspection and Prevention (AIP) module is installed, you need to prepare that module as you would any IPS 5.0 module. For more information, see Cisco IPS Modules, page 6-10.
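
The hostname caveat on this page matters for keyword-based rules, so here is an added example (not from the Cisco manual and not MARS code) that applies a hostname keyword to URL log lines and separates real hits from events where no hostname was logged and the rule can never fire. The sample lines are constructed, the "Accessed URL" layout is an assumption modeled on the PIX/ASA 304001 message, and the function names are hypothetical.

```python
import re

# Constructed sample lines (not captured traffic). The layout
# "<src> Accessed URL <dst-ip>:<url>" is an assumption modeled on the
# PIX/ASA 304001 "Accessed URL" syslog message.
SAMPLE_LOGS = [
    # Web filtering enabled: the hostname is part of the logged URL.
    "%PIX-5-304001: 10.1.1.20 Accessed URL 192.168.1.1:www.cisco.com/foo.html",
    "%PIX-5-304001: 10.1.1.21 Accessed URL 192.168.1.9:mail.yahoo.com/inbox",
    # Web filtering disabled: only destination IP and Request-URI are logged.
    "%PIX-5-304001: 10.1.1.22 Accessed URL 192.168.1.1:/foo.htm",
    # Unrelated message type, skipped by the parser.
    "%PIX-6-302013: Built outbound TCP connection (constructed, truncated)",
]

URL_EVENT = re.compile(
    r"304001: (?P<src>\S+) Accessed URL (?P<dst>[\d.]+):(?P<url>\S+)"
)


def parse_url_event(line):
    """Return src, dst, host and path for a URL log line, else None."""
    m = URL_EVENT.search(line)
    if m is None:
        return None
    url = m.group("url")
    if url.startswith("/"):
        # Bare Request-URI: the firewall did not log a hostname.
        host, path = None, url
    else:
        host, _, rest = url.partition("/")
        host, path = host.lower(), "/" + rest
    return {"src": m.group("src"), "dst": m.group("dst"),
            "host": host, "path": path}


def match_hostname_keyword(lines, keyword):
    """Split URL events into keyword hits and events the rule cannot see."""
    hits, blind = [], []
    for event in filter(None, map(parse_url_event, lines)):
        if event["host"] is None:
            blind.append(event)  # hostname absent, keyword rule never fires
        elif keyword.lower() in event["host"]:
            hits.append(event)
    return hits, blind


if __name__ == "__main__":
    hits, blind = match_hostname_keyword(SAMPLE_LOGS, "mail.yahoo.com")
    print("matched:", hits)
    print("no hostname logged:", blind)
```

A non-empty second list from a reporting device is a sign that hostname keyword rules are not seeing all of that device's HTTP sessions; match on destination IP or Request-URI for those events instead.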


This manual is also suitable for:

Mars 20, Mars 50, Mars 100, Mars 200
