topic Re: Understanding Cisco ASA syslog message format. in Network Security

Understanding Cisco ASA syslog message format.

oscar.quinonez — Tue, 11 Jan 2022 19:13:50 GMT

We have a requirement to collect messages from cisco ASA where the Severity is Warnings (Severity 4, 3, 2,1, 0).

The client ASA is configured as such:

 

ca-edge-fw# show run all logging
logging enable
logging timestamp
logging hide username
logging buffer-size 4096
logging asdm-buffer-size 100
logging buffered warnings
logging trap warnings
logging console warning
logging asdm warningslogging device-id hostname
logging host inside 109.1.1.1 17/514
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024

It looks like I'm getting on the syslog remote server some the following message types:

<166>Jan 9 23:16:13 ca-edge-fw %ASA-6-106100:...
<166>Jan 9 23:16:12 ca-edge-fw %ASA-6-607001:....
<167>Jan 9 23:16:08 ca-edge-fw %ASA-7-713035:...

When we parse <166> and <167> strings, our decode maps to:

166: Severity 6 (Informational), Facility 20
167: Severity 7 (Debug), Facility 20

ref: Syslog protocol RFC 5424

Now we are also looking at Cisco's: Cisco ASA Series Syslog Messages by Severity

Based on the above it looks like the Syslog Collector Server is receiving unwanted debug and Informational messages from the Cisco log originator.

The question is the running configuration snippet shown above supposed to meet our requirement?
If so, why is the Syslog Collector Server receiving unwanted noise?

Re: Understanding Cisco ASA syslog message format.

balaji.bandi — Tue, 11 Jan 2022 19:25:37 GMT

what ASA code running, Can you post :

# show logging

Re: Understanding Cisco ASA syslog message format.

oscar.quinonez — Wed, 12 Jan 2022 01:21:12 GMT

@balaji.bandi , I sent the request to the firewall team to provide the information. With this is in mind, is the mapping between vendor specification and RFC jiving together?
What is the rationale on getting the "show version" and "show logging setting" output? Are you looking for a misconfiguration or a Operating System deficiency?

Re: Understanding Cisco ASA syslog message format.

balaji.bandi — Wed, 12 Jan 2022 10:00:17 GMT

I can see there is facility 20 on the output, so want to verify some output of show logging.

ASA has ability to send only certain logs and facility logs to syslog, also wiht error codes.

Re: Understanding Cisco ASA syslog message format.

oscar.quinonez — Wed, 12 Jan 2022 17:05:41 GMT

@balaji.bandi , here are the outputs:

# show version
Cisco Adaptive Security Appliance Software Version 9.12(4)24
SSP Operating System Version 2.6(1.230)
Device Manager Version 7.9(2)152
Compiled on Wed 28-Apr-21 05:32 GMT by builders
System image file is ”disk0:/asa9-12-4-24-smp-k8.bin"
Config file at boot was ''startup-config1'



# show logging setting
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: enabled
Debug-trace logging: disabled
Console logging: class auth webvpn svc ssl, 16719497 messages logged
Monitor logging: level warnings, 1044798800 messages logged
Buffer logging: level warnings, 1870924773 messages logged
Trap logging: level warnings, class vpn, facility 20, 22921480346 messages logged
Logging to MGMT 109.1.1.1, UDP TX:946580772
Logging to MGMT 109.1.1.1, UDP TX:946532788 errors: 117 dropped: 47984
Logging to MGMT 109.1.1.1, UDP TX:946543979 errors: 105 dropped: 36793
Logging to MGMT 109.1.1.1, UDP TX:946580772
Global TCP syslog stats::
NOT-PUTABLE: 0, ALL_CHANNEL_DOWN: 0
CHANNEL-FLAP-CNT: 0, SYSLOG_PKT_LOSS: 0
PARTIAL-REWRITE-CNT: 0
Permit-hostdown logging: enabled
History logging: level critical, 4527475 messages logged
Device ID: disabled
Mail logging: disabled
ASDM logging: level warnings, 1044798804 messages logged