https://community.cisco.com/t5/network-security/rsyslog-cannot-parse-timestamps-from-asa-syslog/m-p/4871549#M1102525 <P>Yes, applying the command enables timestamps in the pcap, but they are still not recognisable by Rsyslog. The solution was to add "format emblem" at the end of each syslog host. Now the timestamps are recognisable by Rsyslog.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Emblem.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/190106iA439A7D32CAB151C/image-size/large?v=v2&amp;px=999" role="button" title="Emblem.PNG" alt="Emblem.PNG" /></span></P> <P>&nbsp;</P> Tue, 11 Jul 2023 08:59:15 GMT Ronit Bhattacharjee 2023-07-11T08:59:15Z https://community.cisco.com/t5/network-security/rsyslog-cannot-parse-timestamps-from-asa-syslog/m-p/4871534#M1102519 <P>We use Rsyslog and LogAnalyzer as our Syslog collector. All our routers/switches/firewalls send Syslogs to Rsyslog. We would like timestamps in the log payload and this works fine for routers and switches, but Rsyslog cannot recognise the timestamp of the logs sent by Cisco ASA.</P> <P>Here's the difference</P> <P>Router</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Router logs with timestamps.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/190102i11BAD2949599D075/image-size/large?v=v2&amp;px=999" role="button" title="Router logs with timestamps.png" alt="Router logs with timestamps.png" /></span></P> <P>Firewall</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Firewall logs without timestamps.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/190103i4BBA159CD7F423D7/image-size/large?v=v2&amp;px=999" role="button" title="Firewall logs without timestamps.png" alt="Firewall logs without timestamps.png" /></span></P> <P>Using packet captures, we can see that the firewall is indeed sending timestamps in the UDP message, but the format is different from the router and that may explain why Rsyslog is not able to parse it.</P> <P>Is this known behaviour? Any way to get the firewall to send the timestamps in the same format as the router?</P> Tue, 11 Jul 2023 08:43:03 GMT https://community.cisco.com/t5/network-security/rsyslog-cannot-parse-timestamps-from-asa-syslog/m-p/4871534#M1102519 Ronit Bhattacharjee 2023-07-11T08:43:03Z https://community.cisco.com/t5/network-security/rsyslog-cannot-parse-timestamps-from-asa-syslog/m-p/4871545#M1102523 <P>Did you apply the "logging timestamp" command on the ASA?</P> Tue, 11 Jul 2023 08:56:31 GMT https://community.cisco.com/t5/network-security/rsyslog-cannot-parse-timestamps-from-asa-syslog/m-p/4871545#M1102523 Aref Alsouqi 2023-07-11T08:56:31Z https://community.cisco.com/t5/network-security/rsyslog-cannot-parse-timestamps-from-asa-syslog/m-p/4871549#M1102525 <P>Yes, applying the command enables timestamps in the pcap, but they are still not recognisable by Rsyslog. The solution was to add "format emblem" at the end of each syslog host. Now the timestamps are recognisable by Rsyslog.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Emblem.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/190106iA439A7D32CAB151C/image-size/large?v=v2&amp;px=999" role="button" title="Emblem.PNG" alt="Emblem.PNG" /></span></P> <P>&nbsp;</P> Tue, 11 Jul 2023 08:59:15 GMT https://community.cisco.com/t5/network-security/rsyslog-cannot-parse-timestamps-from-asa-syslog/m-p/4871549#M1102525 Ronit Bhattacharjee 2023-07-11T08:59:15Z https://community.cisco.com/t5/network-security/rsyslog-cannot-parse-timestamps-from-asa-syslog/m-p/4871552#M1102527 <P>Thanks for update us and share solution.</P> Tue, 11 Jul 2023 09:01:01 GMT https://community.cisco.com/t5/network-security/rsyslog-cannot-parse-timestamps-from-asa-syslog/m-p/4871552#M1102527 MHM Cisco World 2023-07-11T09:01:01Z