Missing data in ASA syslogs

Rob.Moser1 — Tue, 12 Mar 2019 06:58:30 GMT

Hello All,

I'm hoping for some help in debugging a problem with the syslogs from our ASA device. We're missing data. A _lot_ of data. I'll say up front that I am not the administrator of the ASA device (I'm the consumer of the log data) but our local admin team has run out of ideas, so I thought I'd bring it to the community.

Our ASA device logs to three different machines (it's meant to be 2, but we're transitioning one to a new host and have it temporarily doing all 3 while I test the data integrity.) By pulling a 2-hour block of data from all 3 machines and comparing what is present in each log, I appear to be getting about 77% of the entries on two of the machines (logging via tcp), and 70% of the entries on the third (logging via udp.) Each machine gets a very different collection of data - statistically consistent with it being a random sample. Two of the machines are hardware devices; the other is a virtual machine. None of the three appears to be particularly overloaded CPU-wise or on the network (running about 5Mbps on a 100Mbps network). The virtual machine is running the latest stable rsyslog, as I wanted to eliminate that as a bottleneck. Our network guys tell me that the logging config on the ASA device looks like:

Syslog logging: enabled
    Facility: 23
    Timestamp logging: enabled
    Hide Username logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: level warnings, 324455744 messages logged
    Buffer logging: level notifications, 2408158686 messages logged
    Trap logging: level notifications, facility 23, 9112963408 messages logged
        Logging to inside <machine 1 redacted>
        Logging to inside <machine 2 redacted> tcp/1470 Connected
        Logging to inside <machine 3 redacted> tcp/1470 Connected
    Permit-hostdown logging: enabled
    History logging: disabled
    Device ID: context name "internet"
    Mail logging: disabled
    ASDM logging: level debugging, 4093093239 messages logged

Do you see anything obviously wrong with that logging config?
Is there a way that we can reset those statistics, so I can see a count of the messages the device thinks it is sending out for a given period?
Are there errors I could look for in the logs themselves that might indicate problems transmitting the data?
Any other ideas on where to look for what might be going wrong?

I appreciate any suggestions, and thanks for your time,

- rob.

Hi,

johnd2310 — Wed, 02 Dec 2015 03:17:36 GMT

Hi,

Could be that your firewall is logging faster than it can send to the hosts. what is the logging queue? You can get this via the following command:

show logging queue

Thanks

John

Thanks for the quick reply!

Rob.Moser1 — Wed, 02 Dec 2015 16:07:30 GMT

Thanks for the quick reply! Our network guys report the queue not looking backed up:

sh logg que

        Logging Queue length limit : 8192 msg(s)
        0 msg(s) discarded due to queue overflow
        0 msg(s) discarded due to memory allocation failure
        Current 1 msg on queue, 512 msgs most on queue

We checked that before and we have never seen discarded messages…

topic Thanks for the quick reply! in Network Security

Missing data in ASA syslogs

Hi,

Thanks for the quick reply!