https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572655#M739056 <HTML><HEAD></HEAD><BODY><P>Corey,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; To follow up on what Kureli mentioned, the biggest issue will be the console logging. When you enable console logging you force the syslog process to rate-limit the generation of syslogs such that they would not overwhelm the slow Serial link (console). Depending on the rate of syslogs generated by your ASA, the scant 9200 baud rate of the console gets overrun quickly and as a result logs have to be queued up and subsequently dropped.</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; The only time you should be using console logging is if you have a host connected to the console and require seeing syslogs on that serial link. Even then, you must make sure the syslog rate is very low otherwise logs will be dropped by design.</P><P></P><P>- Magnus</P></BODY></HTML> Fri, 12 Nov 2010 03:10:14 GMT Magnus Mortensen 2010-11-12T03:10:14Z https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572653#M739043 <P>I'm having an issue where our syslog server does not appear to be getting all of the data that we expect it to get from a couple of our ASA's.&nbsp; The ASA's that are syslogging properly show "Current 0 msg on queue, 512 msgs most on queue" while the problematic ones usually have 300-400 "msg on queue".&nbsp; I have tried to raise the "logging queue length limit" to 1024 on the problem ASA's, but that didn't help.&nbsp; I also toned down the logging levels, as they were all at "debugging" but that did not help either.&nbsp; These are very high traffic internal firewalls, so they are a lot busier than the 0 msg firewalls, but I'm thinking 300-400 messages in queue sounds too high.</P><P></P><P>Here's the output of a show logging settings:</P><P>Syslog logging: enabled<BR />&nbsp;&nbsp;&nbsp; Facility: 20<BR />&nbsp;&nbsp;&nbsp; Timestamp logging: disabled<BR />&nbsp;&nbsp;&nbsp; Standby logging: enabled<BR />&nbsp;&nbsp;&nbsp; Debug-trace logging: disabled<BR />&nbsp;&nbsp;&nbsp; Console logging: level notifications, 86410176 messages logged<BR />&nbsp;&nbsp;&nbsp; Monitor logging: level notifications, 86410174 messages logged<BR />&nbsp;&nbsp;&nbsp; Buffer logging: level notifications, 86410176 messages logged<BR />&nbsp;&nbsp;&nbsp; Trap logging: level debugging, facility 20, 86485505 messages logged<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Logging to prodinside-v364 syslogserver errors: 52467&nbsp; dropped: 2382326<BR />&nbsp;&nbsp;&nbsp; History logging: disabled<BR />&nbsp;&nbsp;&nbsp; Device ID: disabled<BR />&nbsp;&nbsp;&nbsp; Mail logging: disabled<BR />&nbsp;&nbsp;&nbsp; ASDM logging: level informational, 86472362 messages logged</P><P></P><P>Any ideas as to what I can do to lower the size of my message queues? </P><P><BR />Thanks!</P> Mon, 11 Mar 2019 19:08:12 GMT https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572653#M739043 corey 2019-03-11T19:08:12Z https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572654#M739048 <HTML><HEAD></HEAD><BODY><P>Pls. remove console logging.</P><P></P><P>Issue "sh run logg"</P><P></P><P>You can remove monitor and console logg</P><P></P><P>conf t</P><P>no logging monitor</P><P>no logging console</P><P></P><P>once done check it again.</P><P></P><P>-KS</P></BODY></HTML> Thu, 11 Nov 2010 23:45:49 GMT https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572654#M739048 Kureli Sankar 2010-11-11T23:45:49Z https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572655#M739056 <HTML><HEAD></HEAD><BODY><P>Corey,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; To follow up on what Kureli mentioned, the biggest issue will be the console logging. When you enable console logging you force the syslog process to rate-limit the generation of syslogs such that they would not overwhelm the slow Serial link (console). Depending on the rate of syslogs generated by your ASA, the scant 9200 baud rate of the console gets overrun quickly and as a result logs have to be queued up and subsequently dropped.</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; The only time you should be using console logging is if you have a host connected to the console and require seeing syslogs on that serial link. Even then, you must make sure the syslog rate is very low otherwise logs will be dropped by design.</P><P></P><P>- Magnus</P></BODY></HTML> Fri, 12 Nov 2010 03:10:14 GMT https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572655#M739056 Magnus Mortensen 2010-11-12T03:10:14Z https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572656#M739066 <HTML><HEAD></HEAD><BODY><P>Thanks for the replies.&nbsp; I have removed the console and monitor logging, but the issue still persists.&nbsp; Here's the output of "sh run logg" after I removed console/monitor logging:</P><P></P><P>logging enable<BR />logging standby<BR />logging console notifications<BR />logging monitor notifications<BR />logging buffered notifications<BR />logging trap debugging<BR />logging asdm debugging<BR />logging queue 1024<BR />logging host prodinside-v364 syslogserver1<BR />logging host prodinside-v364 syslogserver2<BR />logging host prodinside-v364 syslogserver3</P><P></P><P>I issued a "no logging enable", waited for the queue to hit zero, then "logging enable" and the queue immediately started to grow and was up to around 300 again within about 20 seconds.&nbsp; So I removed a few other settings, now it looks like this:</P><P></P><P>logging enable<BR />logging buffered notifications<BR />logging trap debugging<BR />logging asdm debugging<BR />logging queue 1024<BR />logging host prodinside-v364 syslogserver1</P><P></P><P>and I still have over 300 messages queued (after disabling and enabling logging). Any other ideas?</P><P></P><P>This is part of a failover/dual-context pair if that matters.</P></BODY></HTML> Fri, 12 Nov 2010 14:56:03 GMT https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572656#M739066 corey 2010-11-12T14:56:03Z https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572657#M739072 <HTML><HEAD></HEAD><BODY><P>Just figured it out...</P><P></P><P>I removed the "logging standby" on the paired ASA and the queue on both immediately dropped to zero.&nbsp; What will I be missing out on by not doing logging to the standby context/asa?</P></BODY></HTML> Fri, 12 Nov 2010 14:59:43 GMT https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572657#M739072 corey 2010-11-12T14:59:43Z https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572658#M739086 <HTML><HEAD></HEAD><BODY><P>Logging standby causes the standby unit also to send syslogs to the syslog server.</P><P></P><P>This will almost double the amount of syslogs that the syslog server will see as both units will send logs.</P><P></P><P>We do this for troubleshooting purpose just to see what the sec/standby unit sent to the syslog server during the time of the problem.</P><P></P><P>This is not on by default.</P><P></P><P>-KS</P></BODY></HTML> Fri, 12 Nov 2010 15:51:47 GMT https://community.cisco.com/t5/network-security/asa-logging-queue/m-p/1572658#M739086 Kureli Sankar 2010-11-12T15:51:47Z