12-29-2020 06:14 AM
Hello,
I have an ASA integrated with a syslog server. Suddenly the syslog team is reporting that logs aren't being received by the server. How can I check if the ASA is forwarding the syslogs to the server?
12-29-2020 06:46 AM
First check the configuration - have any changes been made?
Check the syslog IP address and configuration:
show run | in logg
show logg
Next, check for any newly added ACL related to the syslog IP which has a deny.
ASDM provides a tool called 'Real Time Log Viewer'. Put the syslog IP address in the filter and it will show you the transactions.
12-30-2020 12:29 AM
I already checked through the Real Time Log Viewer but there wasn't anything there. I then ran a packet capture with the source interface IP which should be sending syslogs, and now I am able to see the traffic going through.
12-30-2020 12:39 AM
Other tests can be done: ping the syslog IP from the firewall to see if it is reachable. If the packet tracer shows traffic leaving the interface, it may be getting dropped somewhere beyond the ASA in the network path.
Can they confirm they are able to receive other logs (from other devices apart from the ASA)?
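The checks suggested in the replies above, collected into one ASA CLI sequence as an added example (not from the original thread). The interface name inside and the addresses 192.0.2.10 (ASA) and 198.51.100.20 (syslog server) are placeholders; substitute the interface and IP from the logging host line.

```cisco
! Placeholder addresses: ASA egress interface 192.0.2.10, syslog server 198.51.100.20
! 1. Confirm the logging configuration is still present (server IP, interface, level)
show run | in logg
show logg
! 2. Confirm the server is reachable from the ASA at all
ping 198.51.100.20
! 3. Capture only syslog (UDP/514) from the ASA to the server, on the interface
!    named in the "logging host" line; then inspect what was captured
capture SYSLOG interface inside match udp host 192.0.2.10 host 198.51.100.20 eq 514
show capture SYSLOG
! 4. Ask the ASA how it would treat such a packet (route, NAT and ACL decisions)
packet-tracer input inside udp 192.0.2.10 1025 198.51.100.20 514
! 5. Remove the capture when finished
no capture SYSLOG
```

If the capture shows packets leaving but the server never sees them, repeat the same capture filter on the next hop (here the FTD) to locate where the drop occurs.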
12-30-2020 12:44 AM
The packets are actually leaving the ASA but they are somehow being dropped in the FTD above.
The topology here is ASA -> FTD -> Syslog Server.
I put a capture on the FTD to see if it is receiving any syslog packets from the ASA. I can see it receiving the packets, but they are getting dropped by the default deny rule.
The confusing part here is that I have an identical setup in another DC (DC2), and there is no separate ACL defined for syslog traffic in the FTD. Even then, everything is working perfectly fine there and I can see it in the packet captures; there it just goes through without ACL inspection. Not sure why traffic is suddenly getting dropped by the DC1 FTD, and this was also working fine before.
12-30-2020 02:19 AM
Sure, that is the best way to move forward. Since the FTD is in the middle, something might have changed; it is worth doing a capture on the FTD and checking whether the ASA is able to send the logs, filtering on the source ASA and destination syslog server IP.
Is the syslog team able to receive the FTD logs?
When you mentioned the other DC: I hope these FTDs are not in HA between the DCs? Or are the DC firewalls separate instances, right?
12-30-2020 03:32 AM
Yes, the other FTDs are entirely separate instances in another DC. Communication is working without any access list there.
One more thing is that I am not getting any denied-traffic logs for the syslogs; I can see it is getting blocked only in the packet capture or packet tracer.
12-30-2020 03:45 AM
Can the syslog team see the FTD logs? When did the ASA logs stop being sent to syslog? You need to investigate from that time: what changes happened? Any routing change?
12-29-2020 05:24 PM
Check NTP sync.