10-01-2019 08:45 AM - edited 02-21-2020 09:32 AM
I know it can generate a ton of logs but is it best to enable or disable this syslog?
10-01-2019 09:04 AM
logging message 106023 - enable
no logging message 106023 - disable
10-01-2019 10:48 AM
10-01-2019 12:37 PM
Hi,
Yes, it's a good idea to log denied traffic, assuming you are going to look at the logs. You should send the logs to an external syslog server, as logs stored locally are lost upon a reboot, and fewer ASA resources are consumed.
HTH
10-02-2019 07:34 AM
10-02-2019 08:00 AM
Logging locally would consume memory; it's recommended to send to a syslog server so it doesn't slow down the FW. Ultimately it would depend on your hardware and how many events are being logged.
Reference here, under High Memory Utilisation section.
HTH
10-02-2019 08:43 AM
10-02-2019 08:50 AM
The original poster asks whether generating the log messages about traffic denied by ACL would impact CPU usage. And the answer clearly is that generating those log messages does require some CPU. And that transmitting those log records to an external server would consume some CPU and some bandwidth. Whether the impact of that CPU use is significant is hard to say.
The original question was whether it is better to enable the logging of the denied traffic or better to disable the logging and reduce resource use on the ASA. @Rob Ingram made a very significant point: it depends on how you would use them. If your organization is quite security conscious and if someone will be monitoring these logs, and checking them for significant events, and if someone would take action to address those significant events then certainly it is better to enable the logging. I have worked with customers who rarely check their logs. For them certainly it would be better to disable this logging.
So my response to the original poster is: where on the scale is your organization? Do you regularly check logs and take action based on what you observe? Or do you let things run and check the logs only when someone reports a potential problem? Or do you fall somewhere in the middle?
HTH
Rick
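A minimal way to review these denies, as an added example that is not part of any post in this thread: it parses 106023 lines from a syslog export, counts denies per source, and flags sources denied on several distinct destination ports. The sample lines, function names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the 106023 message format; addresses are documentation ranges.
SAMPLE_LOG = """\
Oct 01 2019 08:45:01 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/40112 dst inside:10.1.1.5/22 by access-group "outside_in" [0x0, 0x0]
Oct 01 2019 08:45:02 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/40113 dst inside:10.1.1.5/23 by access-group "outside_in" [0x0, 0x0]
Oct 01 2019 08:45:02 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/40114 dst inside:10.1.1.5/3389 by access-group "outside_in" [0x0, 0x0]
Oct 01 2019 08:45:09 fw1 : %ASA-4-106023: Deny udp src outside:203.0.113.20/5353 dst inside:10.1.1.9/53 by access-group "outside_in" [0x0, 0x0]
Oct 01 2019 08:45:11 fw1 : %ASA-4-106023: Deny icmp src outside:203.0.113.20 dst inside:10.1.1.9 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]
Oct 01 2019 08:45:12 fw1 : %ASA-6-302013: Built inbound TCP connection 1 for outside:192.0.2.1/1025 (192.0.2.1/1025) to inside:10.1.1.5/443 (10.1.1.5/443)
"""

# Ports are optional because ICMP denies carry a type/code instead of ports.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))?.*? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))?.*? '
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_denies(text):
    """Return one dict per 106023 line; other message IDs are skipped."""
    return [m.groupdict() for m in map(DENY_RE.search, text.splitlines()) if m]

def summarize(events, port_threshold=3):
    """Count denies per source and list sources denied on many distinct ports."""
    per_source = Counter(e["src_ip"] for e in events)
    targets = defaultdict(set)
    for e in events:
        if e["dst_port"]:  # skip ICMP, which has no destination port
            targets[e["src_ip"]].add((e["dst_ip"], int(e["dst_port"])))
    sweeping = sorted(s for s, t in targets.items() if len(t) >= port_threshold)
    return per_source, sweeping

if __name__ == "__main__":
    counts, sweeping = summarize(parse_denies(SAMPLE_LOG))
    for src, n in counts.most_common():
        note = "  <- many distinct ports" if src in sweeping else ""
        print(f"{src:15} {n:3} denies{note}")
```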
10-01-2019 02:38 PM
Enable logging to give you the ability to diagnose the problem which was blocking, so you can analyze the information to resolve any other issues around.
But ASA logs are stored in a buffer, and they will be removed eventually once the buffer is full.
I suggest always sending to an external syslog server if you are looking to archive and read for further use.