cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

368
Views
0
Helpful
8
Replies
Highlighted
Beginner

Is it possible to filter out connection traffic from ASA logs before going to the syslog server

Hello, we have our new log server up and we're using A10 Thunder to load balance.

We have logs from our proxy being sent to the syslog server with no problems.

However, we have traffic from our ASA 5585X being sent to the syslog server and some of the data is not wanted.

Specifically teardown and buildup traffic for each connection.

I have been googling around to see if this type of traffic can be stripped out before being sent to the syslog server, either on the FW itself or via an ACL at the first convenient switch between the FW and the syslog server.

Is it possible to do this?

I know we can simply create an ACL to block all UDP to 514 but we wish to collect some log traffic from the FW just not overwhelm our syslog server duplicate data.

 

ej 

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Master

Re: Is it possible to filter out connection traffic from ASA logs before going to the syslog server

I do not believe the first command fits your situation. I have used the second command with success. I do not believe that you need to include the standby parameter.

 

HTH

 

Rick

If you found this post helpful, please let the community know by clicking the helpful button!
By doing so, and until end of January, you are helping Doctors Without Borders

View solution in original post

8 REPLIES 8
VIP Advisor

Re: Is it possible to filter out connection traffic from ASA logs before going to the syslog server

I always get the as much as information from ASA to syslogs for better visibility and SYSLOG Server have capbilities to trim the Logs (Depends what syslog server you using)

 

Since ASA do not have much capabilities to save historical data in to the Device.

 

I have  used syslog-ng and greylogger with elastic stack...we can trim the logs and remaining data you can be removed or keep for any analysis based on the organisation requirement and size of hdd space.

 

BB
*** Rate All Helpful Responses ***
Beginner

Re: Is it possible to filter out connection traffic from ASA logs before going to the syslog server

We are supposed to be getting Elastic but not sure when. The issue is we appear to be duplicate logging the traffic from the proxy and the firewall. The logging of the connection build-up and tear-downs are what's overloading the logs. Eliminating those log entries would help tremendously.

 

ej

Hall of Fame Master

Re: Is it possible to filter out connection traffic from ASA logs before going to the syslog server

One option to consider is the ability of the ASA to suppress specific log messages. So you could get the message identifier of the buildup and teardown messages that you do not want to send to the server and then configure the ASA to suppress those messages. This means that the messages will not get to the syslog server but also means that you would not see those messages on the ASA. Is that acceptable?

 

HTH

 

Rick

If you found this post helpful, please let the community know by clicking the helpful button!
By doing so, and until end of January, you are helping Doctors Without Borders
Beginner

Re: Is it possible to filter out connection traffic from ASA logs before going to the syslog server

I have been going down this road trying to figure out how to suppress these log messages. I found 2 commands.

1. logging flow-export-syslogs syslogs disable command:

 If the security appliance is configured to export NetFlow data, to improve performance, we recommend that you disable redundant syslog messages (those also captured by NetFlow) by entering the logging flow-export-syslogs disable command.

 

2. no logging message message-number:  where "message-number" would be 302013 or 305012. 

 

Still looking to see which method is the best. I haven't found what I believe to be the way to do this in the ASDM UI.

It may not be there.

I did find the URL for the syslog ID messages definitions.

302013,302,014,302015 and 302016 are related to communications tear down and build up for TCP and UDP connections.

We have our FW's in HA so I'm not sure if I need to enter the "standby" command at the end of each configuration.

config t

no logging message 302013  or no logging message 302013 standby

no logging message 302014 or no logging message 302014 standby

etc...

 ej

Hall of Fame Master

Re: Is it possible to filter out connection traffic from ASA logs before going to the syslog server

I do not believe the first command fits your situation. I have used the second command with success. I do not believe that you need to include the standby parameter.

 

HTH

 

Rick

If you found this post helpful, please let the community know by clicking the helpful button!
By doing so, and until end of January, you are helping Doctors Without Borders

View solution in original post

Beginner

Re: Is it possible to filter out connection traffic from ASA logs before going to the syslog server

I used the second command and eliminated the standby option after a quick context search.

The command does work and we have lowered the number of logs going to the remote log server.

So our test works, now we need to establish which logs are the ones we wish to eliminate.

We only want to eliminate the logs coming from a specific IP address, those from the proxy server(s).

There isn't an option with the command to identify a destination or source IP so that makes it more problematic.

Thanks for the information.

 

ej

Hall of Fame Master

Re: Is it possible to filter out connection traffic from ASA logs before going to the syslog server

I am glad that my suggestions have been helpful and that you have been able to suppress the specific log messages. You have clarified that you do not really want to suppress all of those log messages but only the messages for connection to specific addresses. Unfortunately I do not know of a way to achieve that.

 

HTH

 

Rick

If you found this post helpful, please let the community know by clicking the helpful button!
By doing so, and until end of January, you are helping Doctors Without Borders
Beginner

Re: Is it possible to filter out connection traffic from ASA logs before going to the syslog server

I have been trying to google around on the subject but haven't found anything to address it. I'll probably have to open a TAC case.

 

ej

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards