Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3039
Views
0
Helpful
8
Replies

Is it possible to filter out connection traffic from ASA logs before going to the syslog server

Go to solution
Eric R. Jones
Level 4
Level 4

‎07-18-2019 06:21 PM

Hello, we have our new log server up and we're using A10 Thunder to load balance.

We have logs from our proxy being sent to the syslog server with no problems.

However, we have traffic from our ASA 5585X being sent to the syslog server and some of the data is not wanted.

Specifically teardown and buildup traffic for each connection.

I have been googling around to see if this type of traffic can be stripped out before being sent to the syslog server, either on the FW itself or via an ACL at the first convenient switch between the FW and the syslog server.

Is it possible to do this?

I know we can simply create an ACL to block all UDP to 514 but we wish to collect some log traffic from the FW just not overwhelm our syslog server duplicate data.

 

ej 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Eric R. Jones

‎07-22-2019 04:38 AM

I do not believe the first command fits your situation. I have used the second command with success. I do not believe that you need to include the standby parameter.

 

HTH

 

Rick

HTH

Rick

View solution in original post

0 Helpful
8 Replies 8

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-18-2019 11:44 PM

I always get the as much as information from ASA to syslogs for better visibility and SYSLOG Server have capbilities to trim the Logs (Depends what syslog server you using)

 

Since ASA do not have much capabilities to save historical data in to the Device.

 

I have  used syslog-ng and greylogger with elastic stack...we can trim the logs and remaining data you can be removed or keep for any analysis based on the organisation requirement and size of hdd space.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Eric R. Jones
Level 4
Level 4
In response to balaji.bandi

‎07-20-2019 04:30 PM

We are supposed to be getting Elastic but not sure when. The issue is we appear to be duplicate logging the traffic from the proxy and the firewall. The logging of the connection build-up and tear-downs are what's overloading the logs. Eliminating those log entries would help tremendously.

 

ej

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Eric R. Jones

‎07-21-2019 11:33 AM

One option to consider is the ability of the ASA to suppress specific log messages. So you could get the message identifier of the buildup and teardown messages that you do not want to send to the server and then configure the ASA to suppress those messages. This means that the messages will not get to the syslog server but also means that you would not see those messages on the ASA. Is that acceptable?

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
Eric R. Jones
Level 4
Level 4
In response to Richard Burts

‎07-21-2019 04:06 PM

I have been going down this road trying to figure out how to suppress these log messages. I found 2 commands.

1. logging flow-export-syslogs syslogs disable command:

 If the security appliance is configured to export NetFlow data, to improve performance, we recommend that you disable redundant syslog messages (those also captured by NetFlow) by entering the logging flow-export-syslogs disable command.

 

2. no logging message message-number:  where "message-number" would be 302013 or 305012. 

 

Still looking to see which method is the best. I haven't found what I believe to be the way to do this in the ASDM UI.

It may not be there.

I did find the URL for the syslog ID messages definitions.

302013,302,014,302015 and 302016 are related to communications tear down and build up for TCP and UDP connections.

We have our FW's in HA so I'm not sure if I need to enter the "standby" command at the end of each configuration.

config t

no logging message 302013  or no logging message 302013 standby

no logging message 302014 or no logging message 302014 standby

etc...

 ej

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Eric R. Jones

‎07-22-2019 04:38 AM

I do not believe the first command fits your situation. I have used the second command with success. I do not believe that you need to include the standby parameter.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
Eric R. Jones
Level 4
Level 4
In response to Richard Burts

‎07-22-2019 02:48 PM

I used the second command and eliminated the standby option after a quick context search.

The command does work and we have lowered the number of logs going to the remote log server.

So our test works, now we need to establish which logs are the ones we wish to eliminate.

We only want to eliminate the logs coming from a specific IP address, those from the proxy server(s).

There isn't an option with the command to identify a destination or source IP so that makes it more problematic.

Thanks for the information.

 

ej

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Eric R. Jones

‎07-23-2019 01:55 PM

I am glad that my suggestions have been helpful and that you have been able to suppress the specific log messages. You have clarified that you do not really want to suppress all of those log messages but only the messages for connection to specific addresses. Unfortunately I do not know of a way to achieve that.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
Eric R. Jones
Level 4
Level 4
In response to Richard Burts

‎07-23-2019 02:21 PM

I have been trying to google around on the subject but haven't found anything to address it. I'll probably have to open a TAC case.

 

ej

0 Helpful
Customers Also Viewed These Support Documents