07-18-2019 06:21 PM
Hello, we have our new log server up and we're using A10 Thunder to load balance.
We have logs from our proxy being sent to the syslog server with no problems.
However, we have traffic from our ASA 5585X being sent to the syslog server and some of the data is not wanted.
Specifically teardown and buildup traffic for each connection.
I have been googling around to see if this type of traffic can be stripped out before being sent to the syslog server, either on the FW itself or via an ACL at the first convenient switch between the FW and the syslog server.
Is it possible to do this?
I know we can simply create an ACL to block all UDP to 514, but we wish to collect some log traffic from the FW, just not overwhelm our syslog server with duplicate data.
ej
07-18-2019 11:44 PM
I always get as much information as possible from the ASA to syslog for better visibility, and the syslog server has capabilities to trim the logs (depending on what syslog server you are using),
since the ASA does not have much capability to save historical data on the device.
I have used syslog-ng and greylogger with the Elastic stack. We can trim the logs, and the remaining data can be removed or kept for any analysis based on the organisation's requirements and the size of HDD space.
07-20-2019 04:30 PM
We are supposed to be getting Elastic but not sure when. The issue is we appear to be duplicate logging the traffic from the proxy and the firewall. The logging of the connection build-ups and tear-downs is what's overloading the logs. Eliminating those log entries would help tremendously.
ej
07-21-2019 11:33 AM
One option to consider is the ability of the ASA to suppress specific log messages. So you could get the message identifier of the buildup and teardown messages that you do not want to send to the server and then configure the ASA to suppress those messages. This means that the messages will not get to the syslog server but also means that you would not see those messages on the ASA. Is that acceptable?
HTH
Rick
07-21-2019 04:06 PM
I have been going down this road trying to figure out how to suppress these log messages. I found 2 commands.
1. logging flow-export-syslogs disable command:
If the security appliance is configured to export NetFlow data, to improve performance, we recommend that you disable redundant syslog messages (those also captured by NetFlow) by entering the logging flow-export-syslogs disable command.
2. no logging message message-number: where "message-number" would be 302013 or 305012.
Still looking to see which method is the best. I haven't found what I believe to be the way to do this in the ASDM UI.
It may not be there.
I did find the URL for the syslog ID messages definitions.
302013, 302014, 302015 and 302016 are related to communications tear down and build up for TCP and UDP connections.
We have our FWs in HA so I'm not sure if I need to enter the "standby" command at the end of each configuration.
config t
no logging message 302013 or no logging message 302013 standby
no logging message 302014 or no logging message 302014 standby
etc...
ej
07-22-2019 04:38 AM
I do not believe the first command fits your situation. I have used the second command with success. I do not believe that you need to include the standby parameter.
HTH
Rick
07-22-2019 02:48 PM
I used the second command and eliminated the standby option after a quick context search.
The command does work and we have lowered the number of logs going to the remote log server.
So our test works, now we need to establish which logs are the ones we wish to eliminate.
We only want to eliminate the logs coming from a specific IP address, those from the proxy server(s).
There isn't an option with the command to identify a destination or source IP so that makes it more problematic.
Thanks for the information.
ej
07-23-2019 01:55 PM
I am glad that my suggestions have been helpful and that you have been able to suppress the specific log messages. You have clarified that you do not really want to suppress all of those log messages but only the messages for connection to specific addresses. Unfortunately I do not know of a way to achieve that.
HTH
Rick
07-23-2019 02:21 PM
I have been trying to google around on the subject but haven't found anything to address it. I'll probably have to open a TAC case.
ej
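Added example (not from any poster in this thread and not Cisco code): because `no logging message` has no source or destination match, the per-host selection can be made where the collector receives the lines, as the syslog-ng/Elastic reply suggests. This Python filter drops messages 302013 to 302016 only when an endpoint is a proxy address; `PROXY_NETS`, the function names and the sample lines are constructed assumptions, and only IPv4 `interface:address/port` endpoints are parsed.

```python
import ipaddress
import re

# Message IDs named in the thread: TCP/UDP connection build-up and teardown.
CONN_IDS = {"302013", "302014", "302015", "302016"}
# Assumption: proxy server address(es); constructed value, replace with your own.
PROXY_NETS = [ipaddress.ip_network("10.1.1.50/32")]

MSG_ID = re.compile(r"%ASA-\d-(\d{6}):")
# Real endpoints are logged as interface:address/port; mapped (NAT) addresses
# in parentheses carry no interface name and are deliberately not matched.
ENDPOINT = re.compile(r"\b[\w-]+:(\d{1,3}(?:\.\d{1,3}){3})/\d+")

def involves_proxy(line):
    """True if any IPv4 endpoint in the line falls inside PROXY_NETS."""
    for addr in ENDPOINT.findall(line):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # e.g. an octet above 255 in a damaged line
            continue
        if any(ip in net for net in PROXY_NETS):
            return True
    return False

def keep(line):
    """Drop only build-up/teardown messages that involve a proxy address."""
    m = MSG_ID.search(line)
    if m is None or m.group(1) not in CONN_IDS:
        return True  # other message IDs and non-ASA lines pass through
    return not involves_proxy(line)

def filter_lines(lines):
    return [line for line in lines if keep(line)]

# Constructed sample lines in ASA syslog format (not captured from a device).
SAMPLE = [
    "%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 "
    "(203.0.113.10/443) to inside:10.1.1.50/51234 (198.51.100.5/51234)",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 "
    "to inside:10.1.1.50/51234 duration 0:00:30 bytes 4500 TCP FINs",
    "%ASA-6-302015: Built outbound UDP connection 1002 for outside:198.51.100.53/53 "
    "(198.51.100.53/53) to inside:10.1.2.20/40000 (198.51.100.5/40000)",
    "%ASA-4-106023: Deny tcp src inside:10.1.1.50/51300 dst outside:203.0.113.99/25 "
    'by access-group "inside_in" [0x0, 0x0]',
]

if __name__ == "__main__":
    for line in filter_lines(SAMPLE):
        print(line)
```

Unlike `no logging message`, this keeps the build-up and teardown records for every other host, and the ASA itself still logs all of them locally.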