10-12-2011 10:42 AM
Hello,
I am sending syslog messages from our ASAs to an LMS Prime. Somehow the messages are not showing up in syslog_info. I tested shutting down LMS and using the 3Com daemon syslog server on a device with the same IP address as the LMS host, and the syslog messages were displayed.
All ASAs are managed by LMS.
Any ideas?
regards
alex
10-18-2011 10:24 AM
Hi,
Are you referring to LMS 4.1 appliance? What do you see when you navigate to Admin > Collection Settings > Syslog?
Below is a Q&A related to syslog:
Q. Why am I not getting syslog messages for my devices?
A. You might not be getting syslog messages for one of the following reasons:
* The device is not managed by RME.
* The Syslog parameters are not enabled correctly on the device.
* Too many messages are being received by the syslog program. On Windows systems, logging for the PIX firewall has a tendency to lock the syslog function due to the massive number of messages from the firewall.
* Filters might be applied to incoming syslog messages. By default, Link Up/Down, PIX, Severity 7, and IOS Firewall Audit Trail messages are filtered out.
10-24-2011 01:05 AM
Hi,
Yes, I am referring to the LMS 4.1 application.
The devices are managed and are configured correctly. I replaced a Windows-based LMS with the appliance-based version. On the Windows-based version I received the syslogs.
So it must be something different between the Windows-based version and the appliance.
The odd thing is, the syslog messages do not even appear in the syslog_info file.
regards
alex
10-24-2011 01:41 AM
First check if the ASA is configured to send the syslog messages in EMBLEM format; this is necessary to make them show up in the syslog reports. The LMS Syslog Analyzer can only process syslog messages in EMBLEM format.
What I am wondering about is that you say the messages don't make their way to the plain syslog file; this should be independent from the (EMBLEM) format. But I have no experience with the LMS appliance, so to exclude any format dependency I would first check this point.
This is a link for how to configure syslog EMBLEM format on ASA:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1065684
10-24-2011 10:51 AM
Hi Martin,
Here is my logging configuration:
show run | in logging
logging enable
logging timestamp
logging emblem
logging trap errors
logging history warnings
logging asdm debugging
logging mail critical
logging host INSIDE 10.0.128.19
10-24-2011 11:19 AM
Hi,
Do any syslogs make it to your LMS server or are the messages from the ASA the only ones missing?
Prerequisites for Logging
• The syslog server must run a server program called “syslogd.” Windows (except for Windows 95 and Windows 98) provides a syslog server as part of its operating system. For Windows 95 and Windows 98, you must obtain a syslogd server from another vendor.
• To view logs generated by the adaptive security appliance, you must specify a logging output destination. If you enable logging without specifying a logging output destination, the adaptive security appliance generates messages, but does not save them to a location from which you can view them. You must specify each different logging output destination separately. For example, to designate more than one syslog server as an output destination, enter a new command for each syslog server.
logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]
Thanks
10-24-2011 11:56 AM
10-24-2011 12:08 PM
When you navigate to Admin > Collection Settings > Syslog are there statistics regarding Forwarded|Invalid|Filtered|Dropped|Received messages?
Thanks
10-24-2011 12:32 PM
No messages are filtered or dropped.
Are there any filters or rules active before syslog messages are written into the syslog_info file?
10-24-2011 08:18 PM
Alex,
Could you try to modify your ASA config line currently reading "logging host INSIDE 10.0.128.19" to instead read "logging host INSIDE 10.0.128.19 udp format emblem"?
Hope this helps.
10-26-2011 01:33 AM
Hi,
I tried, but it didn't change anything.
Thanks,
Alex
10-26-2011 06:32 AM
Hi,
I suggest a packet capture at the LMS server to verify the messages are being delivered.
Thanks
10-26-2011 06:37 AM
Hi, I did this already. I see incoming syslogs for my firewalls and the wireless LAN controllers.
03-08-2012 05:07 AM
Hello,
Alex, did you manage to work things out with syslog messages from ASA?
Best regards,
Leszek
03-08-2012 05:20 AM
Hi Leszek,
Yes, I finally found the problem. I had to set the logging facility to 23.
I added this line to my configuration and then it was working.
logging facility 23
regards
Alex
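When a collector silently ignores datagrams, the quickest check on a packet capture is to decode the syslog PRI header and see which facility and severity the ASA is actually stamping on each message. The script below is an added example, not code from the thread or from Cisco: it decodes PRI (facility * 8 + severity, per BSD syslog), flags messages whose facility differs from the one the collector expects (23, i.e. local7, as in Alex's fix; the ASA default is 20, local4) and whether the %ASA-severity-id tag is present. The sample datagrams are constructed; the message texts and timestamps are illustrative only.

```python
import re

# Facility numbers 16..23 are local0..local7 in BSD syslog; 20 is the ASA default.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The ASA message tag (%ASA-<severity>-<six-digit id>:) appears in both ASA output formats.
ASA_TAG = re.compile(r"%ASA-(\d)-(\d{6}):")

# Constructed sample datagrams: same message, before and after "logging facility 23".
# PRI = facility*8 + severity: 20*8+3 = 163 (local4), 23*8+3 = 187 (local7).
SAMPLE_BEFORE = "<163>Oct 24 2011 10:51:00: %ASA-3-106010: Deny inbound tcp src INSIDE:10.0.1.5/4455 dst OUTSIDE:198.51.100.7/443"
SAMPLE_AFTER = "<187>Oct 24 2011 10:51:00: %ASA-3-106010: Deny inbound tcp src INSIDE:10.0.1.5/4455 dst OUTSIDE:198.51.100.7/443"
SAMPLE_NO_TAG = "<187>Oct 24 2011 10:51:00: some non-ASA message"


def decode_pri(datagram: str):
    """Return (facility, severity) from the leading <PRI> of a BSD-syslog datagram."""
    m = re.match(r"<(\d{1,3})>", datagram)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23*8+7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def check_datagram(datagram: str, expected_facility: int = 23) -> dict:
    """Decode one datagram and list the reasons a collector expecting
    `expected_facility` and an ASA message tag might discard it."""
    facility, severity = decode_pri(datagram)
    body = datagram.split(">", 1)[1]
    problems = []
    if facility != expected_facility:
        problems.append(
            f"facility {facility} ({FACILITY_NAMES.get(facility, 'unknown')}) "
            f"!= expected {expected_facility} ({FACILITY_NAMES.get(expected_facility, 'unknown')})"
        )
    tag = ASA_TAG.search(body)
    if tag is None:
        problems.append("no %ASA-<severity>-<id> tag in message body")
    elif int(tag.group(1)) != severity:
        problems.append(f"PRI severity {severity} disagrees with %ASA tag severity {tag.group(1)}")
    return {"facility": facility, "severity": severity,
            "severity_name": SEVERITY_NAMES[severity], "problems": problems}


def triage(datagrams, expected_facility: int = 23) -> dict:
    """Summarise a capture: count of clean datagrams and the distinct problems seen."""
    results = [check_datagram(d, expected_facility) for d in datagrams]
    return {"clean": sum(1 for r in results if not r["problems"]),
            "problems": sorted({p for r in results for p in r["problems"]})}
```

Feed it the payloads of the UDP/514 datagrams from the capture taken on the LMS server; a facility mismatch shows up as the first listed problem.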