LMS Prime: Syslog messages from ASA are not processed
10-12-2011 10:42 AM
Hello,
I am sending syslog messages from our ASAs to an LMS Prime. Somehow the messages are not showing up in syslog_info. I tested shutting down LMS and using 3com daemon syslog server on a device with the same IP address as the LMS host, and the syslog messages were displayed.
All ASAs are managed by LMS.
Any ideas?
regards
alex

10-18-2011 10:24 AM
Hi,
Are you referring to LMS 4.1 appliance? What do you see when you navigate to Admin > Collection Settings > Syslog?
Below is a Q&A related to syslog:
Q. Why am I not getting syslog messages for my devices?
A. You might not be getting syslog messages for one of the following reasons:
* The device is not managed by RME.
* The Syslog parameters are not enabled correctly on the device.
* Too many messages are being received by the syslog program. On Windows systems, logging for the PIX firewall has a tendency to lock the syslog function due to the massive number of messages from the firewall.
* Filters might be applied to incoming syslog messages. By default, Link Up/Down, PIX, Severity 7, and IOS Firewall Audit Trail messages are filtered out.
10-24-2011 01:05 AM
Hi,
Yes, I am referring to LMS 4.1 application.
The devices are managed and are configured correctly. I replaced a Windows-based LMS with the appliance-based version. On the Windows-based version I received the syslogs.
So it must be something different between the Windows-based version and the appliance.
The odd thing is, the syslog messages do not even appear in the syslog_info file.
regards
alex
10-24-2011 01:41 AM
First check if the ASA is configured to send the syslog messages in EMBLEM format - this is necessary to make them show up in the syslog reports. The LMS Syslog Analyzer can only process syslog messages in EMBLEM format.
What I am wondering about is that you say the messages don't make their way to the plain syslog file - this should be independent from the (EMBLEM) format - but I have no experience with the LMS appliance - but to exclude any format dependency I would first check this point.
This is a link for how to configure syslog EMBLEM format on ASA:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1065684
10-24-2011 10:51 AM
Hi Martin,
Here is my logging configuration:
show run | in logging
logging enable
logging timestamp
logging emblem
logging trap errors
logging history warnings
logging asdm debugging
logging mail critical
logging host INSIDE 10.0.128.19

10-24-2011 11:19 AM
Hi,
Do any syslogs make it to your LMS server or are the messages from the ASA the only ones missing?
Prerequisites for Logging
• The syslog server must run a server program called “syslogd.” Windows (except for Windows 95 and Windows 98) provides a syslog server as part of its operating system. For Windows 95 and Windows 98, you must obtain a syslogd server from another vendor.
• To view logs generated by the adaptive security appliance, you must specify a logging output destination. If you enable logging without specifying a logging output destination, the adaptive security appliance generates messages, but does not save them to a location from which you can view them. You must specify each different logging output destination separately. For example, to designate more than one syslog server as an output destination, enter a new command for each syslog server.
logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]
Thanks
10-24-2011 11:56 AM

10-24-2011 12:08 PM
When you navigate to Admin > Collection Settings > Syslog are there statistics regarding Forwarded|Invalid|Filtered|Dropped|Received messages?
Thanks
10-24-2011 12:32 PM
No messages are filtered or dropped.
Are there any filters or rules active before syslog messages are written into the syslog_info file?
10-24-2011 08:18 PM
Alex,
Could you try to modify your ASA config line currently reading "logging host INSIDE 10.0.128.19" to instead read "logging host INSIDE 10.0.128.19 udp format emblem"?
Hope this helps.
10-26-2011 01:33 AM
Hi,
I tried but did change anything.
thanks
alex

10-26-2011 06:32 AM
Hi,
I suggest a packet capture at the LMS server to verify the messages are being delivered.
Thanks
10-26-2011 06:37 AM
Hi, I did this already. I see incoming syslogs for my firewalls and the wireless LAN controllers.
03-08-2012 05:07 AM
Hello,
Alex, did you manage to work things out with syslog messages from ASA?
Best regards,
Leszek
03-08-2012 05:20 AM
Hi Leszek,
Yes, I finally found the problem. I had to set the logging facility to 23.
I added this line to my configuration and then it was working.
logging facility 23
regards
Alex
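Added example (not part of the original thread, and not Cisco code): the facility travels in the `<PRI>` header of each datagram as facility * 8 + severity, so payloads taken from a packet capture can be decoded to see why a receiving syslogd accepts them on the wire yet never writes them to a file. The selector `local7.info` and the sample payloads are assumptions constructed for illustration; facility 20 (local4) is the ASA default.

```python
import re

# Facility codes 16-23 are local0-local7; ASA "logging facility N" uses these numbers.
FACILITIES = {n: f"local{n - 16}" for n in range(16, 24)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram: bytes):
    """Return (facility, severity) from the <PRI> header, or None if absent/invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:   # 191 = facility 23, severity 7
        return None
    return divmod(int(m.group(1)), 8)

def selector_matches(selector: str, facility: int, severity: int) -> bool:
    """Evaluate a classic syslogd 'facility.level' selector (level or more severe)."""
    fac_name, level = selector.split(".")
    fac_ok = fac_name == "*" or FACILITIES.get(facility) == fac_name
    return fac_ok and severity <= SEVERITIES.index(level)

def triage(datagrams, selector):
    """Classify each captured payload as 'written', 'ignored' or 'no-pri'."""
    results = []
    for d in datagrams:
        decoded = decode_pri(d)
        if decoded is None:
            results.append((None, None, "no-pri"))
            continue
        fac, sev = decoded
        verdict = "written" if selector_matches(selector, fac, sev) else "ignored"
        results.append((FACILITIES.get(fac, str(fac)), SEVERITIES[sev], verdict))
    return results

# Constructed UDP payloads (not taken from the thread).
SAMPLES = [
    b"<163>:Oct 24 10:51:02: %ASA-3-106014: Deny inbound icmp (constructed)",  # facility 20
    b"<187>:Mar 08 05:18:40: %ASA-3-106014: Deny inbound icmp (constructed)",  # facility 23
    b"%ASA-3-106014: payload with no PRI header (constructed)",
]

if __name__ == "__main__":
    # Assumed selector for the file the collector reads; check the real syslogd config.
    for row in triage(SAMPLES, "local7.info"):
        print(row)
```

Run against the selector actually present in the collector's syslogd configuration; a message that decodes to a facility the selector does not name is received by the host but never reaches the file.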
