I am sending syslog messages from our ASAs to an LMS Prime. Somehow the messages are not showing up in syslog_info. I tested shutting down LMS and using 3com daemon syslog server on a device with the same IP address as the LMS host, and the syslog messages were displayed.
All ASAs are managed by LMS.
Are you referring to LMS 4.1 appliance? What do you see when you navigate to Admin > Collection Settings > Syslog?
Below is a Q&A related to syslog:
Q. Why am I not getting syslog messages for my devices?
A. You might not be getting syslog messages for one of the following reasons:
* The device is not managed by RME.
* The Syslog parameters are not enabled correctly on the device.
* Too many messages are being received by the syslog program. On Windows systems, logging for the PIX firewall has a tendency to lock the syslog function due to the massive number of messages from the firewall.
* Filters might be applied to incoming syslog messages. By default, Link Up/Down, PIX, Severity 7, and IOS Firewall Audit Trail messages are filtered out.
Yes, I am referring to the LMS 4.1 application.
The devices are managed and are configured correctly. I replaced a Windows-based LMS with the appliance-based version. On the Windows-based version I received the syslogs.
So it must be something different between the Windows-based version and the appliance.
The odd thing is, the syslog messages do not even appear in the syslog_info file.
First check if the ASA is configured to send the syslog messages in EMBLEM format - this is necessary to make them show up in the syslog reports. The LMS syslog Analyzer can only process syslog messages in EMBLEM format.
What I am wondering about is that you say the messages don't make their way to the plain syslog file - this should be independent from the (EMBLEM) format - but I have no experience with the LMS appliance - but to exclude any format dependency I would first check this point.
This is a link for how to configure syslog EMBLEM format on ASA:
Here is my logging configuration:
show run | in logging
logging trap errors
logging history warnings
logging asdm debugging
logging mail critical
logging host INSIDE 10.0.128.19
Do any syslogs make it to your LMS server or are the messages from the ASA the only ones missing?
Prerequisites for Logging
• The syslog server must run a server program called “syslogd.” Windows (except for Windows 95 and Windows 98) provides a syslog server as part of its operating system. For Windows 95 and Windows 98, you must obtain a syslogd server from another vendor.
• To view logs generated by the adaptive security appliance, you must specify a logging output destination. If you enable logging without specifying a logging output destination, the adaptive security appliance generates messages, but does not save them to a location from which you can view them. You must specify each different logging output destination separately. For example, to designate more than one syslog server as an output destination, enter a new command for each syslog server.
logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]
When you navigate to Admin > Collection Settings > Syslog are there statistics regarding Forwarded|Invalid|Filtered|Dropped|Received messages?
Could you try to modify your ASA config line currently reading "logging host INSIDE 10.0.128.19" to instead read "logging host INSIDE 10.0.128.19 udp format emblem"?
Hope this helps.
Yes, I finally found the problem. I had to set the logging facility to 23.
I added this line to my configuration and then it was working.
logging facility 23
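
Added example, not part of the original thread: a short Python check that decodes the `<PRI>` header of a syslog datagram (PRI = facility * 8 + severity) and tests it against a classic syslogd `facility.level` selector, which shows why a change of facility alone can decide whether a message reaches a given log file. The ASA default facility is 20 (local4) and 23 is local7; the selector `local7.info` for syslog_info is an assumption about the collector, and the sample datagrams are constructed.

```python
import re

# Facility and severity names by number (RFC 3164 / RFC 5424 numbering).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram: bytes):
    """Return (facility, severity) names from the <PRI> header of a datagram."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def selector_matches(selector: str, datagram: bytes) -> bool:
    """Classic syslogd rule: same facility, severity at least as urgent as level."""
    want_fac, want_lvl = selector.split(".")
    fac, sev = decode_pri(datagram)
    fac_ok = want_fac in ("*", fac)
    return fac_ok and SEVERITIES.index(sev) <= SEVERITIES.index(want_lvl)

# Assumption: the collector writes syslog_info from this selector.
ASSUMED_SELECTOR = "local7.info"

# Constructed datagrams: the same severity-3 message sent with the ASA default
# facility 20 (PRI 20*8+3 = 163) and with "logging facility 23" (PRI 187).
BEFORE = b"<163>%ASA-3-313001: Denied ICMP type=8, code=0 from 192.0.2.10 on interface OUTSIDE"
AFTER = b"<187>%ASA-3-313001: Denied ICMP type=8, code=0 from 192.0.2.10 on interface OUTSIDE"

if __name__ == "__main__":
    for label, dgram in (("facility 20", BEFORE), ("facility 23", AFTER)):
        fac, sev = decode_pri(dgram)
        hit = selector_matches(ASSUMED_SELECTOR, dgram)
        print(f"{label}: {fac}.{sev} matches {ASSUMED_SELECTOR}: {hit}")
```

Feeding it the first bytes of a datagram captured on UDP port 514 at the collector shows which facility the ASA is actually sending.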