cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2376
Views
10
Helpful
16
Replies
alex.dersch
Enthusiast

LMS Prime: Syslog messages from ASA are not precessed

Hello,

i am sending syslog messages from our ASA's to an LMS prime. Somehow the messages are not showing up in syslog_info. I tested shutting down LMS and using 3com daemon syslog server on a device with same ip address as the LMS host and the syslog messages were displayed.

All ASA's are managed by LMS.

any ideas?

regards

alex

16 REPLIES 16
ngoldwat
Enthusiast

Hi,

Are you referring to LMS 4.1 appliance?  What do you see when you navigate to Admin > Collection Settings > Syslog?

Below is a Q&A related to syslog:

Q. Why am I not getting syslog messages for my devices?

A. You might not be getting syslog messages for one of the following reasons:

*  The device is not managed by RME.

*  The Syslog parameters are not enabled correctly on the device.

*  Too many messages are being received by the syslog program. On Windows systems, logging for the PIX firewall has a tendency to lock the syslog function due to the massive number of messages from the firewall.

*  Filters might be applied to incoming syslog messages. By default, Link Up/Down, PIX, Severity 7, and IOS Firewall Audit Trail messages are filtered out.

Hi,

yes i am referring to LMS 4.1 application.

The devices are managed and are configured correctly. I replaced a windows based LMS with the appliance based version. on the windows based version i received the syslogs.

so it must be something different between the windows based and the appliance.

The odd think is, the syslog messeages even not appear in the syslog_info file.

regards

alex

first check if the ASA is configured to send the syslog messages in EMBLEM format - this is necessary to make them show up in the syslog reports. The LMS syslog Analyzer can only process syslog messages in EMBLEM format.

What I am wondering about is that you say the messages doesn't make their way to the plain syslog file - this should be independent form the (EMBLEM) format - but I have no experience with the LMS appliance - but to exclude any format dependency I would first check this point.

this is a link for how to configure syslog EMBLEM format on ASA:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1065684

Hi Martin,

here is my logging configuration

show run | in logging

logging enable

logging timestamp

logging emblem

logging trap errors

logging history warnings

logging asdm debugging

logging mail critical

logging host INSIDE 10.0.128.19

Hi,

Do any syslogs make it to your LMS server or are the messages from the ASA the only ones missing?

Prerequisites for Logging

•  The syslog server must run a server program called “syslogd.” Windows (except for Windows 95 and Windows 98) provides a syslog server as part of its operating system. For Windows 95 and Windows 98, you must obtain a  syslogd server from another vendor.

•  To view logs generated by the adaptive security appliance, you must specify a logging output destination. If you  enable logging without specifying a logging output destination, the adaptive security appliance generates  messages, but does not save them to a location from which you can view them. You must specify each different  logging output destination separately. For example, to designate more than one syslog server as an output  destination, enter a new command for each syslog server.

logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]

Thanks

Logging works fine for all routers, switches and call managers. Only Firewalls and Wireless Lan Controller Syslogs don't show up. I configured a Span Port to monitor the incoming syslog traffic to the LMS. syslogs from the Firewalls and WLC coming in the system.

When you navigate to Admin > Collection Settings > Syslog are there statistics regarding  Forwarded|Invalid|Filtered|Dropped|Received messages?

Thanks

No messages are filtered or dropped.

are there any filter or rule active before syslog messages are written into the syslog_info file?

Alex,

Could you try to modify your ASA config line currently reading "logging host INSIDE 10.0.128.19" to instead read "logging host INSIDE 10.0.128.19 udp format emblem"?

Hope this helps.

Hi,

i tried but did change anything.

thanks

alex

Hi,

I suggest a packet capture at the LMS server to verify the messages ae being delivered.

Thanks

Hi i did this already. I see incoming syslogs for my Firewalls and the Wireless LAN controllers

Hello,

Alex, did you manage to work things out with syslog massages from ASA?

Best regards,

Leszek

Hi Leszek,

yes i finally found the problem. I had to set the logging facility to 23.

I added this line to my configuration and then it was working.

logging facility 23

regards

Alex