04-12-2017 12:27 AM - edited 02-21-2020 06:03 AM
Hello!
I have an ASA 5508-X with FirePower services managed via ASDM.
Versions are:
ASA: 9.6(2)13
ASDM: 7.7(1)
FP: 6.2.0 (Build 362)
I have configured access control policy with logging to external syslog server as well as internal log.
I have configured FirePower module to poll NTP servers. The show time command displays correct time, ASDM displays correct time in every place where timestamp can be checked, linux box (Cisco Fire Linux OS) displays correct time.
Problem: the FirePower module is sending logs with incorrect timestamp to external syslog server.
Have I missed something important or it's possible yet another bug from Cisco ?
Thank you in advance!
04-12-2017 01:19 AM
Are you sure it isn't logging it in GMT+0?
04-12-2017 02:33 AM
Are you sure it isn't logging it in GMT+0?
Excuse me, how can I verify that?
By the way, for example, syslog shows "Apr 12 08:34:51", but the FP CLI is much different:
> show time
UTC - Wed Apr 12 09:11:11 UTC 2017
Localtime - Wed Apr 12 12:11:14 EEST 2017
Because of this, the problem is not in the timezone, in my opinion.
04-14-2017 01:02 AM
You can verify by going into expert mode on the module doing a quick tcpdump and looking at the content of a syslog message.
>expert
admin@Sourcefire3D:~$ sudo tcpdump -i eth0 -s 0 host <your syslog server>
They're sent unencrypted via udp/514 (edit) so it's pretty easy to look at even in the cli.
04-14-2017 01:02 AM
Hello Marvin! Thank you for your response.
I did sniff the traffic, but 514/udp, not 161/udp (SNMP). I did capture on the syslog server side too and the timestamp is incorrect.
04-14-2017 01:12 AM
Whoops - edited my reply for the correct port. Thanks.
I believe the log does lag a little bit but I'd expect maybe several seconds of delta - not over 30 minutes like you are seeing.
That sounds like a bug. I'd recommend opening a TAC case.
04-14-2017 01:17 AM
I'm totally agree with you. Too high delta, unfortunately. Anyway, appreciate your opinion. Have a nice day.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide