Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1455
Views
0
Helpful
6
Replies

ASA 5508-X, FirePower, incorrect syslog timestamp

sharlino
Level 1
Level 1

‎04-12-2017 12:27 AM - edited ‎02-21-2020 06:03 AM

Hello!

I have an ASA 5508-X with FirePower services managed via ASDM.
Versions are:
ASA: 9.6(2)13
ASDM: 7.7(1)
FP: 6.2.0 (Build 362)

I have configured access control policy with logging to external syslog server as well as internal log.
I have configured FirePower module to poll NTP servers. The show time command displays correct time, ASDM displays correct time in every place where timestamp can be checked, linux box (Cisco Fire Linux OS) displays correct time.


Problem: the FirePower module is sending logs with incorrect timestamp to external syslog server.
Have I missed something important or it's possible yet another bug from Cisco ?

Thank you in advance!

1 person had this problem
0 Helpful
6 Replies 6

Philip D'Ath
VIP Alumni
VIP Alumni

‎04-12-2017 01:19 AM

Are you sure it isn't logging it in GMT+0?

0 Helpful

sharlino
Level 1
Level 1
In response to Philip D'Ath

‎04-12-2017 02:33 AM

Are you sure it isn't logging it in GMT+0?

Excuse me, how can I verify that?

By the way, for example, syslog shows "Apr 12 08:34:51", but the FP CLI is much different:

 > show time
UTC -       Wed Apr 12 09:11:11 UTC 2017
Localtime - Wed Apr 12 12:11:14 EEST 2017

Because of this, the problem is not in the timezone, in my opinion. 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to sharlino

‎04-14-2017 01:02 AM

You can verify by going into expert mode on the module doing a quick tcpdump and looking at the content of a syslog message.

>expert
admin@Sourcefire3D:~$ sudo tcpdump -i eth0 -s 0 host <your syslog server>

They're sent unencrypted via udp/514 (edit) so it's pretty easy to look at even in the cli.

0 Helpful

sharlino
Level 1
Level 1
In response to Marvin Rhoads

‎04-14-2017 01:02 AM

Hello Marvin! Thank you for your response.

I did sniff the traffic, but 514/udp, not 161/udp (SNMP). I did capture on the syslog server side too and the timestamp is incorrect.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to sharlino

‎04-14-2017 01:12 AM

Whoops - edited my reply for the correct port. Thanks.

I believe the log does lag a little bit but I'd expect maybe several seconds of delta - not over 30 minutes like you are seeing.

That sounds like a bug. I'd recommend opening a TAC case.

0 Helpful

sharlino
Level 1
Level 1
In response to Marvin Rhoads

‎04-14-2017 01:17 AM

I'm totally agree with you. Too high delta, unfortunately. Anyway, appreciate your opinion. Have a nice day.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card