09-07-2017 02:44 PM - edited 02-21-2020 06:16 AM
Hello,
I am looking for advice in regards to logging our edge firewall connections.
We are running an ASA 5520 and Kiwi Syslog 9.5 on a windows server.
I have been running Kiwi Syslog Server 9.5 for a few months and it keeps crashing. I opened a ticket with them and they stated the firewall was sending too many logs (they said Kiwi has a 2 million/hour message limit). I believe the amount of logs the firewall was sending is around 2.5-3 million/hour.
I am logging level 6-informational. It is my understanding this is the level I would need to see connections build/torn down for internet traffic.
I am really at a loss on what to do about this. Is 2 million messages per hour really that high? I have already pared down the logging as much as possible...
I am looking for any advice, suggestions or ideas... How are other (bigger!!?) companies dealing with this... thanks in advance!
09-07-2017 11:03 PM
I never recommend logging level 6 on an ASA unless you are actively troubleshooting or require it for legal or compliance purposes. Are you going to scan through 50 million messages per day to extract something useful?
If you really need all those messages then they should go to a SIEM or something like Splunk or ELK that is designed to handle that volume of raw data and allow you to do some munging and visualization. You could dump it all into a Unix server like Philip suggests but then you'd have to manage and search through the files manually.
09-07-2017 03:15 PM
09-08-2017 07:30 AM
Hi Marvin,
This is a legal compliance issue; we must keep records of internet connections for 1 year. I have considered trying to find just the syslog message IDs that pertain to connections and ignoring everything else.
The other option I am exploring is a SIEM that can handle higher traffic.
Either way I appreciate the input!
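The filtering idea in the reply above (keep only the message IDs that record connections, drop the rest) is worth making concrete. The block below is an added example, not code from the original thread or from Cisco: it parses the `%ASA-<severity>-<id>:` tag, counts volume per message ID so you can see what is actually filling the pipe, and then keeps only the TCP/UDP/ICMP build/teardown records (302013-302016, 302020, 302021, all emitted at level 6) plus anything at severity 4 or more severe. The sample log lines are constructed for the example (documentation IP ranges), and the "keep warnings and above" policy is an assumption about what a connection-retention requirement would want, not something stated in the thread.

```python
import re
from collections import Counter

# Cisco ASA connection build/teardown message IDs. All six are emitted at
# severity 6 (informational), which is why logging level 6 is needed to see them.
CONN_MESSAGE_IDS = {
    "302013",  # Built TCP connection
    "302014",  # Teardown TCP connection
    "302015",  # Built UDP connection
    "302016",  # Teardown UDP connection
    "302020",  # Built ICMP connection
    "302021",  # Teardown ICMP connection
}

# Syslog tag format: %ASA-<severity>-<message_id>: <text>
# (%PIX- and %FTD- prefixes are accepted for older/newer platforms.)
TAG_RE = re.compile(r"%(?:ASA|PIX|FTD)-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")


def parse_asa_line(line):
    """Return (severity, message_id, text), or None for lines that are not ASA messages."""
    m = TAG_RE.search(line)
    if m is None:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")


def is_connection_record(line):
    """True only for the build/teardown messages a connection log needs."""
    parsed = parse_asa_line(line)
    return parsed is not None and parsed[1] in CONN_MESSAGE_IDS


def message_id_histogram(lines):
    """Count messages per ID: run this first to learn which IDs make up the volume."""
    hist = Counter()
    for line in lines:
        parsed = parse_asa_line(line)
        if parsed is not None:
            hist[parsed[1]] += 1
    return hist


def filter_connection_records(lines, always_keep_max_severity=4):
    """Keep connection records plus anything at warning (4) or more severe.

    Everything else (NAT translation messages, no-connection denies, other
    level-5/6 chatter) is dropped. Returns (kept_lines, stats_counter).
    The severity threshold is an assumed policy for this example.
    """
    kept, stats = [], Counter()
    for line in lines:
        parsed = parse_asa_line(line)
        if parsed is None:
            stats["unparsed"] += 1  # not an ASA message; handle it elsewhere
            continue
        sev, msgid, _ = parsed
        if msgid in CONN_MESSAGE_IDS or sev <= always_keep_max_severity:
            kept.append(line)
            stats["kept"] += 1
        else:
            stats["dropped"] += 1
    return kept, stats


# Constructed sample lines in ASA syslog format (RFC 5737 documentation
# addresses; these are not from the original post).
SAMPLE_LINES = [
    "<166>Sep 07 2017 14:44:01 fw-edge : %ASA-6-302013: Built outbound TCP connection 901234 "
    "for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.2.3/51234 (198.51.100.5/51234)",
    "<166>Sep 07 2017 14:44:01 fw-edge : %ASA-6-305011: Built dynamic TCP translation "
    "from inside:10.1.2.3/51234 to outside:198.51.100.5/51234",
    "<166>Sep 07 2017 14:44:06 fw-edge : %ASA-6-302014: Teardown TCP connection 901234 "
    "for outside:203.0.113.10/443 to inside:10.1.2.3/51234 duration 0:00:05 bytes 4821 TCP FINs",
    "<166>Sep 07 2017 14:44:07 fw-edge : %ASA-6-302015: Built outbound UDP connection 901235 "
    "for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.1.2.3/40001 (198.51.100.5/40001)",
    "<166>Sep 07 2017 14:44:09 fw-edge : %ASA-6-302016: Teardown UDP connection 901235 "
    "for outside:203.0.113.53/53 to inside:10.1.2.3/40001 duration 0:00:02 bytes 120",
    "<166>Sep 07 2017 14:44:10 fw-edge : %ASA-6-106015: Deny TCP (no connection) "
    "from 203.0.113.77/4444 to 198.51.100.5/80 flags SYN ACK on interface outside",
    "<164>Sep 07 2017 14:44:11 fw-edge : %ASA-4-106023: Deny tcp src outside:203.0.113.88/50000 "
    "dst inside:10.1.2.9/23 by access-group \"OUTSIDE_IN\" [0x0, 0x0]",
    "<166>Sep 07 2017 14:44:12 fw-edge : %ASA-6-302020: Built outbound ICMP connection "
    "for faddr 203.0.113.10/0 gaddr 198.51.100.5/1 laddr 10.1.2.3/1",
    "<14>Sep 07 2017 14:44:13 srv01 sshd[2201]: Accepted publickey for ops from 10.1.2.50 port 52310 ssh2",
]

if __name__ == "__main__":
    print("volume by message ID:", dict(message_id_histogram(SAMPLE_LINES)))
    kept, stats = filter_connection_records(SAMPLE_LINES)
    print("kept %d, dropped %d, unparsed %d" % (stats["kept"], stats["dropped"], stats["unparsed"]))
    for line in kept:
        print(line)
```

Run the histogram against an hour of the real feed before deciding what to drop; on a busy edge ASA the NAT translation messages (305011/305012) and no-connection denies often rival the connection records themselves, and none of them are needed to reconstruct who talked to whom. The same selection can be pushed onto the ASA so the excess never leaves the firewall: an event list built with `logging list <name> message <id>[-<id>]` and applied with `logging trap <name>` sends only the listed IDs to the syslog host. Other protocols have their own build/teardown IDs, so check the ASA syslog message reference before treating the six above as complete for your traffic mix.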