06-28-2013 12:15 PM - edited 03-11-2019 07:04 PM
Hi folks,
I'll preface this with a note that I'm a bit new at configuring the ASA, so if this seems like a relatively simple question that I'm just overlooking, my apologies in advance.
I have an ASA5520 that I'm connecting to a Splunk server. The amount of traffic coming from it is extremely high - it did almost 48 million messages in a 24 hour period. Here is the output of a 'show log' with the IP addresses stripped:
----
Syslog logging: enabled
Facility: 21
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level errors, 799433175 messages logged
Trap logging: level debugging, facility 21, 2384948306 messages logged
Logging to inside x.x.x.x errors: 14945 dropped: 903982
Logging to inside x.x.x.x errors: 3 dropped: 684
Logging to inside x.x.x.x
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level notifications, 849478059 messages logged
----
The command that I ran to enable the remote syslog was 'logging host inside ip.of.syslog.server udp:1515'.
I ran a 'logging console 3' and a 'logging buffered 3', hoping to filter out the debug messages, teardowns, etc., but they are still showing up on my remote server. I'm sure it's just my inexperience, but if someone could direct me to the correct way to clean up the log output, I'd really appreciate it.
Thanks!
06-28-2013 12:33 PM
Hi,
You probably have this "logging" configuration set
logging trap debugging
This can be confirmed by using the below command to show all "logging" related configurations
show run logging
The "logging trap" sets the level of log messages that are sent to your Syslog server. So considering it's set to "debugging" or "7", that means you are essentially logging everything possible with regards to the logging level.
The more typical level for this is either "informational" or "notifications".
I tend to keep it at "informational"; though it still generates a lot of logs, it's good in the sense that it logs all the connections/translations formed on the firewall and also logs when they are removed from the firewall.
If you were to configure "notifications" you would only tend to see the connection attempts that are blocked by the firewall, and the log amount would be pretty minimal.
Then again you also have the option to disable certain log messages altogether. You could for example disable the messages that tell you that a translation was formed/torn down, which would already remove a considerable amount of logged messages.
Then I guess there might be a chance to create a custom list of messages you are interested in also.
You can also change the default level at which some log message is logged.
I guess the last options I mention would take some research on your part to determine which would serve you the best.
The last options you mention in the post don't have anything to do with the Syslog server's logging. They are related to the console connection and the logs that are stored in the firewall's buffer, which should be visible with the "show logging" command.
Hope this information helps
Please do mark the reply as the correct answer if it answered your question.
Naturally ask more if needed
- Jouni
07-01-2013 08:23 AM
Thank you for the reply Jouni, I appreciate it. I set the debug level (I believe) lower, down to "4", but I'm still seeing an incredibly high amount of messages - about 500,000 in 20 minutes. Here's the result of 'show run logging'.
logging enable
logging timestamp
logging console errors
logging buffered errors
logging trap warnings
logging asdm notifications
logging facility 21
logging host inside x.x.x.x 17/2550
The good news is that I'm not seeing all of the teardown messages, and it's certainly a lot less than 40 million, heh. That said, a lot of what I'm seeing is generic multicast denies, ARP requests and so forth. I DO want to see any specific denies, but having all of the usual network chatter (Active Directory stuff, routing messages from external routers, etc.) makes it difficult to discern what's "normal" traffic and what's an actual threat. Would you happen to know if there is a way that I can trim this down a bit, or exclude multicast?
Thanks again!
07-01-2013 08:52 AM
Hi,
You could set the logging level to Notifications
logging trap notifications
You could also check your ACL configurations.
If you have manually set some logging levels for the ACL rules at the end of an ACL rule then those might be the cause for the added amount of logs.
If you set the logging level to Notifications then I don't think you should be getting that many logs.
I also find it odd that you would be seeing anything related to ARP. Those are usually only seen when you have debugging turned on, which I hope you don't since it's primarily for troubleshooting situations.
You can use the below command to view if any debugs are on
show debug
If you want to disable all active debugs on the firewall then you can use
no debug all
But yeah, I should really see the rest of the configuration to be able to tell what is causing the large amount of logs. Then again, I guess if you have a lot of traffic that is denied by some ASA configuration, then those might still generate a lot of logs.
- Jouni
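An added configuration example (not from the thread or from Cisco) that puts the options discussed in both of Jouni's replies side by side: the trap level, suppressing individual message IDs, re-levelling a message, an event list, and the per-ACE "log" level. The interface name "inside" and UDP port 1515 come from the original post; the collector address 192.0.2.10 is a placeholder, and the message IDs are standard ASA syslog IDs (302013-302016 connection build/teardown, 305011/305012 xlate build/teardown, 106023 ACL deny, 106100 ACE "log" hit).

```cisco
! Added example: ASA syslog volume tuning. Not the poster's configuration.
! Assumptions: interface "inside", collector 192.0.2.10 (placeholder), UDP 1515.

! --- Noisy starting point (what the first 'show logging' output implies) ---
logging enable
logging timestamp
logging trap debugging
logging host inside 192.0.2.10 udp/1515

! --- Tuned version ---
! 1. Trap level. 106023 (ACL deny) is level 4, so "notifications" (5) keeps
!    denies but drops the level-6 connection/translation chatter.
logging trap notifications

! 2. If you prefer "informational" (Jouni's choice), suppress the individual
!    build/teardown IDs instead of relying on the level alone.
no logging message 302013
no logging message 302014
no logging message 302015
no logging message 302016
no logging message 305011
no logging message 305012

! 3. Caveat for "I DO want to see specific denies": an ACE with the plain
!    "log" keyword emits 106100 at its default level 6 (informational), which
!    a trap level of notifications silently drops. Either raise the message
!    level globally ...
logging message 106100 level warnings
! ... or set the level on the ACE itself (ACE hits at warnings pass level 5).
access-list OUTSIDE_IN extended deny ip any any log warnings

! 4. Rate-limit a chatty ID rather than dropping it: at most 10 per 60 s.
logging rate-limit 10 60 message 106023

! 5. Alternative to a global severity: an event list naming exactly what the
!    collector should receive. Use EITHER this "logging trap" or the one in
!    step 1; the last "logging trap" entered wins.
logging list SPLUNK-EVENTS level warnings
logging list SPLUNK-EVENTS message 106023
logging list SPLUNK-EVENTS message 106100
! logging trap SPLUNK-EVENTS

! 6. Verify: 'show run logging' (effective settings), 'show logging' (per-host
!    dropped counters, as in the first post), 'show logging message' (IDs with
!    non-default level or disabled), 'show debug' (no debugs should be active).
```

Watch the "dropped" counter in 'show logging' after the change: if it keeps climbing, the collector is still receiving more than it can accept and the level or suppression list needs to be tightened further.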