ASA Logging History List appears missing (version specific?)

cco@leferguson.com · ‎12-09-2024

I just started working on a new client who has two 5506x and a 5516x.

Setting up network monitoring I have generally used a "logging history list-name" statement to filter what SNMP traps are sent. I put this into these, and two rejected it, one accepted it.

The one that accepted was a 5506x on 9.14(4)12, the other two are both on 9.16(4)55.

They won't accept this command, and more to the point the prompt doesn't show it.

(config)# logging history log-to-zabbix
                          ^
ERROR: % Invalid input detected at '^' marker.
(config)# logging history ?
configure mode commands/options:
<0-7> Enter syslog level (0 - 7)
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
rate-limit Specify logging history rate-limit parameters
warnings Warning conditions (severity=4)

There is a "Word" in the prompt on the other system, as well as on an 9.18(4)29 at another client.

I searched release notes briefly and didn't see anything.

I looked at a 9.16 manual and it's still shown (as optional logging_list).

Am I missing something?

here is an example show logging where it worked:

# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Timezone: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 3760638 messages logged
Trap logging: disabled
Permit-hostdown logging: enabled
History logging: list log-to-zabbix, 3690714 messages logged
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 3760638 messages logged

Here is one where it won't accept (I've also tried enabling it for a specific level then adding - no change).

# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Timezone: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 128486141 messages logged
Trap logging: disabled
Permit-hostdown logging: enabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled

Incidentally the list exists, it's in the config and accepted; it's just associating it with logging history (i.e. snmp) that won't work. SNMP configuration is identical on both ASA's (and working otherwise).

Linwood

ahollifield · ‎12-10-2024

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744797.html

https://www.cisco.com/site/us/en/products/collateral/firewalls/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744798.html

https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/adaptive-security-appliance-eol.html

cco@leferguson.com · ‎12-10-2024

OK, so they will be out of support soon. Got it. I'm a subcontractor setting up monitoring for a different consulting group for a small local government who is cheap. I have no idea if they are even under support (probably not, most windows servers are 2012R2) much less any influence to get them there, and no access to their support agreements.

Since I have no direct access to support through their contracts (if they exist) was hoping the community would help, unless there's some rule about not asking about issues on near-end-of-support devices?

ahollifield · ‎12-10-2024

Oh no totally fine asking here on the community for EoS/EoL gear. Just wanted to make sure you were aware of the very limited runway of these devices. If this behavior is bug it will not be fixed on software that is end of software maintenance.

cco@leferguson.com · ‎12-10-2024

Yeah. I was more worried if this was a feature, i.e. a change being introduced to some new filtering approach or syntax change and I had missed it because that will eventually affect others. Or alternatively some licensing or feature enabled issue I had never run across.

Thanks.

cco@leferguson.com · ‎12-10-2024

As a note further searching found these bugs:

Need to provide rate-limit on "logging history <mode>"

logging/syslog is impacted by SNMP traps and logging history

These and other logging changes were made in 9.16(4)48. I don't see anything specifically bugged about logging lists, but it looks like they did a lot of changes in this time frame and I wonder if they just broke it.

MHM Cisco World · ‎12-10-2024

did you try
logging history 6 <<- information
then check

show logging
show logging history

MHM

cco@leferguson.com · ‎12-11-2024

I am perhaps missing your point.

I do not want to get logging history turned on (that works). I want to apply a filter list to logging history. But in case you think turning it on first fixes it, it doesn't:

(config)# logging history 6
(config)# show logging
Syslog logging: enabled
....etc.
History logging: level informational, 117 messages logged, 0 rate-limited
.... etc ^
(config)# logging history log-to-zabbix


(config)# logging history 6
(config)# show logging
Syslog logging: enabled
....etc.
History logging: level informational, 117 messages logged, 0 rate-limited
... etc. 
(config)# logging history log-to-zabbix
                          ^
ERROR: % Invalid input detected at '^' marker.

"log-to-zabbix" has already been defined as a filter list (that definition syntax also works). The idea is that only the predefined list of event codes are sent in SNMP traps. Which is what a filter list is for, a more fine filter than just error level.