ASA logging list config

mahesh18
Level 6

Hi Everyone,

 

On our ASA I see the below config

logging list configuration level debugging class config

logging class config trap debugging

 

Need to know what the purpose of this config is and where it will send log messages to.

Will this config send more logs to the syslog server?

 

Regards

Mahesh


4 Replies

Marvin Rhoads
Hall of Fame

Mahesh,

We typically do NOT set up any debugging for syslog or trap server destinations. That can be very, very verbose.

The commands you note do that for any config sessions (which does mitigate the effect but can be handled more effectively in other ways such as AAA authentication of all sessions and a configuration management tool) and the destination would be any syslog and trap (SNMP) servers you have set up elsewhere in the configuration.

Hi Marvin,

 

The reason I am asking is that we are seeing a lot of logs from this ASA to syslog.

Can you explain to me in more detail, please?

Regards

Mahesh

Mahesh,

The "logging ... trap debugging" line tells the ASA to send the syslog messages at the most verbose level (level 7 = debugging) to your syslog server. That server is set up elsewhere with a "logging host ..." command.

Best practice is to send syslog messages at no more verbose than level 4 or 5 (warning or notification respectively) on a regular basis unless there is a troubleshooting session (or some sort of regulatory or legal compliance reason) that would require the more verbose set of messages.

Please see this TAC article for more details. There was also a good TAC Security podcast a while back on just ASA logging. Here's a link to the show notes where you can download the podcast. Also see the configuration guide section on logging for syntax details.
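
The severity thresholds discussed in this reply, as an added example that is not part of the original thread: a Python script that reads the severity from the %ASA-<level>-<id> tag of each syslog line and reports how many messages each trap level would let through, which shows what is driving the volume on the syslog server. The sample lines, the host name fw1 and the addresses are constructed.

```python
import re
from collections import Counter

# Severity names accepted by the ASA logging commands; index = numeric level.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Every ASA syslog message carries a "%ASA-<severity>-<message id>:" tag.
TAG = re.compile(r"%ASA-([0-7])-(\d{6}):")

# Constructed sample lines, not captured from a real firewall.
SAMPLE = """\
Mar 01 10:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443
Mar 01 10:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.8/443
Mar 01 10:00:02 fw1 %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/443
Mar 01 10:00:03 fw1 %ASA-7-609001: Built local-host inside:10.0.0.6
Mar 01 10:00:03 fw1 %ASA-7-609002: Teardown local-host inside:10.0.0.6 duration 0:00:01
Mar 01 10:00:04 fw1 %ASA-7-111009: User 'admin' executed cmd: show logging
Mar 01 10:00:05 fw1 %ASA-5-111008: User 'admin' executed the 'logging trap debugging' command.
Mar 01 10:00:06 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.5/22
Mar 01 10:00:07 fw1 %ASA-3-710003: TCP access denied by ACL from 198.51.100.9/4445
"""

def parse(lines):
    """Yield (severity, message_id) for each line that has an ASA tag."""
    for line in lines:
        m = TAG.search(line)
        if m:
            yield int(m.group(1)), m.group(2)

def volume_by_threshold(lines):
    """Map each level name to how many messages a threshold at that level passes."""
    per_level = Counter(sev for sev, _ in parse(lines))
    passed, result = 0, {}
    for sev, name in enumerate(LEVELS):
        passed += per_level[sev]  # a threshold of N passes severities 0..N
        result[name] = passed
    return result

def noisiest(lines, n=3):
    """Return the n most frequent (message_id, count) pairs."""
    return Counter(mid for _, mid in parse(lines)).most_common(n)

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for name, count in volume_by_threshold(lines).items():
        print(f"{name:<14} {count}")
    print(noisiest(lines, 1))
```

Run against a real export from the syslog server, the gap between the "debugging" count and the "warnings" or "notifications" count is the volume that lowering the trap level would remove.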

 

Hi Marvin,

 

Many thanks for the detailed explanation.

I will go through all the links tomorrow.

 

Best Regards

Mahesh
