Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
386
Views
0
Helpful
2
Replies

ASA Syslog stops every second hour

Go to solution
davidrkirk
Level 1
Level 1

‎10-17-2016 06:52 PM - edited ‎03-12-2019 01:24 AM

Hi,

I have a Cisco ASA5510 running v8.4(7)30.  I have it logging syslog messages to a Linux server.

I have noticed that every second hour it stops logging for one hour.  For example this morning there was a one hour gap between 04:32:09 and 05:32:11.  Then there is another gap from 06:32:04 to 07:32:28.  So I get one hour of logs, then one hour with no logs, then another hour of logs and so on.

I've looked back and noticed that this has been happening since this line was added to the config:

same-security-traffic permit intra-interface

It has just stopped again.  I logged on to ASDM and I can still see log messages coming through there, but nothing on my syslog server.

On the console I type in show logging and it show this:

Trap logging: level informational, facility 20, 9966824 messages logged
    Logging to inside syslog

I do it again and the number of messages is still incrementing.

I have lots of switches and another ASA5512 logging to the same syslog server and I don't see this happening with any other device.

Does anyone have any idea what's going on?  It seems that most times when I need to watch the log, the logs are not being written.

Thanks

David

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎10-17-2016 10:43 PM

Hi,

Please take captures on the interface going to the Syslog server during the time of the issue.

Also share the output of show logging queue of the ASA and show run logging.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎10-17-2016 10:43 PM

Hi,

Please take captures on the interface going to the Syslog server during the time of the issue.

Also share the output of show logging queue of the ASA and show run logging.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Go to solution
davidrkirk
Level 1
Level 1
In response to Aditya Ganjoo

‎10-18-2016 01:14 PM

Hi Aditya,

I've done a tcpdump on the Linux server and can see the data is coming through, so the problem is not with the ASA.

I've done some more investigation on the Linux side.  The syslog server logs to "/var/log/hosts/$HOST/$HOST.log".  So, it relies on being able to do a reverse dns lookup.  The ASA has two names in dns - "firewall" and "vpn".  Once I deleted the second hostname in the reverse zone it seems to be logging all messages.

Thanks for your help

David

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card