10-21-2020 01:57 PM
@Rob Ingram @balaji.bandi @Marius Gunnerud
Hi Guys,
Does the ASA save any logs by default? By logs I mean: if some sort of suspicious activity happens within the network and we want to see what the firewall saw at that time.
Is there any way I can find out logs from last week?
Also, is there any way that the firewall can automatically export logs to a third-party server?
Thanks,
10-21-2020 03:04 PM - edited 10-21-2020 03:05 PM
Logging is not enabled by default on the ASAs. The more buffer size you allocate to logging, the more retention you get. The ASAs can send syslog messages to external servers if configured. Here is a snippet of an example configuration:
logging enable
logging timestamp
logging buffer-size 8192
logging buffered notifications
logging trap informational
logging host <interface facing the Syslog server> <Syslog server IP>
10-21-2020 06:15 PM
Since the firewall buffer is not big enough to hold all the historical logs you are looking for, I suggest sending the logs to a syslog server so you can view them on a historical basis.
10-22-2020 12:41 AM
Does ASA saves any logs by default?
As Aref has mentioned, logging is not enabled by default.
logs means if some sort suspicious activity happen within network and we want to see what Firewall saw at that time.
For the most part the ASA logs only connection-related events (build, teardown, source and destination IP and ports). Threat detection is enabled by default, which will monitor drop rates for a number of events.
Is there anyway I can find out logs from last week?
Unless you are already logging to an external syslog server, or you are logging very specific events that do not generate a lot of logs, you will not be able to view logs from last week. The local logging buffer on the ASA isn't very big and can only hold a limited amount before being overwritten by newer logs.
Also, is there any way that Firewall can automatic export logs to third party server.
Aref has also answered this in his post.
10-22-2020 06:00 AM
I needed logs from 14 days ago and a Google search pointed me here. I was used to Sophos UTM, where I could search for logs one month back because they were stored on the hard drive, and on the ASA nothing. Why do you need a server for logs if the device has an HDD/SSD? Costs more, does less.
10-22-2020 06:34 AM
Agreed, the ASA is a different case. I work with different vendors (CP / Palo / Forti); they do store logs for longer.
In terms of the ASA, they are stored in a buffer and will be purged as they are overwritten with new messages.
If you like, you can have CSM in place (I would suggest a syslog server; out of the box it is the easy solution).
FTD / FMC are more capable, like the other products, moving forward.
10-22-2020 06:37 AM
This all really depends on what you are logging. If you are logging debugging, the buffer space will be used up very fast; if you are logging warning, or error, or perhaps even warning, this will use much less space, since these do not happen often, and you will be able to look at older logs stored on the ASA.
If the ASA crashes or reboots you will lose any logs you had stored locally so a syslog server is recommended and is a best practice to implement no matter what networking device vendor you use.
10-22-2020 11:58 AM
Hello @Marius Gunnerud @Aref Alsouqi @balaji.bandi
ciscoasa# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 150319 messages logged
what does ASDM logging have in it?
Thanks
10-22-2020 12:37 PM
ASDM logging logs the same as what you would see in the CLI, just through a GUI. This also logs to a buffer.
10-23-2020 12:22 AM - edited 10-23-2020 12:25 AM
ASDM logging allows the device to display the logs on the ASDM console. ASDM has its own buffer, you can change that buffer size with the command logging asdm-buffer-size. You can also change the severity level of ASDM logging, in the example you posted, it is set to display severity 6 which is informational, so any severity 6 Syslog messages all the way down to severity 0 will be shown on the ASDM console.
10-26-2020 08:34 AM
Hello @Aref Alsouqi @Marius Gunnerud
What's the max size we can have for the asdm-buffer, and for how much time back can it hold logs? Like, should I be able to see logs from two days back after doing this?
Thanks
10-26-2020 11:09 AM
I think the ASDM buffer size works on a per-message basis; I think you can set it up to a max of 512 messages. Depending on the traffic in your environment, those might last from a few seconds to, less likely, as much as a few days. You should use an external SIEM to have proper log review and event correlation.
10-26-2020 01:49 PM
The max size of the buffer is 1048576 bytes. How far back in time you will be able to view logs depends on how much traffic is being logged and what logging level you have enabled. I would think you will see logs going back a few hours, maybe 24 hours if you do not have too much traffic passing through. Not much more than that.
For log analysis you would really need a SIEM, as Aref mentioned, or some other syslog server.
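Two points made in this thread are worth seeing in working code: the ASA keeps a message at a given destination only when the message's severity is at or below the level configured for that destination, and the connection build/teardown messages Marius describes are severity 6 (informational). The block below is an added example, not code from the thread or from Cisco. It parses a few constructed ASA syslog lines the way a syslog server or SIEM would, counts ACL denies per source, and estimates how far back a 1048576-byte buffer would reach at the sample's message rate. The header layout (timestamp, device-id, %ASA-severity-id) and the message IDs 302013/302014/302015/106023/111008 follow the ASA's documented format; the hostname, addresses, ports, timestamps and message rate are made up.

```python
"""Parse ASA syslog messages as a syslog server would and estimate how far
back the ASA's local buffer can reach.

Added example; not code from the Cisco Community thread. Header shape and
message IDs are the ASA's documented conventions; every address, port,
hostname, timestamp and rate below is constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Level names accepted by "logging buffered <level>" / "logging trap <level>".
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample of what arrives with "logging timestamp" and
# "logging device-id hostname" enabled: one TCP build/teardown pair, two ACL
# denies from the same source, one config-change audit message, one UDP build.
SAMPLE_LOG = """\
Oct 22 2020 11:58:01 ciscoasa : %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.1.1.10/443 (10.1.1.10/443)
Oct 22 2020 11:58:03 ciscoasa : %ASA-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:10.1.1.10/22 by access-group "outside_in" [0x0, 0x0]
Oct 22 2020 11:58:04 ciscoasa : %ASA-4-106023: Deny tcp src outside:198.51.100.7/40002 dst inside:10.1.1.10/3389 by access-group "outside_in" [0x0, 0x0]
Oct 22 2020 11:58:06 ciscoasa : %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/51234 to inside:10.1.1.10/443 duration 0:00:05 bytes 8213 TCP FINs
Oct 22 2020 11:58:09 ciscoasa : %ASA-5-111008: User 'admin' executed the 'logging asdm-buffer-size 512' command.
Oct 22 2020 11:58:11 ciscoasa : %ASA-6-302015: Built outbound UDP connection 4712 for inside:10.1.1.20/53412 (192.0.2.1/53412) to outside:8.8.8.8/53 (8.8.8.8/53)
"""

HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")
BUILT = re.compile(  # 302013 (TCP) / 302015 (UDP); mapped addresses skipped
    r"^Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)$")
DENY = re.compile(  # 106023; trailing hash brackets are ignored
    r'^Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def parse_line(line):
    """Return a dict for one ASA syslog line, or None if it is not one."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
           "host": m["host"], "severity": int(m["sev"]), "id": m["id"],
           "text": m["text"], "raw": line}
    body = BUILT.match(m["text"]) or DENY.match(m["text"])
    if body:
        rec.update(body.groupdict())   # src/dst/ports/acl when we know the shape
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def passes_level(rec, level):
    """The ASA delivers a message to a destination configured for <level>
    only when the message's severity number is <= that level's number."""
    return rec["severity"] <= SEVERITY[level]


def denied_sources(records):
    """Per-source count of ACL denies (106023): the quickest 'what did the
    firewall see' view when a scan is suspected."""
    return Counter(r["src"] for r in records if r["id"] == "106023")


def buffer_reach_seconds(records, level, buffer_bytes=1048576):
    """Rough estimate of how far back a buffer of buffer_bytes reaches, at the
    observed rate and size of the messages that pass <level>. Returns None
    when the sample is too small to support an estimate."""
    kept = [r for r in records if passes_level(r, level)]
    if len(kept) < 2:
        return None
    span = (kept[-1]["ts"] - kept[0]["ts"]).total_seconds()
    if span <= 0:
        return None
    avg_bytes = sum(len(r["raw"].encode()) + 1 for r in kept) / len(kept)
    rate = len(kept) / span            # messages per second in the sample
    return buffer_bytes / (avg_bytes * rate)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("parsed", len(recs), "messages; denies by source:", dict(denied_sources(recs)))
    for lvl in ("notifications", "informational"):
        kept = sum(passes_level(r, lvl) for r in recs)
        print(f"logging buffered {lvl}: keeps {kept}/{len(recs)} of the sample; "
              f"a 1 MB buffer reaches back ~{buffer_reach_seconds(recs, lvl):.0f} s at this rate")
```

One thing the severity check makes visible: with a destination configured at notifications (severity 5), the severity-6 302013/302014 connection messages are never delivered to that destination at all, while a destination configured at informational receives them. So, when retracing what the firewall saw, check the level configured for each destination (`show logging` lists them) before assuming the buffer or the syslog host ever held the message. The retention estimate is only as good as the sample it is fed; a real capture over a busy period will give a far shorter reach than six constructed lines.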