
Cisco ASA 5515-X logging

@Rob Ingram  @balaji.bandi  @Marius Gunnerud

Hi Guys,

Does the ASA save any logs by default? By logs I mean: if some sort of suspicious activity happens within the network and we want to see what the firewall saw at that time.

Is there any way I can find logs from last week?

Also, is there any way that the firewall can automatically export logs to a third-party server?

Thanks,

2 ACCEPTED SOLUTIONS

I think the ASDM buffer size works on a per-message basis; I think you can set it up to a max of 512 messages. Depending on the traffic in your environment, those might last from a few seconds to, less likely, as much as a few days. You should use an external SIEM to have proper log review and event correlation.


The max size of the buffer is 1048576 bytes. How far back in time you will be able to view logs depends on how much traffic is being logged and what logging level you have enabled. I would think you will see logs back in time a few hours, maybe 24 hours if you do not have too much traffic passing through. Not much more than that.

For log analysis you would really need a SIEM, as Aref mentioned, or some other syslog server.

--
Please remember to select a correct answer and rate helpful posts


12 REPLIES

Rising star

Logging is not enabled by default on the ASAs. Depending on how much buffer size you allocate to the logging, you would get more retention. The ASAs can send syslog messages to external servers if configured. Here is a snippet of an example configuration:

logging enable
logging timestamp
logging buffer-size 8192
logging buffered notifications
logging trap informational
logging host <interface facing the Syslog server> <Syslog server IP>

VIP Mentor

Since the firewall buffer is not good enough to hold all the historical logs you are looking for, I suggest sending the logs to a syslog server so you can view them on a historical basis.

BB
*** Rate All Helpful Responses ***
VIP Advisor

Does the ASA save any logs by default?

As Aref has mentioned, logging is not enabled by default.

By logs I mean: if some sort of suspicious activity happens within the network and we want to see what the firewall saw at that time.

The ASA for the most part logs only connection-related events (build, teardown, source and destination IP and ports). Threat detection is enabled by default, which will monitor drop rates for a number of events.

Is there any way I can find logs from last week?

Unless you are already logging to an external syslog server, or you are logging very specific events that do not generate a lot of logs, you will not be able to view logs from last week. The local logging buffer on the ASA isn't very big and can only hold a limited amount before being overwritten by newer logs.

Also, is there any way that the firewall can automatically export logs to a third-party server?

Aref has also answered this in his post.

--
Please remember to select a correct answer and rate helpful posts
Beginner

I needed logs from 14 days ago and a Google search pointed me here. I was used to Sophos UTM, where I could search for logs one month back because they were stored on the hard drive, and on the ASA there is nothing. Why do you need a server for logs if the device has an HDD/SSD? Costs more, does less.

VIP Mentor

Agreed, the ASA is a different case. I work with different vendors, CP / Palo / Forti; they do store logs for longer.

In terms of the ASA, they are stored in the buffer and they will be purged as they are overwritten with new messages.

If you like, you can have CSM in place (I would suggest a syslog server; out of the box it is an easy solution).

FTD / FMC are more capable, like the other products, moving forward.


BB
*** Rate All Helpful Responses ***
VIP Advisor

This all really depends on what you are logging. If you are logging debugging, the buffer space will be used up very fast; if you are logging warning, or error, or perhaps even warning, this will use much less disk space since these do not happen often, and you will be able to look at older logs stored on the ASA.

If the ASA crashes or reboots you will lose any logs you had stored locally so a syslog server is recommended and is a best practice to implement no matter what networking device vendor you use.

--
Please remember to select a correct answer and rate helpful posts

Hello @Marius Gunnerud  @Aref Alsouqi  @balaji.bandi

ciscoasa# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 150319 messages logged

What does ASDM logging have in it?

Thanks
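The `show logging` output above tells you, destination by destination, where messages are going and therefore how long they survive. The following Python script is an added example (not from the thread, not Cisco code) that parses that plain-text format and reports the retention gaps the replies describe: no buffered logging, no syslog (trap) destination, ASDM-only logging, and missing timestamps. The sample input is the output posted in the thread; the key/value line format is assumed from that output.

```python
"""Audit an ASA `show logging` dump for log-retention gaps.

Added example, not from the thread: parses the plain-text `show logging`
output into a dict and reports the conditions the replies warn about.
"""
import re

# The `show logging` output posted in the thread, used here as sample input.
SHOW_LOGGING = """\
ciscoasa# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 150319 messages logged
"""

# "Setting: value" lines; the prompt line has no colon and is skipped.
LINE_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
# Enabled destinations report "level <name>" and optionally a message count.
LEVEL_RE = re.compile(r"level (?P<level>\w+)(?:, (?P<count>\d+) messages logged)?")


def parse_show_logging(text):
    """Return {setting: {'enabled': bool, 'level': str|None, 'count': int|None}}."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        entry = {"enabled": value != "disabled", "level": None, "count": None}
        lm = LEVEL_RE.search(value)
        if lm:
            entry["level"] = lm.group("level")
            if lm.group("count"):
                entry["count"] = int(lm.group("count"))
        settings[key] = entry
    return settings


def _enabled(settings, key):
    return bool(settings.get(key, {}).get("enabled"))


def audit(settings):
    """Return a list of findings about where the logs will (not) be retained."""
    findings = []
    if not _enabled(settings, "Syslog logging"):
        findings.append("logging is disabled entirely (no `logging enable`)")
        return findings
    if not _enabled(settings, "Trap logging"):
        findings.append("no syslog (trap) destination: nothing leaves the box, history is lost on reboot")
    if not _enabled(settings, "Buffer logging"):
        findings.append("buffered logging disabled: `show logging` keeps no message history on the CLI")
    if _enabled(settings, "ASDM logging") and not _enabled(settings, "Buffer logging") \
            and not _enabled(settings, "Trap logging"):
        findings.append("ASDM buffer is the only destination: retention is limited to its message-count buffer")
    if not _enabled(settings, "Timestamp logging"):
        findings.append("timestamps disabled: buffered messages cannot be placed in time")
    return findings


if __name__ == "__main__":
    parsed = parse_show_logging(SHOW_LOGGING)
    for finding in audit(parsed):
        print("-", finding)
```

Run against the thread's output it reports four findings, which is the situation the replies describe: ASDM is the only place the 150319 messages went, so there is nothing on the CLI buffer and nothing off-box.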

VIP Advisor

ASDM logging logs the same as what you would see in the CLI, just through a GUI. This also logs to a buffer.

--
Please remember to select a correct answer and rate helpful posts
Rising star

ASDM logging allows the device to display the logs on the ASDM console. ASDM has its own buffer; you can change that buffer size with the command logging asdm-buffer-size. You can also change the severity level of ASDM logging. In the example you posted, it is set to display severity 6, which is informational, so any severity 6 syslog messages all the way down to severity 0 will be shown on the ASDM console.
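Putting numbers on the retention estimates in this thread (Aref's `logging buffer-size 8192` and the 512-message ASDM buffer, Marius's 1048576-byte maximum, and the effect of the severity level kept): the following Python script is an added example, not from the thread or from Cisco. It assumes the standard `%ASA-<severity>-<id>` message format with buffer-style timestamps, treats each message as costing its byte length plus a newline in the buffer (an approximation; the ASA's own accounting is not documented here), and uses a constructed six-message sample. It generalises the thread's point to any buffer size and any `logging buffered <level>`.

```python
"""Estimate how far back an ASA's local logging buffer can reach.

Added example, not from the thread: the `logging buffered` store is a
fixed-size circular buffer (bytes) and the ASDM buffer holds a fixed number
of messages, so how far back either reaches depends on message rate,
message size and the severity level you keep. This measures rate and size
from a sample of syslog lines and projects retention.
"""
from datetime import datetime
import re

# ASA severity levels as used by `logging buffered <level>`.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample: six ASA messages over a 10-second window (timestamps,
# addresses and connection ids are made up; the message ids are real ASA ids).
SAMPLE_LOG = """\
Jun 10 2020 10:15:00: %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.0.0.5/51234 (203.0.113.2/51234)
Jun 10 2020 10:15:02: %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.20/443 to inside:10.0.0.5/51234 duration 0:00:02 bytes 5120 TCP FINs
Jun 10 2020 10:15:04: %ASA-6-302015: Built outbound UDP connection 1002 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:10.0.0.5/40001 (203.0.113.2/40001)
Jun 10 2020 10:15:05: %ASA-4-106023: Deny tcp src outside:192.0.2.77/40123 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jun 10 2020 10:15:06: %ASA-6-302016: Teardown UDP connection 1002 for outside:198.51.100.53/53 to inside:10.0.0.5/40001 duration 0:00:02 bytes 180
Jun 10 2020 10:15:10: %ASA-5-111008: User 'admin' executed the 'logging buffer-size 1048576' command.
"""

# "<Mon> <day> <year> <hh:mm:ss>: %ASA-<sev>-<id>: <text>" (buffer timestamp style, assumed).
MSG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d): "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$"
)


def parse_asa_line(line):
    """Parse one timestamped ASA message; return None for lines that do not match."""
    m = MSG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "severity": int(m.group("sev")),
        "id": m.group("id"),
        "text": m.group("text"),
        "bytes": len(line.encode()) + 1,  # cost in the buffer: line plus newline (approximation)
    }


def measure(log_text, level="informational"):
    """Return (messages_per_second, avg_bytes_per_message) for the messages at or
    below `level`, i.e. the ones `logging buffered <level>` would actually keep.
    The time window is taken from all messages in the sample."""
    msgs = [m for m in map(parse_asa_line, log_text.splitlines()) if m]
    if len(msgs) < 2:
        raise ValueError("need at least two timestamped messages")
    window = (msgs[-1]["ts"] - msgs[0]["ts"]).total_seconds()
    if window <= 0:
        raise ValueError("sample does not span any time")
    kept = [m for m in msgs if m["severity"] <= LEVELS[level]]
    if not kept:
        return 0.0, 0.0
    rate = len(kept) / window
    avg_bytes = sum(m["bytes"] for m in kept) / len(kept)
    return rate, avg_bytes


def retention_seconds_bytes(buffer_bytes, rate, avg_bytes):
    """Seconds a byte-sized buffer (`logging buffer-size`) holds before it wraps."""
    if rate == 0 or avg_bytes == 0:
        return float("inf")
    return buffer_bytes / (avg_bytes * rate)


def retention_seconds_messages(max_messages, rate):
    """Seconds a message-count buffer (`logging asdm-buffer-size`) holds before it wraps."""
    if rate == 0:
        return float("inf")
    return max_messages / rate


if __name__ == "__main__":
    for level in ("informational", "notifications"):
        rate, avg = measure(SAMPLE_LOG, level)
        for size in (8192, 1048576):
            hours = retention_seconds_bytes(size, rate, avg) / 3600
            print(f"{level:14} buffer-size {size:>8}: ~{hours:8.2f} h at {rate:.2f} msg/s")
        asdm_hours = retention_seconds_messages(512, rate) / 3600
        print(f"{level:14} asdm-buffer 512 msgs: ~{asdm_hours:.2f} h")
```

Feed it a few minutes of your own buffered output instead of the constructed sample and the projection becomes meaningful for your traffic; the two things to notice are that the byte buffer scales linearly with `logging buffer-size` (the 1048576-byte maximum holds 128 times as much as 8192) and that dropping from `informational` to `notifications` discards the connection build/teardown messages, which is what stretches a small buffer from seconds to hours at the cost of losing exactly the events you would want after an incident.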


Hello @Aref Alsouqi @Marius Gunnerud

What's the max size we can have for the asdm-buffer, and for how much time back can it hold logs? Like, should I be able to see logs two days back after doing this?

Thanks
