08-14-2015 07:37 AM - edited 03-11-2019 11:25 PM
Hello,
We are having some space constraints on the syslog server. After analysing the logs, it was found that more logs are being generated by an ASA which sits in front of a DNS server. Hence, the more DNS queries arrive, the more syslog messages are sent. Currently, on the ACL statement through which we are permitting the DNS queries, we have enabled logging level "informational", and it sends all three connection messages whenever it gets a hit: (1) "Built", (2) "Teardown" and (3) "access-list Permitted".
Due to security standards we cannot disable the ACL logging. But it is OK for us to get only the Permit ACL logs on the syslog instead of Built, Teardown, Permit. Is it possible to achieve this by lowering the logging level? If yes, what logging level should we use? I do not have a lab to test with different logging levels; it would be great if someone can suggest a way forward.
Regards,
Kris
08-16-2015 02:52 AM
Hi,
No, this would not be possible, as you would not be able to differentiate between syslogs on the basis of their description but can only do it on the basis of the syslog ID.
So, if you want to block the syslog, the complete syslog ID must be disabled.
Thanks and Regards,
Vibhor Amrodia
08-17-2015 12:19 AM
Hi Vibhor,
Thanks for taking time to respond to me.
Which means instead of playing with logging levels, "no logging message 302016" should do the trick?
Regards,
Kris
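The thread settles on filtering by syslog ID, not by logging level. As an added example (not code from any poster), this script tallies ASA messages per ID in a saved log and estimates how much volume disabling a set of IDs would remove. Assumptions: 302016 is the ID named in the thread; 302015 (Built UDP), 106100 (ACL permit hit) and 106023 (deny) are standard ASA IDs supplied here, and the log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample: two permitted DNS queries (three messages each) and one
# unrelated deny. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Aug 14 2015 07:30:01 asa1 : %ASA-6-302015: Built inbound UDP connection 9001 for outside:198.51.100.7/53124 (198.51.100.7/53124) to dmz:192.0.2.53/53 (192.0.2.53/53)
Aug 14 2015 07:30:01 asa1 : %ASA-6-106100: access-list OUTSIDE_IN permitted udp outside/198.51.100.7(53124) -> dmz/192.0.2.53(53) hit-cnt 1 first hit [0x0, 0x0]
Aug 14 2015 07:30:01 asa1 : %ASA-6-302016: Teardown UDP connection 9001 for outside:198.51.100.7/53124 to dmz:192.0.2.53/53 duration 0:00:00 bytes 120
Aug 14 2015 07:30:02 asa1 : %ASA-6-302015: Built inbound UDP connection 9002 for outside:198.51.100.8/40111 (198.51.100.8/40111) to dmz:192.0.2.53/53 (192.0.2.53/53)
Aug 14 2015 07:30:02 asa1 : %ASA-6-106100: access-list OUTSIDE_IN permitted udp outside/198.51.100.8(40111) -> dmz/192.0.2.53(53) hit-cnt 1 first hit [0x0, 0x0]
Aug 14 2015 07:30:02 asa1 : %ASA-6-302016: Teardown UDP connection 9002 for outside:198.51.100.8/40111 to dmz:192.0.2.53/53 duration 0:00:00 bytes 96
Aug 14 2015 07:30:03 asa1 : %ASA-4-106023: Deny udp src outside:203.0.113.9/4444 dst dmz:192.0.2.53/161 by access-group "OUTSIDE_IN" [0x0, 0x0]
"""

# ASA messages carry a "%ASA-<severity>-<6-digit ID>:" tag; the ID is what
# "no logging message <id>" matches, regardless of severity.
ASA_ID = re.compile(r"%ASA-\d-(\d{6}):")

def tally(lines):
    """Return (message count, byte count) Counters keyed by syslog ID."""
    msgs, size = Counter(), Counter()
    for line in lines:
        m = ASA_ID.search(line)
        if m:
            msgs[m.group(1)] += 1
            size[m.group(1)] += len(line.encode()) + 1  # +1 for the newline
    return msgs, size

def estimate_saving(lines, disabled_ids):
    """Estimate what remains and what is saved if disabled_ids are turned off."""
    msgs, size = tally(lines)
    total = sum(size.values())
    dropped = sum(size[i] for i in disabled_ids)
    return {
        "kept": {i: n for i, n in msgs.items() if i not in disabled_ids},
        "dropped_msgs": sum(msgs[i] for i in disabled_ids),
        "saved_pct": round(100 * dropped / total, 1) if total else 0.0,
    }

if __name__ == "__main__":
    print(estimate_saving(SAMPLE_LOG.splitlines(), {"302015", "302016"}))
```

Disabling a message ID applies to the whole ASA, not to one ACL entry, so run the tally over everything the device logs to see which other connection records would disappear with it.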