Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1668
Views
10
Helpful
5
Replies

Configure notification on ASA when syslog servers is down?

CiscoPurpleBelt
Level 6
Level 6

‎07-09-2019 10:20 AM - edited ‎02-21-2020 09:17 AM

Is there a way to send a notification to an email or something like that when "logging host management" and/or syslog or audit server goes down?

Also, what it the actual logging server number for just when the server is unreachable or however it detects when it is down?

0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎07-09-2019 10:30 AM

Hi,
Any particular reason you want the alert to come from the ASA?

Normally you'd monitor the SYSLOG server using SNMP with the NMS e.g. Solarwinds or Prime, these systems would then alert you if SYSLOG is down.

HTH

CiscoPurpleBelt
Level 6
Level 6
In response to Rob Ingram

‎07-09-2019 12:13 PM

Not really I guess.
So Solarwinds and prime can be configured to send emails or noitifications to a email distro or something correct?
0 Helpful

Rob Ingram
VIP
VIP
In response to CiscoPurpleBelt

‎07-09-2019 12:40 PM

Yes, you can send email alerts amongst other things.

FYI, Solarwinds can also act as a SYSLOG server

CiscoPurpleBelt
Level 6
Level 6
In response to Rob Ingram

‎07-09-2019 06:35 PM

Do you know which logging event numbers to configure on the ASA to still make sure it logs when a server is down locally?
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-09-2019 08:19 PM

Unless you are using the non-default TCP syslog option, syslog is normally connectionless (udp/514) and the ASA has no way of knowing if the syslog messages are arriving at their destination.

If you use tcp I believe a syslog message will be created for the tcp connection itself (assuming you have informational level 6 logging level).

You should also see one of the following level 3 messages: 

 

  • %ASA-3-414003: TCP Syslog Server intf: IP_Address/port not responding. New connections are [permitted|denied] based on logging permit-hostdown policy.
  • %ASA-3-414005: TCP Syslog Server intf: IP_Address/port connected, New connections are permitted based on logging permit-hostdown policy
  • %ASA-3-414006: TCP Syslog Server configured and logging queue is full. New connections denied based on logging permit-hostdown policy.

References:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/l2.html#pgfId-1795316

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card