Deny tcp any any dropping syslog traffic

systems100
Level 1

Dear All,

I configured a Cisco FTD to always send syslog events to a log analyzer.

However, I found out that the deny tcp any any rule I configured to drop undefined traffic from that unsecure interface seems to be dropping the syslog traffic after a while, despite having an access-list permit udp rule configured above the deny tcp rule.

Please, is there something I am missing?

1 Reply

Send Logging Information to a Syslog Server

logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]
logging trap severity_level
logging facility number

A server that runs a syslog application is required in order to send syslog messages to an external host. The ASA sends syslog on UDP port 514 by default, but the protocol and port can be chosen. If TCP is chosen as the logging protocol, the ASA sends syslogs over a TCP connection to the syslog server. If the server is inaccessible, or the TCP connection to the server cannot be established, the ASA will, by default, block ALL new connections. This behavior can be disabled if you enable logging permit-hostdown. See the configuration guide for more information about the logging permit-hostdown command.

Note: The ASA only allows ports ranging from 1025 to 65535. Use of any other port results in the following error:
ciscoasa(config)# logging host tftp 192.168.1.1 udp/516
WARNING: interface Ethernet0/1 security level is 0.
ERROR: Port '516' is not within the range 1025-65535.

Can you not use TCP to send the syslog, and instead use the default UDP?
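As an added worked example (not from this thread and not taken from Cisco's documentation), here are the two logging setups the reply contrasts, written as ASA-style CLI. The interface names, the syslog server address 192.0.2.50, the ACL name and the TCP port 1470 are assumptions chosen for illustration. The first block sends syslog over the default UDP transport, which the existing "permit udp" entry above "deny tcp any any" already covers. The second keeps TCP, so it adds an explicit permit for the server's TCP port above the deny and enables logging permit-hostdown, without which a lost TCP session to the syslog server makes the ASA block all new connections. On an FTD managed by FMC the same settings are made under Platform Settings > Syslog, where the counterpart of permit-hostdown is the option to allow user traffic to pass when the TCP syslog server is down.

```cisco
! Added example, not the thread's configuration. Assumptions:
! log analyzer 192.0.2.50 reached via interface "outside" (the OP's
! unsecure interface), ACL "outside_in" applied inbound on it,
! TCP syslog on port 1470 (inside the allowed 1025-65535 range).

! --- Option 1: default UDP syslog, as the reply suggests ---
logging enable
logging timestamp
! severity 6 (informational) and above
logging trap informational
! facility 20 = LOCAL4
logging facility 20
! no protocol/port given, so UDP/514 is used
logging host outside 192.0.2.50

! --- Option 2: keep TCP syslog, but permit it and survive a dead server ---
logging enable
logging timestamp
logging trap informational
logging facility 20
logging host outside 192.0.2.50 tcp/1470
! Without this line, an unreachable TCP syslog server blocks ALL new
! connections through the firewall.
logging permit-hostdown

! Interface ACL: the permit for the syslog server's TCP port must sit
! above "deny tcp any any". A "permit udp" line on its own does not
! match TCP syslog, which is why the deny catches it.
access-list outside_in extended permit udp any host 192.0.2.50 eq 514
access-list outside_in extended permit tcp any host 192.0.2.50 eq 1470
access-list outside_in extended deny tcp any any
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

After applying either option, check that the server actually receives messages (for example with `show logging` on the ASA, which reports the configured host and the logging state) before relying on the device for audit records; with TCP and no permit-hostdown, a silently failed syslog server shows up as a firewall that stops passing new connections.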
