Snika
Participant

Difference between "log buffer" and "real-time log viewer" in ASA

[attachment: 20210201_092641.png]

What's the difference between "log buffer" and "real-time log viewer" on the ASA?

I would like to access the ASA and view past logs.

However, there is no log before the time I accessed the ASA.

Tyson Joachims
Rising star

If you want to be able to see past logs, you will need to configure the internal buffer.

In the ASDM under Configuration > Device Management > Logging > Logging Setup, ensure that "Enable Logging" is checked. The buffer size will need to be defined (the larger the buffer, the more logs can be stored). I prefer 40960 bytes. Apply.

Under Configuration > Device Management > Logging > Logging Filters, select a severity for the "Internal Buffer". I usually like to go with "Warnings" but you may be looking for something more specific. Apply.

The internal buffer of the ASA is not infinite so if you have a need to store logs even longer than what is available on the ASA, you can offload logs to a syslog server. This can be configured under Configuration > Device Management > Logging > Syslog Servers. In a pinch, I sometimes launch TFTPd64 (http://tftpd32.jounin.net/tftpd32_download.html) and run the syslog server daemon.

Log is enabled.

How do I set it up in the filter to see past logs?

And what's the difference between "log buffer" and "real-time log viewer"?

[attachment: 11.png]

You need to set up a SYSLOG server to offload logs, if you're looking to store logs long term.

 

The ASA buffer is very small and cannot hold information for long; since with this FW you get many logs, it will be filled up too quickly.



BB


*** Rate All Helpful Responses ***

That's not what I'm curious about.

When entering the Log Buffer, there are no past logs.

To give an exact example, if I check the Log Buffer at 8:00, I see logs from 8:00.

I would like to see the logs before 8:00.

As per my understanding, if you make a change at 8:00 you will not see the logs from before that? Is this correct?

 

Once you change those log settings you can view old logs.

 

(Apologies if I misunderstood the requirement here.)



BB


*** Rate All Helpful Responses ***

Tyson Joachims
Rising star

@Snika The Log Buffer in ASDM shows the last 100 logs which in your case, isn't super helpful. What you can do is go to the CLI (either through the ASDM by going to Tools > Command Line Interface, or SSH/Telnet/Console to the ASA) and then run the command "show log". This will give you everything that is in the internal buffer. Since there is such little traffic on my network and my settings were for 40960 bytes at the severity of Warnings and above level, I am able to see about 3 hours worth of logs. Offloading to the syslog server would provide you much more storage where you likely could store months or more worth of data. The only downside is that you will only start logging once you make the configuration change.
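As an added example (not from the thread), the CLI equivalent of the ASDM steps described in the replies above (Logging Setup, Logging Filters, Syslog Servers) and of the "show log" check; the interface name inside and the syslog server address 192.0.2.10 are assumed placeholders:

```cisco
! Added example, not from the original thread. Placeholders: interface "inside",
! syslog server 192.0.2.10.
logging enable
logging timestamp
! Internal buffer (what "show log" / the ASDM Log Buffer reads): 40960 bytes,
! keeping Warnings (severity 4) and more severe. The buffer is circular, so
! older entries are overwritten once it fills, and nothing before "logging
! enable" was ever recorded.
logging buffer-size 40960
logging buffered warnings
! Level streamed to the ASDM real-time log viewer (a live feed, not storage).
logging asdm informational
! Offload to a syslog server for long-term retention beyond the buffer.
logging host inside 192.0.2.10
logging trap warnings
! Verify the settings and read the whole buffer, not just the last 100 lines.
show logging
show logging | include %ASA-4-
```

"logging buffered" decides what lands in the stored buffer, while "logging asdm" only decides what the real-time viewer shows while it is open.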
