01-31-2021 04:28 PM
What's the difference between "log buffer" and "real-time log viewer" on the ASA?
I would like to access the ASA and view past logs.
However, there is no log before the time I accessed the ASA.
01-31-2021 05:39 PM - edited 01-31-2021 05:40 PM
If you want to be able to see past logs, you will need to configure the internal buffer.
In the ASDM under Configuration > Device Management > Logging > Logging Setup, ensure that "Enable Logging" is checked. The buffer size will need to be defined (the larger the buffer, the more logs can be stored). I prefer 40960 bytes. Apply.
Under Configuration > Device Management > Logging > Logging Filters, select a severity for the "Internal Buffer". I usually like to go with "Warnings" but you may be looking for something more specific. Apply.
The internal buffer of the ASA is not infinite so if you have a need to store logs even longer than what is available on the ASA, you can offload logs to a syslog server. This can be configured under Configuration > Device Management > Logging > Syslog Servers. In a pinch, I sometimes launch TFTPd64 (http://tftpd32.jounin.net/tftpd32_download.html) and run the syslog server daemon.
02-01-2021 01:11 AM - edited 02-01-2021 01:11 AM
Log is enabled.
How do I set it up in the filter to see past logs?
And what's the difference between "log buffer" and "real-time log viewer"?
02-01-2021 02:15 AM
You need to set up a SYSLOG server to offload logs if you are looking to store logs long term.
The ASA buffer is very low, and it can hold long information; since this is a FW you get many logs, and it will be filled too quickly.
02-01-2021 03:04 AM
That's not what I'm curious about.
When entering the Log Buffer, there are no past logs.
To give an exact example, if I check the Log Buffer at 8:00, I see logs from 8:00.
I would like to see the logs before 8:00.
02-01-2021 03:43 AM
As per my understanding, you make a change at 8:00 and you will not see the logs from before? Is this correct?
Once you change the log settings you can view old logs.
(Apologies if I misunderstood the requirement here.)
02-01-2021 06:53 AM
@JustTakeTheFirstStep The Log Buffer in ASDM shows the last 100 logs which, in your case, isn't super helpful. What you can do is go to the CLI (either through the ASDM by going to Tools > Command Line Interface, or SSH/Telnet/Console to the ASA) and then run the command "show log". This will give you everything that is in the internal buffer. Since there is such little traffic on my network and my settings were for 40960 bytes at the severity of Warnings and above level, I am able to see about 3 hours' worth of logs. Offloading to the syslog server would provide you much more storage where you likely could store months or more worth of data. The only downside is that you will only start logging once you make the configuration change.
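The ASDM steps described in this thread, written as the equivalent ASA CLI configuration. This is an added example, not taken from any of the posts; the interface name `inside`, the syslog server address 192.0.2.10 and the `informational` trap level are assumed values.

```cisco
! Added example. Assumed values: interface "inside", syslog server
! 192.0.2.10 (documentation address), trap level "informational".
configure terminal
 ! Turn logging on globally (the "Enable Logging" checkbox in ASDM)
 logging enable
 ! Stamp each message with the device clock so past events can be ordered
 logging timestamp
 ! Internal buffer: 40960 bytes, keeping severity Warnings and above
 logging buffer-size 40960
 logging buffered warnings
 ! Offload to a syslog server for retention beyond the internal buffer
 logging host inside 192.0.2.10
 logging trap informational
end
! Read back everything held in the internal buffer
! ("show log", as used in the thread, is the abbreviated form)
show logging
! Narrow the output, for example to severity-4 (Warnings) messages
show logging | include ASA-4-
```

The internal buffer wraps, overwriting the oldest messages first, and it is not kept across a reload, so the copy on the syslog server is the only durable one.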