
FirePower- Clear Syslog at first Install

Devinder Sharma
Level 1

Hello All,

After initial lab staging, configuration and testing, and of course updating / upgrading, we will have tons of log messages that we would like to clear at the time of production cutover.

What is the best way to achieve this? The GUI does not have any way (I am using ASDM), and I can session sfr and then expert to get into the Linux shell to then cd into /var/log, but then it has tons of directories.

I don't want to simply do a >var/logs.

Please advise.

Thanks

5 Replies

Devinder Sharma
Level 1

Looks like the relevant directory is /var/logs/messages. If that is the case, should I empty that directory via

>var/logs/messages

You can use the Data Purge feature in Firepower Manager to clear events, discovered hosts, etc. from the GUI. The location is: System > Tools > Data Purge. I am not sure if ASDM has the same option when managing the Firepower.

Thanks Rahul. ASDM does not have any such way to clear the syslog. Maybe a feature request is in order.

To clear the logs in ASDM, the proper process is as follows:

session sfr

expert

admin@hostname:$ sudo su -

Supply the admin password.

root@hostname:$ >messages

This will delete thousands of pages down to 2. So within seconds it fills 2 pages and this keeps happening. Not sure how we can specify the severity level of syslog so that unwanted clutter does not obscure our view of the messages of interest. Looked under Local / System policy and there are no settings for syslog. Syslog is only available as alert for as action for Intrusion policies / advanced, but these are all locally generated system events.

Here is what I have repeatedly filling the log buffers:

Jan 13 2017 16:05:08 FirePower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 13 2017 16:05:08 FirePower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/faillog -u admin
Jan 13 2017 16:05:08 FirePower sudo: pam_unix(sudo:session): session closed for user root
Jan 13 2017 16:05:08 FirePower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 13 2017 16:05:08 FirePower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/sf/bin/cli_shadow -u admin
Jan 13 2017 16:05:04 FirePower sudo: pam_unix(sudo:session): session closed for user root
Jan 13 2017 16:05:04 FirePower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 13 2017 16:05:04 FirePower sudo: www : TTY=unknown ; PWD=/var/sf/SRU ; USER=root ; COMMAND=/usr/bin/faillog -u admin
Jan 13 2017 16:05:03 FirePower sudo: pam_unix(sudo:session): session closed for user root
Jan 13 2017 16:05:03 FirePower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 13 2017 16:05:03 FirePower sudo: www : TTY=unknown ; PWD=/var/sf/SRU ; USER=root ; COMMAND=/usr/local/sf/bin/cli_shadow -u admin
Jan 13 2017 16:05:03 FirePower sudo: pam_unix(sudo:session): session closed for user root
Jan 13 2017 16:05:03 FirePower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 13 2017 16:05:03 FirePower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/faillog -u admin
Jan 13 2017 16:05:03 FirePower sudo: pam_unix(sudo:session): session closed for user root
Jan 13 2017 16:05:03 FirePower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 13 2017 16:05:03 FirePower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/sf/bin/cli_shadow -u admin
Jan 13 2017 16:05:03 FirePower sudo: pam_unix(sudo:session): session closed for user root
Jan 13 2017 16:05:03 FirePower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 13 2017 16:05:03 FirePower sudo: www : TTY=unknown ; PWD=/var/sf/SRU ; USER=root ; COMMAND=/usr/bin/faillog -u admin
Jan 13 2017 16:05:03 FirePower sudo: pam_unix(sudo:session): session closed for user root
Jan 13 2017 16:05:03 FirePower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 13 2017 16:05:03 FirePower sudo: www : TTY=unknown ; PWD=/var/sf/SRU ; USER=root ; COMMAND=/usr/local/sf/bin/cli_shadow -u admin
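
For the clutter described in the post above, one option when reading the file from the expert shell is to filter at view time instead of emptying the file. The sketch below is an added example, not part of the original thread and not a Cisco tool; it assumes awk is available on the module, the function names are hypothetical, and the last three sample records are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The two noise commands are copied from
# the log excerpt above; the function names are hypothetical.
NOISE_CMDS='/usr/bin/faillog -u admin|/usr/local/sf/bin/cli_shadow -u admin'

# Shared awk prologue: split the noise list, extract COMMAND= from www records.
AWK_COMMON='
BEGIN { n = split(cmds, c, "|") }
function www_cmd(line,   i, cmd) {
    if (line !~ / sudo: +www : /) return ""
    i = index(line, "COMMAND="); if (i == 0) return ""
    cmd = substr(line, i + 8); sub(/[ \t\r]+$/, "", cmd); return cmd
}
function is_noise(cmd,   k) { for (k = 1; k <= n; k++) if (cmd == c[k]) return k; return 0 }'

# Print every record except the polling pattern. Exact match only: a www sudo
# record with any other command, and sudo records of other users, are kept.
# pam_unix(sudo:session) open/close records are dropped because they never
# name the caller; the "user : ... COMMAND=" record carries that.
filter_noise() {
    awk -v cmds="$NOISE_CMDS" "$AWK_COMMON"'
    / sudo: pam_unix\(sudo:session\): session (opened|closed) for user root/ { next }
    is_noise(www_cmd($0)) { next }
    { print }' "$@"
}

# Report how many records each noise command accounts for.
count_noise() {
    awk -v cmds="$NOISE_CMDS" "$AWK_COMMON"'
    { k = is_noise(www_cmd($0)); if (k) hits[k]++ }
    END { for (k = 1; k <= n; k++) printf "%d %s\n", hits[k], c[k] }' "$@"
}

# Sample input: first five records from the post, last three constructed.
sample_log() {
    cat <<'EOF'
Jan 13 2017 16:05:08 FirePower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 13 2017 16:05:08 FirePower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/faillog -u admin
Jan 13 2017 16:05:08 FirePower sudo: pam_unix(sudo:session): session closed for user root
Jan 13 2017 16:05:08 FirePower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/sf/bin/cli_shadow -u admin
Jan 13 2017 16:05:04 FirePower sudo: www : TTY=unknown ; PWD=/var/sf/SRU ; USER=root ; COMMAND=/usr/bin/faillog -u admin
Jan 13 2017 16:06:00 FirePower sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id
Jan 13 2017 16:06:10 FirePower sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/su -
Jan 13 2017 16:06:11 FirePower sshd[1234]: Accepted password for admin from 192.0.2.10 port 50022 ssh2
EOF
}

sample_log | filter_noise
sample_log | count_noise
```

Both functions also accept a file name in place of piped input, so the same filter can be pointed at the messages file itself.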

Tried the above command for ASA5508X. The messages command is not valid. Any help on how to clear the syslogs using the CLI?
