10-06-2016 08:02 AM - edited 03-12-2019 01:21 AM
10-06-2016 04:31 PM
ASDM can only see the limited buffer of near real time events. You can increase the buffer size a bit but it's still limited. You can also store some log messages locally.
You can set a host to send syslog messages. That's the normal path people take if they want retrospective log analysis capability.
Here are the logging settings from one of my ASAs. I've highlighted the minimum you would need to send off to a remote server:
logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging buffered notifications
logging trap warnings
logging asdm notifications
logging device-id hostname
logging host inside <syslog server address>
I also filter out a bunch I don't need on the syslog server or anywhere else and bump up one I do want that I wouldn't normally get as a warning level message. Something like:
no logging message 302020
logging message 622001 level warnings
(That last one tells me my IP SLA operation tracking caused my backup default route to flip to the backup ISP.)
10-07-2016 07:45 AM
Hi Marvin, thanks
The configuration above is used to configure a syslog server, right? I would like to try first using an FTP server.
The configuration that I used on ASDM was:
Configuration > Devices Management > Logging > Logging Setup > Enable logging
I specified the buffer size: 4096 bytes. Which size is the best recommendation?
In save buffer, I enabled FTP server and filled all the parameters.
It showed a warning that I have to adjust the buffered logging level.
However, it isn't sending anything to the FTP server. I have reachability to the FTP server from my ASA. So, I don't know if I'm missing something.
Do you know what is the problem?
10-08-2016 10:04 PM
When you set an FTP server for logging, it only gets a set of log messages when the internal buffer is full. It won't get a file every time a syslog message happens - that would be infeasible to establish a TCP session, log in via FTP and then send a file per message.
The buffer size you use depends in part on how many messages you are generating, which can be moderated by making the severity threshold more or less high priority. For instance, if you have logging buffered informational, you will get several syslog messages for every session or flow (TCP or UDP) through the firewall. That can result in tens of thousands of messages per hour. If on the other hand you are only logging error messages or higher, you may get very few messages.
Cisco typically recommends Warning level (Severity 4) as a default. Include lower severity levels (Notification, Informational or Debugging) only for troubleshooting purposes. If there's a specific message at one of those lower levels you want to see without all the other messages at that level, you can customize the severity of an individual message so that it shows up at a higher severity level. I do this sometimes for VPN authentications.
For a great session on ASA syslog as a tool, please have a listen to this TAC Security podcast episode:
https://supportforums.cisco.com/document/133286/tac-security-podcast-%C3%ABpisode-32-investigating-syslogs-tips-and-tricks
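The trap threshold, the per-message disable and the per-message severity override described in the two answers above can be checked offline before pointing the ASA at a collector. The following is an added example, not code from the thread or from Cisco: it reads the quoted `logging trap` / `logging message` statements, then decides for constructed sample lines (message texts are illustrative, not verbatim ASA output) whether each would be forwarded to the syslog host.

```python
import re

# ASA severity names as used in "logging trap <level>" (0 = emergencies .. 7 = debugging).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Header of an ASA syslog message, e.g. "%ASA-6-302020: ...": the digit is the
# message's default severity, the six-digit number its message ID.
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):")


def parse_policy(config_lines):
    """Collect the trap threshold, disabled IDs and severity overrides from config lines."""
    # trap_level -1 means no "logging trap" statement, so nothing is sent to the host.
    policy = {"trap_level": -1, "disabled": set(), "overrides": {}}
    for line in config_lines:
        words = line.split()
        if words[:2] == ["logging", "trap"]:                 # logging trap warnings
            policy["trap_level"] = SEVERITY[words[2]]
        elif words[:3] == ["no", "logging", "message"]:      # no logging message 302020
            policy["disabled"].add(words[3])
        elif words[:2] == ["logging", "message"] and "level" in words:
            policy["overrides"][words[2]] = SEVERITY[words[words.index("level") + 1]]
    return policy


def forwarded_to_syslog(policy, line):
    """True if the line passes the trap filter, False if filtered, None if not an ASA message."""
    m = ASA_RE.search(line)
    if m is None:
        return None
    msgid = m["msgid"]
    if msgid in policy["disabled"]:
        return False
    severity = policy["overrides"].get(msgid, int(m["sev"]))  # override wins over default
    return severity <= policy["trap_level"]


# The logging statements quoted in the thread.
CONFIG = ["logging trap warnings", "no logging message 302020",
          "logging message 622001 level warnings"]

# Constructed sample lines (hostname fw01 and texts are made up for this example).
SAMPLES = [
    "Oct  6 2016 08:02:11 fw01 : %ASA-6-302020: Built outbound ICMP connection (constructed)",
    "Oct  6 2016 08:02:12 fw01 : %ASA-6-622001: Starting tracked route (constructed)",
    "Oct  6 2016 08:02:13 fw01 : %ASA-4-106023: Deny tcp by access-group (constructed)",
    "Oct  6 2016 08:02:14 fw01 : %ASA-6-302013: Built inbound TCP connection (constructed)",
]

if __name__ == "__main__":
    policy = parse_policy(CONFIG)
    for sample in SAMPLES:
        print(forwarded_to_syslog(policy, sample), sample)
```

With the thread's statements, 302020 is dropped outright, 622001 is promoted to warnings and passes the trap filter, the warning-level deny passes, and the informational 302013 is held back.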