When you set an ftp server

Melsy_Alexandra · ‎10-06-2016

I'm new working with ASA. I don't know if someone can help me clarifying my doubt. The firewall is:

ASA 5510

IOS 9.0 (1)

ASDM v7.0 (2)

I want to know if there is a way to view logs generated days ago using ASDM. I know I can view it on the dashboard in real time, but I need to see past events. I think the only way it send them to a FTP server. How can I do that configuration in the ASA?

I will be very grateful guys if some of you help me with that.

Marvin Rhoads · ‎10-06-2016

ASDM can only see the limited buffer of near real time events.You can increase the buffer size a bit but it's still limited. You can also store some log messages locally

You can set a host to send syslog messages. That's the normal path people take if they want retrospective log analysis capability.

Here are the logging settings from one of my ASAs. I've highlighted the minimum you would need to send off to a remote server:

logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging buffered notifications
logging trap warnings
logging asdm notifications
logging device-id hostname
logging host inside <syslog server address>

I also filter out a bunch I don't need on the syslog server or anywhere else and bump up one I do want that I wouldn't normally get as a warning level message. Something like:

no logging message 302020
logging message 622001 level warnings

(That last one tells me my ip sla operation tracking caused my backup default route to flip to the backup ISP.)

Melsy_Alexandra · ‎10-07-2016

Hi Marvin, thanks

The configuration above is used to configure a syslog server, ritgh? I would to try first using a FTP server.

The configuration that I used on ASDM was:

Configuration > Devices Managment > Logging > Logging Setup > Enable logging

I specified the buffer size: 4096 bytes. Which size is the best recomendation?

In save buffer, I enabled FTP server and filled all the parameters.

It showed a warning that I have to adjust the buffered logging level.

However, it is sending anything to the FTP server. I have reachability to the FTP server from my ASA. So, I don't know if I'm missing something.

Do you know what is the problem?

Marvin Rhoads · ‎10-08-2016

When you set an ftp server for logging, it only gets a set of log messages when the internal buffer is full. It won't get a file every time a syslog message happens - that would be infeasible to establish a TCP session, logging via ftp and then send a file per message.

The buffer size you use depends in part how many messages you are generating which can be moderated by making the severity threshold more or less high priority. For instance, if you have lugging buffered information, you will get several syslog messages for every session or flow (tcp or udp) through the firewall. That can results in tens of thousand of message per hour. If on the other hand you are only logging error messages or higher, you may get very few messages.

Cisco typically recommends Warning level (Severity 4) as a default. Include lower severity levels (Notification, Informational or Debugging) only for troubleshooting purposes. If there's a specific message at one of those lower level you want to see without all the other messages at that level, you can customize the severity of an individual message so that it shows up at a higher severity level. I do this sometimes for VPN authentications.

For a great session on ASA syslog as a tool, please have a listen to this TAC Security podcast episode:

Episode 32 - Investigating Syslogs: Tips and Tricks

https://supportforums.cisco.com/document/133286/tac-security-podcast-%C3%ABpisode-32-investigating-syslogs-tips-and-tricks

How to view past logs in an ASA 5510

Episode 32 - Investigating Syslogs: Tips and Tricks