Is too much syslog a DOS condition?

hoffa2000
Level 3

Hi all

I'd like to share something that's happened to me over the past months. On several occasions I've had ASA5525 with Firepower services and ASA5516s running FTD freeze up on me at least twice a month with 100% CPU and the DATAPATH process using it all, despite the number of cores present in the hardware. The only way to restore operation was a complete restart of both HA units. I've had TAC involved in all cases gathering traffic, crash logs and all else needed, without coming to any clear conclusion. I've had the freezes happen both in low traffic situations and during normal activity, with or without Internet connectivity. Several different sites and network designs have been involved. In short, no clear clue, which is awful.

One of the TAC engineers however got me thinking about our syslogging strategy, which is basically "log everything to UDP 514". I have since reduced logging from debug level to informational and have also disabled some of the NAT events and redundant connection established events.

It has been two months now without a freeze event, so I'm wondering, is this a thing? Is there a vulnerability in the Cisco ASA/FTD platform regarding syslogging?

 

Regards

Fredrik 

6 Replies

Oleg Volkov
Spotlight
The debugging level of syslog generates a very large number of messages, and the informational level generates many messages too. Do you really need these messages?
--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

Hi

Correct, debug logging might be a bit over the top, but I need some of the informational level logs like denies, allows, and teardowns, both for troubleshooting and possible forensics. If I had a penny for every time I had to prove an application being down and not the "firewall as the problem" by showing a TCP SYN timeout or reset log message, I'd be a rich man. Our Firepower management is virtual and thus lacks the capacity for long term storage, which leaves me with the only option of gathering syslogs; in my case I'm sending them to a Graylog cluster. To my knowledge I haven't seen any advice regarding the syslog capacity of the platform, and if it's the case that too much causes a catastrophic failure, I think it would behoove Cisco to at least mention it.

 

/Fredrik

What software do you use? (SIEM?)


Not really a SIEM. A Graylog cluster, which is built on Elastic with a pretty good search function on top. There are some graphical analysis tools, but text search is the main feature for us.

 

/Fredrik

You can change the message level and/or use a filter, if you know which messages you need. Please read about logging list and logging message; one of many materials is:
http://www.ciscopress.com/articles/article.asp?p=1755914&seqNum=5
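To put the "use a filter if you know which messages you need" advice into practice, you first have to measure which message IDs dominate the volume. The following is an added example, not code from this thread or from Cisco: a small Python script that tallies a few constructed ASA/FTD syslog lines by message ID and emits `no logging message <id>` lines for the high-volume candidates (connection built and NAT translation events, as the original poster disabled) while always keeping deny and teardown messages, since those carry the SYN Timeout / reset reasons needed for troubleshooting. The candidate and keep sets, the 10% share threshold and the sample lines are assumptions.

```python
import re
from collections import Counter

# ASA/FTD syslog header: %ASA-<severity>-<six-digit message id>:
HEADER = re.compile(r"%(?:ASA|FTD)-(?P<sev>\d)-(?P<id>\d{6}):")

# Assumption: high-volume message IDs that are reasonable to drop when
# volume is the problem (connection built, NAT translation built/torn down).
SUPPRESS_CANDIDATES = {
    "302013": "Built TCP connection",
    "302015": "Built UDP connection",
    "305011": "Built dynamic translation",
    "305012": "Teardown dynamic translation",
}

# Assumption: never suppress denies or teardowns; the teardown message carries
# the reason field (e.g. "SYN Timeout") used to prove the firewall is not at fault.
KEEP_ALWAYS = {"106023", "302014", "302016"}

# Constructed sample syslog lines (RFC 3164 priority prefix plus ASA body).
SAMPLE = [
    "<166>Jan 10 12:00:01 fw01 %ASA-6-302013: Built inbound TCP connection 1 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/51234 (192.0.2.10/51234)",
    "<166>Jan 10 12:00:01 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:192.0.2.10/51234 to outside:198.51.100.1/1025",
    "<166>Jan 10 12:00:02 fw01 %ASA-6-302013: Built inbound TCP connection 2 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.11/51235 (192.0.2.11/51235)",
    "<166>Jan 10 12:00:02 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:192.0.2.11/51235 to outside:198.51.100.1/1026",
    "<166>Jan 10 12:00:03 fw01 %ASA-6-302013: Built outbound TCP connection 3 for outside:203.0.113.7/80 (203.0.113.7/80) to inside:192.0.2.12/51236 (192.0.2.12/51236)",
    "<166>Jan 10 12:00:03 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:192.0.2.12/51236 to outside:198.51.100.1/1027",
    "<166>Jan 10 12:00:31 fw01 %ASA-6-302014: Teardown TCP connection 1 for outside:203.0.113.5/443 to inside:192.0.2.10/51234 duration 0:00:30 bytes 0 SYN Timeout",
    "<166>Jan 10 12:00:32 fw01 %ASA-6-302013: Built outbound TCP connection 4 for outside:203.0.113.7/80 (203.0.113.7/80) to inside:192.0.2.13/51237 (192.0.2.13/51237)",
    "<164>Jan 10 12:00:33 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:192.0.2.10/22 by access-group \"OUTSIDE_IN\"",
    "<166>Jan 10 12:00:34 fw01 %ASA-6-302014: Teardown TCP connection 3 for outside:203.0.113.7/80 to inside:192.0.2.12/51236 duration 0:00:31 bytes 1024 TCP Reset-O",
    "<166>Jan 10 12:00:35 fw01 %ASA-6-305012: Teardown dynamic TCP translation from inside:192.0.2.12/51236 to outside:198.51.100.1/1027 duration 0:00:32",
]


def tally(lines):
    """Count occurrences per message ID; lines without an ASA/FTD header are ignored."""
    counts = Counter()
    for line in lines:
        m = HEADER.search(line)
        if m:
            counts[m.group("id")] += 1
    return counts


def suppression_plan(counts, min_share=0.10):
    """Return candidate IDs whose share of total volume is at least min_share,
    highest volume first, never including anything in KEEP_ALWAYS."""
    total = sum(counts.values())
    if total == 0:
        return []
    plan = []
    for msg_id, n in counts.most_common():
        if msg_id in KEEP_ALWAYS:
            continue
        if msg_id in SUPPRESS_CANDIDATES and n / total >= min_share:
            plan.append(msg_id)
    return plan


def render_config(plan):
    """ASA CLI lines: keep the trap level at informational (as the poster did)
    and disable each selected message ID with `no logging message <id>`."""
    cfg = ["logging trap informational"]
    cfg += [f"no logging message {msg_id}" for msg_id in plan]
    return cfg


if __name__ == "__main__":
    counts = tally(SAMPLE)
    for msg_id, n in counts.most_common():
        print(f"{msg_id} {n:4d}  {SUPPRESS_CANDIDATES.get(msg_id, 'keep')}")
    print()
    print("\n".join(render_config(suppression_plan(counts))))
```

Run it against a real sample (a few minutes of your Graylog export) instead of `SAMPLE` to see the actual distribution before disabling anything; on FTD the same message-ID suppression is applied through the FMC platform settings rather than the ASA CLI.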

balaji.bandi
Hall of Fame

I recommend running debug only when required; if you are looking to run it all the way, what is the requirement?

As suggested, if you are looking to have more logs, offloading to a syslog server would be a good idea, so the processing load and log filling in FirePOWER also reduce; as you mentioned, you already noticed that significant improvement.

 

BB
