Missing data in ASA syslogs

Rob.Moser1
Level 1

Hello All,

I'm hoping for some help in debugging a problem with the syslogs from our ASA device.  We're missing data.  A _lot_ of data.  I'll say up front that I am not the administrator of the ASA device (I'm the consumer of the log data) but our local admin team has run out of ideas, so I thought I'd bring it to the community.

Our ASA device logs to three different machines (it's meant to be 2, but we're transitioning one to a new host and have it temporarily doing all 3 while I test the data integrity.)  By pulling a 2-hour block of data from all 3 machines and comparing what is present in each log, I appear to be getting about 77% of the entries on two of the machines (logging via tcp), and 70% of the entries on the third (logging via udp.)  Each machine gets a very different collection of data - statistically consistent with it being a random sample.  Two of the machines are hardware devices; the other is a virtual machine.  None of the three appears to be particularly overloaded CPU-wise or on the network (running about 5Mbps on a 100Mbps network).  The virtual machine is running the latest stable rsyslog, as I wanted to eliminate that as a bottleneck.  Our network guys tell me that the logging config on the ASA device looks like:

Syslog logging: enabled
    Facility: 23
    Timestamp logging: enabled
    Hide Username logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: level warnings, 324455744 messages logged
    Buffer logging: level notifications, 2408158686 messages logged
    Trap logging: level notifications, facility 23, 9112963408 messages logged
        Logging to inside <machine 1 redacted>
        Logging to inside <machine 2 redacted> tcp/1470 Connected
        Logging to inside <machine 3 redacted> tcp/1470 Connected
    Permit-hostdown logging: enabled
    History logging: disabled
    Device ID: context name "internet"
    Mail logging: disabled
    ASDM logging: level debugging, 4093093239 messages logged

  1. Do you see anything obviously wrong with that logging config?
  2. Is there a way that we can reset those statistics, so I can see a count of the messages the device thinks it is sending out for a given period?
  3. Are there errors I could look for in the logs themselves that might indicate problems transmitting the data?
  4. Any other ideas on where to look for what might be going wrong?

I appreciate any suggestions, and thanks for your time,

     - rob.

2 Replies

johnd2310
Level 8

Hi,

Could be that your firewall is logging faster than it can send to the hosts. What is the logging queue? You can get this via the following command:

show logging queue

Thanks

John

**Please rate posts you find helpful**

Thanks for the quick reply! Our network guys report the queue not looking backed up:

sh logg que

        Logging Queue length limit : 8192 msg(s)
        0 msg(s) discarded due to queue overflow
        0 msg(s) discarded due to memory allocation failure
        Current 1 msg on queue, 512 msgs most on queue

We checked that before and we have never seen discarded messages… 
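Added example (my own script, not code from anyone in this thread): a small Python check for the two things discussed above, the cross-collector comparison in the original post and the "show logging queue" counters in the reply. It assumes the collectors write ASA messages in the usual rsyslog layout ("<timestamp> <host> %ASA-<severity>-<id>: <text>"), that a message can be identified by its timestamp, message id and text, and that the union of what all collectors received is the best available estimate of what the ASA emitted. The message lines and collector contents are constructed; the queue output is the one quoted above. The overlap check also carries the "random sample" reasoning one step further: if each collector independently drops messages, the share of the union seen by two collectors should be close to the product of their individual coverage fractions.

```python
"""Compare ASA syslog coverage across collectors and read 'show logging queue' counters.

Added example, not from the original thread. Assumes the common rsyslog file layout
"<timestamp> <host> %ASA-<sev>-<id>: <text>". All syslog lines below are constructed.
"""
import re

ASA_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)


def parse_asa_line(line):
    """Return (timestamp, msgid, text) for an ASA message, or None for anything else."""
    m = ASA_RE.match(line.strip())
    if not m:
        return None
    return (m.group("ts"), m.group("msgid"), m.group("text").strip())


def _keyed(collectors):
    # One set of message keys per collector; non-ASA lines (rsyslog's own chatter) are skipped.
    return {name: {k for k in map(parse_asa_line, lines) if k} for name, lines in collectors.items()}


def coverage(collectors):
    """collectors: {name: [raw lines]} -> {name: (seen, union_size, fraction_of_union)}.

    ASA syslog carries no per-message sequence number, so two byte-identical messages
    in the same second collapse into one key; treat the fractions as approximate.
    """
    keyed = _keyed(collectors)
    union = set().union(*keyed.values())
    return {n: (len(k), len(union), len(k) / len(union) if union else 0.0) for n, k in keyed.items()}


def pairwise_overlap(collectors, a, b):
    """Return (observed, expected) share of the union seen by BOTH collectors a and b.

    'expected' is what independent random loss would predict: cov(a) * cov(b).
    A large gap between the two suggests the losses are correlated (e.g. one burst
    dropped at the source) rather than independent per-collector drops.
    """
    keyed = _keyed(collectors)
    union = set().union(*keyed.values())
    if not union:
        return 0.0, 0.0
    observed = len(keyed[a] & keyed[b]) / len(union)
    expected = (len(keyed[a]) / len(union)) * (len(keyed[b]) / len(union))
    return observed, expected


QUEUE_RE = {
    "limit": re.compile(r"Logging Queue length limit\s*:\s*(\d+)"),
    "overflow_discards": re.compile(r"(\d+) msg\(s\) discarded due to queue overflow"),
    "alloc_discards": re.compile(r"(\d+) msg\(s\) discarded due to memory allocation failure"),
    "current": re.compile(r"Current (\d+) msgs? on queue"),
    "peak": re.compile(r"(\d+) msgs? most on queue"),
}


def parse_logging_queue(output):
    """Parse 'show logging queue' output into integer counters (missing fields -> None)."""
    return {key: (int(m.group(1)) if (m := rx.search(output)) else None) for key, rx in QUEUE_RE.items()}


def queue_healthy(counters):
    """True when the ASA reports no discards and the peak queue depth stayed under the limit."""
    return (counters["overflow_discards"] == 0 and counters["alloc_discards"] == 0
            and counters["peak"] is not None and counters["peak"] < counters["limit"])


# Constructed sample: eight distinct ASA messages, each collector missing a different subset.
MSGS = [
    "Oct  3 10:00:01 asa1 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.5/51000",
    "Oct  3 10:00:01 asa1 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.5/51000 duration 0:00:00 bytes 1200 TCP FINs",
    "Oct  3 10:00:02 asa1 %ASA-6-302015: Built outbound UDP connection 1002 for outside:203.0.113.9/53 to inside:10.0.0.7/40000",
    'Oct  3 10:00:02 asa1 %ASA-4-106023: Deny tcp src outside:198.51.100.20/4444 dst inside:10.0.0.5/22 by access-group "outside_in"',
    "Oct  3 10:00:03 asa1 %ASA-6-302016: Teardown UDP connection 1002 for outside:203.0.113.9/53 to inside:10.0.0.7/40000 duration 0:00:01 bytes 240",
    "Oct  3 10:00:03 asa1 %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/51001 to outside:198.51.100.1/51001",
    "Oct  3 10:00:04 asa1 %ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.5/443 to inside:10.0.0.5/51001",
    "Oct  3 10:00:05 asa1 %ASA-5-111008: User 'admin' executed the 'show logging queue' command.",
]
SAMPLE_COLLECTORS = {
    "collector1": ["Oct  3 10:00:00 collector1 rsyslogd: start"] + [MSGS[i] for i in (0, 1, 2, 3, 5, 6)],
    "collector2": [MSGS[i] for i in (0, 2, 3, 4, 6, 7)],
    "collector3": [MSGS[i] for i in (1, 3, 4, 5, 7)],
}
SAMPLE_QUEUE = """
        Logging Queue length limit : 8192 msg(s)
        0 msg(s) discarded due to queue overflow
        0 msg(s) discarded due to memory allocation failure
        Current 1 msg on queue, 512 msgs most on queue
"""

if __name__ == "__main__":
    for name, (seen, total, frac) in coverage(SAMPLE_COLLECTORS).items():
        print(f"{name}: {seen}/{total} of union = {frac:.1%}")
    obs, exp = pairwise_overlap(SAMPLE_COLLECTORS, "collector1", "collector2")
    print(f"collector1 & collector2 overlap: observed {obs:.1%}, independent-loss expectation {exp:.1%}")
    q = parse_logging_queue(SAMPLE_QUEUE)
    print("ASA queue counters:", q, "healthy:", queue_healthy(q))
```

Run it against real files by replacing SAMPLE_COLLECTORS with the same 2-hour window read from each host. Zero discards in "show logging queue" together with every collector missing a different random subset of the union points at loss between the ASA and the collectors rather than at the ASA's own queue, so the next places to look are the path in between and the receivers (for UDP, kernel receive-buffer drops on the collector; for TCP, rsyslog's own input and queue statistics).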