12-01-2015 02:36 PM - edited 03-11-2019 11:58 PM
Hello All,
I'm hoping for some help in debugging a problem with the syslogs from our ASA device. We're missing data. A _lot_ of data. I'll say up front that I am not the administrator of the ASA device (I'm the consumer of the log data) but our local admin team has run out of ideas, so I thought I'd bring it to the community.
Our ASA device logs to three different machines (it's meant to be 2, but we're transitioning one to a new host and have it temporarily doing all 3 while I test the data integrity.) By pulling a 2-hour block of data from all 3 machines and comparing what is present in each log, I appear to be getting about 77% of the entries on two of the machines (logging via tcp), and 70% of the entries on the third (logging via udp.) Each machine gets a very different collection of data - statistically consistent with it being a random sample. Two of the machines are hardware devices; the other is a virtual machine. None of the three appears to be particularly overloaded CPU-wise or on the network (running about 5Mbps on a 100Mbps network). The virtual machine is running the latest stable rsyslog, as I wanted to eliminate that as a bottleneck. Our network guys tell me that the logging config on the ASA device looks like:
Syslog logging: enabled
    Facility: 23
    Timestamp logging: enabled
    Hide Username logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: level warnings, 324455744 messages logged
    Buffer logging: level notifications, 2408158686 messages logged
    Trap logging: level notifications, facility 23, 9112963408 messages logged
        Logging to inside <machine 1 redacted>
        Logging to inside <machine 2 redacted> tcp/1470 Connected
        Logging to inside <machine 3 redacted> tcp/1470 Connected
    Permit-hostdown logging: enabled
    History logging: disabled
    Device ID: context name "internet"
    Mail logging: disabled
    ASDM logging: level debugging, 4093093239 messages logged
I appreciate any suggestions, and thanks for your time,
- rob.
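One way to do the three-way comparison described above, as an added example that is not part of the original post or of any Cisco tool: it keys each line on the ASA-generated part only (the ASA timestamp, device-id and %ASA message), so the receivers' differing headers do not matter, treats the union of all receivers as the best available baseline, and checks whether the gaps on each receiver look independent of each other. The receiver names, the 192.0.2.1 ASA address and every log line are constructed for the example; the header layouts assume rsyslog's default and high-precision file formats, and the ASA part assumes timestamp logging and a device-id of "internet" as in the show logging output above.

```python
"""Compare the same window of ASA syslog as written by several collectors
to estimate each collector's loss and whether the gaps are independent.

Added example, not from the original thread. Sample lines are constructed
(rsyslog default / high-precision headers, ASA with 'logging timestamp'
and device-id 'internet', as in the poster's 'show logging' output)."""
import re
from collections import Counter
from itertools import combinations

# ASA-generated part of a line: optional ASA timestamp, optional device-id
# ("internet : "), then %ASA-<severity>-<id>: message. Everything before it
# is the receiver's own header, which differs per collector, so it is not
# part of the match key.
ASA_RE = re.compile(
    r"(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?:\S+ : )?)?"
    r"(?P<body>%ASA-\d-\d{6}: .*?)\s*$"
)

def asa_messages(text: str) -> Counter:
    """Multiset of (asa_timestamp, body) keys in one receiver's file. A
    Counter is needed because identical messages (repeated denies in the
    same second) legitimately occur more than once and must not collapse."""
    keys = Counter()
    for line in text.splitlines():
        m = ASA_RE.search(line)
        if m:  # lines without an ASA message (local daemons) are ignored
            keys[(m.group("ts") or "", m.group("body"))] += 1
    return keys

def compare_receivers(files: dict) -> dict:
    """files: receiver name -> raw file contents for the same window."""
    seen = {name: asa_messages(text) for name, text in files.items()}
    # Union by max count approximates what the ASA actually emitted. It is
    # a lower bound: a message dropped by every receiver is invisible here.
    union = Counter()
    for c in seen.values():
        union |= c
    total = sum(union.values())
    hits = {name: sum((c & union).values()) for name, c in seen.items()}
    # Pairwise overlap against what independent random loss would predict:
    # P(both have it) = P(a has it) * P(b has it).
    pairs = {}
    for a, b in combinations(seen, 2):
        both = sum((seen[a] & seen[b]).values())
        pairs[(a, b)] = {"observed": both / total,
                         "expected_if_independent": hits[a] / total * hits[b] / total}
    missed_by_all = 1.0
    for h in hits.values():
        missed_by_all *= 1 - h / total
    return {"total": total, "hits": hits, "union": union,
            "pairs": pairs, "est_missed_by_all": missed_by_all}

def report(r: dict) -> str:
    out = [f"messages seen by at least one receiver: {r['total']}"]
    for name, h in r["hits"].items():
        out.append(f"  {name}: {h}/{r['total']} = {h / r['total']:.1%}")
    for (a, b), p in r["pairs"].items():
        out.append(f"  overlap {a} & {b}: {p['observed']:.1%} observed, "
                   f"{p['expected_if_independent']:.1%} if losses were independent")
    out.append(f"  est. share lost by every receiver (independent model): "
               f"{r['est_missed_by_all']:.2%}")
    return "\n".join(out)

# Constructed sample: one 3-second slice as written by each receiver.
RECEIVERS = {
    "collector1 (tcp)": """\
Dec  1 14:36:01 192.0.2.1 Dec 01 2015 14:36:01 internet : %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.7/51000
Dec  1 14:36:01 192.0.2.1 Dec 01 2015 14:36:01 internet : %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.7/22 by access-group "outside_in"
Dec  1 14:36:01 192.0.2.1 Dec 01 2015 14:36:01 internet : %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.7/22 by access-group "outside_in"
Dec  1 14:36:02 192.0.2.1 Dec 01 2015 14:36:02 internet : %ASA-6-302015: Built outbound UDP connection 1002 for outside:203.0.113.53/53 to inside:10.0.0.7/40000
Dec  1 14:36:03 192.0.2.1 Dec 01 2015 14:36:03 internet : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.7/51000 duration 0:00:02 bytes 5120 TCP FINs
Dec  1 14:36:03 192.0.2.1 Dec 01 2015 14:36:03 internet : %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.7/51001 to outside:198.51.100.2/51001
""",
    "collector2 (tcp)": """\
Dec  1 14:36:01 192.0.2.1 Dec 01 2015 14:36:01 internet : %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.7/51000
Dec  1 14:36:01 192.0.2.1 Dec 01 2015 14:36:01 internet : %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.7/22 by access-group "outside_in"
Dec  1 14:36:02 192.0.2.1 Dec 01 2015 14:36:02 internet : %ASA-6-302015: Built outbound UDP connection 1002 for outside:203.0.113.53/53 to inside:10.0.0.7/40000
Dec  1 14:36:02 192.0.2.1 Dec 01 2015 14:36:02 internet : %ASA-6-302016: Teardown UDP connection 1002 for outside:203.0.113.53/53 to inside:10.0.0.7/40000 duration 0:00:00 bytes 120
Dec  1 14:36:03 192.0.2.1 Dec 01 2015 14:36:03 internet : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.7/51000 duration 0:00:02 bytes 5120 TCP FINs
""",
    "collector3 (udp)": """\
2015-12-01T14:36:00.412871-05:00 collector3 CRON[2311]: (root) CMD (run-parts /etc/cron.hourly)
2015-12-01T14:36:01.003117-05:00 192.0.2.1 Dec 01 2015 14:36:01 internet : %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.7/51000
2015-12-01T14:36:01.003902-05:00 192.0.2.1 Dec 01 2015 14:36:01 internet : %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.7/22 by access-group "outside_in"
2015-12-01T14:36:01.004115-05:00 192.0.2.1 Dec 01 2015 14:36:01 internet : %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.7/22 by access-group "outside_in"
2015-12-01T14:36:02.118320-05:00 192.0.2.1 Dec 01 2015 14:36:02 internet : %ASA-6-302016: Teardown UDP connection 1002 for outside:203.0.113.53/53 to inside:10.0.0.7/40000 duration 0:00:00 bytes 120
2015-12-01T14:36:03.550004-05:00 192.0.2.1 Dec 01 2015 14:36:03 internet : %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.7/51001 to outside:198.51.100.2/51001
""",
}

if __name__ == "__main__":
    print(report(compare_receivers(RECEIVERS)))
```

Two things to read off the output. First, if the observed pairwise overlap sits close to the product of the two coverages, the receivers are losing different messages independently, which points at three separate receive paths (UDP drops, TCP receiver back-pressure, rsyslog queue settings on each host) rather than at one shared cause; overlap well above the product means the same messages are missing on several receivers. Second, this comparison cannot see a message the ASA never sent, since such a message reaches no receiver and never enters the union; with the ratios in the post (77%, 77%, 70%) the independent model puts the share invisible to all three at about 0.23 x 0.23 x 0.30, roughly 1.6%, so the union is a usable baseline. Source-side loss has to be bounded separately, for example by taking the difference in the "Trap logging ... messages logged" counter from two show logging runs bracketing the window and comparing it with the union count (confirm on your software version whether that counter increments once per message or once per destination before dividing).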
12-01-2015 07:17 PM
Hi,
Could be that your firewall is logging faster than it can send to the hosts. What is the logging queue? You can get this via the following command:
show logging queue
Thanks
John
12-02-2015 08:07 AM
Thanks for the quick reply! Our network guys report the queue not looking backed up:
sh logg que
Logging Queue length limit : 8192 msg(s)
0 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 1 msg on queue, 512 msgs most on queue

We checked that before and we have never seen discarded messages…