01-05-2011 09:52 AM - edited 03-11-2019 12:30 PM
I've been researching what my options are for capturing logs remotely. Any comments are appreciated.
1. Syslog to a syslog server in cleartext over the internet is out for obvious security reasons.
2. Site-to-site VPN to a syslog server is possible, but some clients won't allow this and it is a lot of overhead.
3. Client-based or clientless VPN is possible, but also a certain amount of work to set up.
4. A local syslog server which FTPs daily files to a remote system or allows access through the ASA.
5. I wonder if anyone agrees with this: it would seem a very nice and logical enhancement for the ASDM log viewer to allow it to write to a file, especially since the processing is on a local machine.
01-05-2011 03:49 PM
You can actually configure "buffered" logging (i.e., logging in the ASA buffer), and save a copy of the logs to either flash or an FTP server before the logs wrap. Please find the ASDM configuration section attached.
You are absolutely correct with your Options 1, 2 and 3.
Option 4 would probably be the best option.
Option 5 can be achieved through the buffered logging advised earlier.
Hope that helps.
01-05-2011 08:20 PM
Thanks for pointing that out. Would the FTP option use distinct file names if I had several ASAs FTPing to my server?
I still think the real-time log viewer should have an option to write continuously to disk. How can I request that enhancement?
I mean, for most purposes, there seem to be three categories of log capturing required:
1. spot checks that can be caught as something scrolls by and pausing the log viewer
2. periods of several hours or a whole day, but not 24 hours continuous
3. Everything 24x7x365
If the real-time log viewer could log to disk, category #2 is covered far more easily than by using FTP. You simply connect and let the viewer run and log instead of having to concatenate FTP files together and then work with that.
01-05-2011 08:59 PM
Yes, you can create multiple folders on your FTP server, and FTP different ASAs to different folders for the distinction. Please find the attached ASDM screenshot where you can configure the path.
For the enhancement request, please kindly get in touch with your Cisco Account Manager, or if you purchased the ASA from a reseller/partner, they can request the enhancement on your behalf from their Cisco Account Manager.
01-11-2011 11:56 AM
01-11-2011 12:53 PM
Yes, you've got to be careful with TCP syslogging though. If the logging server goes down for some reason, NO NEW connections will be built through the firewall unless you add the "logging permit-hostdown" command.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1773624
-KS
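For readers who want to see the two answers above as CLI rather than ASDM screenshots, here is a constructed ASA configuration fragment (added here; it is not from the thread or from Cisco's documentation). It combines the buffered logging with buffer-wrap save from the accepted answer, the per-ASA FTP directory from the follow-up, and the TCP syslog host with "logging permit-hostdown" that KS warns about. Interface name, addresses, the FTP account and the directory path are placeholders; the buffer size and severity levels are assumptions you should size for your own traffic. Note that the FTP password lands in the running configuration and FTP itself is cleartext, so this only moves Option 1's problem unless the FTP server is reached over a VPN.

```cisco
! Constructed example, not the thread's own configuration. Placeholders:
!   inside          - interface facing the log collector
!   192.0.2.10      - FTP server, 192.0.2.20 - syslog server
!   ftplogs/<ftp-password> - FTP account; path is unique per ASA
logging enable
logging timestamp

! Accepted answer: keep a local ring buffer (assumed 1 MB here) ...
logging buffered informational
logging buffer-size 1048576
! ... and copy it out before it wraps. Each ASA gets its own directory
! so files from several firewalls do not collide on the FTP server.
logging ftp-server 192.0.2.10 /asa-logs/asa-branch01 ftplogs <ftp-password>
logging ftp-bufferwrap
! Alternative or additional target: save the wrapped buffer to local flash.
! logging flash-bufferwrap

! KS's caveat: with a TCP syslog host, the ASA refuses NEW connections
! while the collector is unreachable unless permit-hostdown is set.
! Decide deliberately: permit-hostdown trades guaranteed log delivery
! for availability; without it, a dead collector is a firewall outage.
logging host inside 192.0.2.20 tcp/1470
logging permit-hostdown
logging trap informational
! Later ASA releases than the 8.2 reference linked above accept a
! "secure" keyword on "logging host" for TLS-wrapped TCP syslog; verify
! availability on your release before relying on it.
```

After applying this, confirm the behaviour KS describes by checking "show logging" for the host state and by watching whether new connections are still built while the collector is deliberately stopped in a maintenance window; that tells you whether permit-hostdown is doing what you expect before an unplanned outage does.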
01-11-2011 02:12 PM
That would be bad to overlook. I did see that at the bottom of the ASDM screen. Thanks.