Solved: RSyslog cannot parse timestamps from ASA Syslog

Ronit Bhattacharjee · ‎07-11-2023

We use Rsyslog and LogAnalyzer as our Syslog collector. All our routers/switches/firewalls send Syslogs to Rsyslog. We would like timestamps in the log payload and this works fine for routers and switches, but Rsyslog cannot recognise the timestamp of the logs sent by Cisco ASA.

Here's the difference

Router

Firewall

Using packet captures, we can see that the firewall is indeed sending timestamps in the UDP message, but the format is different from the router and that may explain why Rsyslog is not able to parse it.

Is this known behaviour? Any way to get the firewall to send the timestamps in the same format as the router?

Ronit Bhattacharjee · ‎07-11-2023

Yes, applying the command enables timestamps in the pcap, but they are still not recognisable by Rsyslog. The solution was to add "format emblem" at the end of each syslog host. Now the timestamps are recognisable by Rsyslog.

View solution in original post

Aref Alsouqi · ‎07-11-2023

Did you apply the "logging timestamp" command on the ASA?

Ronit Bhattacharjee · ‎07-11-2023

Yes, applying the command enables timestamps in the pcap, but they are still not recognisable by Rsyslog. The solution was to add "format emblem" at the end of each syslog host. Now the timestamps are recognisable by Rsyslog.

MHM Cisco World · ‎07-11-2023

Thanks for update us and share solution.