Syslog best practices

WStoffel1
Level 1
Level 1

We need to have our syslog server facing the internet to aid in troubleshooting clients. And it's random when I'd need it, and I'd rather not be going back to the firewall and opening the port while I need it, shutting it down later, opening it again, and so on.

Those with public-facing syslog servers, what do you do? Just open up UDP 514 and hope for the best?

Thanks for some input.

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Well, if we are talking about an ASA firewall then I guess you can always create an ACL rule for all the customers that you might need to open up the Syslog traffic for. When you don't need to have those ports open on the ASA then you can turn them "inactive" either through the ASDM or CLI and leave the actual rules in the configuration.

Naturally, if you are sending Syslog through the Internet you might want to consider perhaps even building an L2L VPN connection between your site and the customer site and tunneling their Syslog traffic through that L2L VPN connection. I have, for example, a couple of times configured L2L VPN between an ASA and one of our VPN gateways so that the remote customer ASA can send its own Syslogs through the L2L VPN connection.

Then I guess you might want to consider configuring the Syslog to use TCP instead of UDP on the ASA. In this case I would recommend using the "logging permit-hostdown" command, since if you don't have it configured on an ASA and enable TCP Syslogging which for some reason isn't able to contact the Syslog server, then ALL traffic through the ASA will be blocked. And you probably won't want that.

I am not sure if there is any convenient way to manage the rules other than maybe handling setting them "active" or "inactive" through the ASDM. I would imagine in this case the managing of those rules would be faster and more convenient through ASDM, even though I personally do all ACL configurations through the CLI.

Hope this helps

- Jouni
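As an added illustration of the two ASA techniques in the accepted answer (a per-customer ACE left in the config but disabled with `inactive`, and TCP syslog guarded by `logging permit-hostdown`), here is a constructed config fragment; it is not from the thread or from Cisco, and the interface names, ACL name, ports and all IP addresses are assumed placeholders (the ACE destination is the server address as the ACL sees it, i.e. the real address on ASA 8.3+).

```cisco
! Constructed example; addresses are placeholders, not real hosts:
!   203.0.113.10  customer device that sends syslog (assumed)
!   198.51.100.5  syslog server address as seen by the ACL (assumed)
!   10.10.10.5    internal collector the ASA itself logs to (assumed)
!
! One ACE per customer, scoped to source host, destination host and port.
! "inactive" keeps the line in the config but the ASA ignores it;
! re-enter the same line without the keyword when the customer needs it,
! and append "inactive" again afterwards.
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 198.51.100.5 eq 514 inactive
! Same customer over TCP syslog (port assumed), also disabled until needed
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 host 198.51.100.5 eq 1470 inactive
access-group OUTSIDE_IN in interface outside
!
! The ASA's own logging over TCP. Without "logging permit-hostdown",
! a TCP collector that stops accepting connections makes the ASA
! block new transit traffic; with it, the ASA keeps forwarding and
! only the logging is lost until the collector returns.
logging enable
logging timestamp
logging trap informational
logging host inside 10.10.10.5 tcp/1470
logging permit-hostdown
```

Check the ACE state with `show access-list OUTSIDE_IN` (inactive entries are shown as such) and the collector state with `show logging` after a change.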


3 Replies

As always, thanks for the insightful help!

Hi,

Glad if it was of some help.

Please do take the time to either mark the reply as the correct answer IF it answered your question, or rate helpful answers.

- Jouni
