03-31-2013 05:27 AM - edited 03-11-2019 06:21 PM
Hi
I have a quite small but oh so irritating problem.
I can not use the Syslog In the ASA, or rather it is not possible to use it due to constraint in its design.
What do I want to do that is so out of the ordinary ?
I would like to have 2 syslog places to send to, One for only the logging regarding Link down, Failover, ACL drops, and all the day to day operational data.
The other part is that I ALSO at the same time would like to be able to log all traffic passing the ASA device.
Well says the ASA Operator, thats no problem just set up two Syslog servers and log to both.
Well yes and no and this is where it gets tricky.
The information that I collect from the ASA if I set it up for the second scenario ie "log all traffic passing" will be way to sensitive (accounts and personal information and all that) to be allowed to the Network monitoring system for all and everyone who is running that system to see.
However if I set up the syslog to function in scenario 1 ie to log to the network monitor station then that would not provide nearly enough information to be of any use incase there is a breach and we need to trace what have happened.
So The needs of the second outweigths the first and thus I am stuck with only logging everything.
To add to this conundrum the sysloginformation is going down a "black hole vault" that will not let any traffic back so filtering the syslog in the syslog server and sending the filtered traffic to the network monitoring syslog is also out of the question. (This is due to tampering preventions).
So Dear Cisco Colleagues, this can not be the first time this have come up, can any of you help me with a good fix or maybe a feature request that it will be possible to use two different syslog servers with different values in the ASA ?
Banks, Government, Research and so on must request this often enough one would think ?
Any ideas anyone ?
If you have read this far thank you for your time and effort.
03-31-2013 10:38 AM
Helo,
You could create a logging class to send just specific messages to the first server and then log everything to the other server, of course you will need to secure the second server as much as possible so only certain users would be able to access it.
To add to this conundrum the sysloginformation is going down a "black hole vault" that will not let any traffic back so filtering the syslog in the syslog server and sending the filtered traffic to the network monitoring syslog is also out of the question. (This is due to tampering preventions).
Not sure what you mean here )but why do you mean it will not let any traffic back, the only scenario where logging to a server and the server going down wil cause all traffic across the ASA to fail would be if you are sending the Syslog information over a TCP connection, by default Syslog it will use UDP 514 if I am not mistaking so you should not worry for that.
Hope that I could help
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide