Vibhor Amrodia
Cisco Employee
    Introduction

    This document describes the TCP Syslog configuration on the ASA device.

    Detailed information

    As per RFC 6587, the ASA uses a TCP connection to send syslog messages to the syslog server. Like most other protocols, the syslog transport sender is the TCP host that initiates the TCP session. After initiation, messages are sent from the transport sender to the transport receiver. No application-level data is transmitted from the transport receiver to the transport sender.

    The roles of transport sender and receiver appear to be fixed once the session is established. It has been observed that, if an error occurs that cannot be corrected by TCP, the host detecting the error gracefully closes the TCP session. No application-level messages have been seen that notify the other host about the state of the host's syslog application.

    RFC

    http://tools.ietf.org/html/rfc6587#

    Configuration on ASA

    1) logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem] [permit-hostdown]

    The tcp[/port] or udp[/port] argument specifies that the ASA should use TCP or UDP to send syslog messages to the syslog server.

    The permit-hostdown keyword allows TCP logging to continue when the syslog server is down. You can configure the ASA to send syslog messages to a syslog server using either UDP or TCP, but not both. The default TCP port is 1470.

    2) logging trap {severity_level | message_list}

    Specifies which syslog messages should be sent to the syslog server. You can specify the severity level number (0 through 7) or name.

    3) logging facility number (Optional)

    Sets the logging facility to a value other than the default of 20, which is what most UNIX systems expect.

    4) logging queue queue_size (Optional)

    The number of syslog messages permitted in the queue used for storing syslog messages before processing them. Valid values are from 0 to 8192 messages, depending on the platform type. If the logging queue is set to zero, the queue will be the maximum configurable size for the platform (up to 8192 messages).

    On the ASA-5505, the maximum queue size is 1024.

    On the ASA-5510, it is 2048, and on all other platforms, it is 8192.

    Syslog messages are queued up on the ASA until the configured queue size is reached. According to the following excerpt from Section 4 of the above RFC: "TCP decides when enough data has been received from the application to form a segment for transmission. This may be adjusted through timers and certain other features".

    To summarize, the connections from the ASA to the syslog server are short-lived: the ASA creates a TCP connection to the syslog server only when it has enough data to send, and once that data is sent it closes the connection. Messages generated while the connection is closing are missed, which is why a syslog message loss of approximately 1 minute is observed.

    5) logging permit-hostdown

    To make the status of a TCP-based syslog server irrelevant to new user sessions, use the logging permit-hostdown command in global configuration mode.

    By default, if you have enabled logging to a syslog server that uses a TCP connection, the ASA does not allow new network access sessions when the syslog server is unavailable for any reason.
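    The transport behaviour described above (RFC 6587 framing over a TCP byte stream, and messages cut off when the ASA closes the connection) can be seen with the following receiver-side decoder. This is an added example, not code from the document or from Cisco: it implements both RFC 6587 framings and reports how many bytes of an unfinished message are left when the stream ends; the sample segments and their ASA-style message text are constructed for illustration.

```python
import re
from typing import List, Tuple

# RFC 6587 allows two framings for syslog over TCP:
#   octet counting:  "<MSG-LEN> <SYSLOG-MSG>"
#   non-transparent: "<SYSLOG-MSG>\n"  (LF trailer, the common case)
# TCP delivers a byte stream, so a segment may end in the middle of a
# message; the decoder keeps the unconsumed tail until the next read.
class Rfc6587Decoder:
    """Incremental decoder for an RFC 6587 TCP syslog byte stream."""

    OCTET_HDR = re.compile(rb"^(\d{1,5}) ")  # MSG-LEN SP

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes) -> List[bytes]:
        """Append one TCP segment; return every message completed so far."""
        self.buf += data
        out: List[bytes] = []
        while self.buf:
            m = self.OCTET_HDR.match(self.buf)
            if m:  # octet counting: header states the exact length
                start, end = m.end(), m.end() + int(m.group(1))
                if len(self.buf) < end:
                    break  # rest of the message is in a later segment
                out.append(self.buf[start:end])
                self.buf = self.buf[end:]
            else:  # non-transparent: syslog messages start with "<PRI>"
                nl = self.buf.find(b"\n")
                if nl < 0:
                    break  # no trailer yet; hold the partial message
                msg = self.buf[:nl].rstrip(b"\r")
                self.buf = self.buf[nl + 1:]
                if msg:
                    out.append(msg)
        return out

    def pending(self) -> int:
        """Bytes of an unfinished message (lost if the peer closes now)."""
        return len(self.buf)

def demo_segments() -> Tuple[List[bytes], int]:
    """Constructed sample: two segments split mid-message, then a cut-off tail."""
    d = Rfc6587Decoder()
    seg1 = b"<166>%ASA-6-302013: Built outbound TCP connection 42\n<166>%ASA-6-30"
    seg2 = b"2014: Teardown TCP connection 42\n<166>%ASA-6-106015: Deny TCP"
    msgs = d.feed(seg1) + d.feed(seg2)
    return msgs, d.pending()  # the 28-byte tail never gets its trailer
```

    A receiver that counts the pending bytes at connection close gives a direct measure of the message loss the document describes.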

     

    Hope this Helps!!

    Comments
    Tanveer Dewan
    Level 1

    When you say 'the ASA does not allow new network access sessions' functionality in the ASA, what sessions are you talking about? Or am I missing something?

    Taisuke Nakamura
    Cisco Employee

    Hello Tanveer,

    The ASA blocks new connections until the TCP syslog server becomes available again. For example, VPN, firewall, and cut-through-proxy connections.

    Tanveer Dewan
    Level 1

    Thanks!

    Erjol Bane
    Level 1

    hi,

    and if I use UDP connection, does it still block new connections?

    thanks.

    Rick Rowe
    Level 1

    The UDP 514 for syslog is connectionless, so it won't know if the dest is there or not.

    fyi..
