03-06-2014 02:04 PM - edited 03-08-2019 06:54 PM
This document describes TCP syslog configuration on the ASA.
RFC 6587 describes the transmission of syslog messages over TCP, and this is the model the ASA follows: it opens a TCP connection to the syslog server and sends its syslog messages over that connection. As with most other protocols, the syslog transport sender is the TCP host that initiates the TCP session. After initiation, messages flow only from the transport sender to the transport receiver; no application-level data is sent from the transport receiver back to the transport sender.
The roles of transport sender and receiver appear to be fixed once the session is established. It has been observed that if an error occurs that cannot be corrected by TCP, the host detecting the error gracefully closes the TCP session. No application-level messages have been observed that notify the other host about the state of the host syslog application.
http://tools.ietf.org/html/rfc6587#
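The sender/receiver model above, together with the point made later in this document that TCP, not the application, decides where segment boundaries fall, can be seen in a small sender/receiver pair. This is an added example and not part of the original post or any Cisco code: the ASA-style syslog lines are constructed samples, the receiver listens on an ephemeral loopback port instead of the ASA default 1470, and LF-terminated non-transparent framing (RFC 6587 section 3.4.2) is assumed for the wire format. The receiver keeps any trailing partial frame so that a session torn down mid-message is reported rather than silently mis-parsed.

```python
import socket
import threading

# Constructed sample lines in ASA syslog style (not captured from a real device).
# PRI = facility * 8 + severity; facility 20 (local4) is the ASA default, so
# severity 6 gives <166> and severity 4 gives <164>.
SAMPLE_MESSAGES = [
    b"<166>%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 "
    b"(203.0.113.5/443) to inside:192.0.2.10/51234 (198.51.100.1/51234)",
    b"<164>%ASA-4-106023: Deny tcp src outside:203.0.113.9/50000 dst inside:192.0.2.10/22 "
    b"by access-group \"OUTSIDE_IN\"",
    b"<166>%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/443 to "
    b"inside:192.0.2.10/51234 duration 0:00:01 bytes 1234 TCP FINs",
]


def split_frames(buf):
    """Non-transparent framing (RFC 6587 section 3.4.2): each message ends with LF.

    Returns (complete_messages, leftover). The leftover is a partial frame that
    has to be kept until more data arrives or the sender closes the session;
    a receiver that treats each recv() as one message would corrupt or lose it.
    """
    parts = buf.split(b"\n")
    return parts[:-1], parts[-1]


def transport_receiver(listener, result):
    """Syslog server side: accepts one session, reads until the sender closes it,
    and never writes anything back (no application data flows receiver -> sender)."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while True:
            chunk = conn.recv(65536)
            if not chunk:                 # sender closed the session gracefully
                break
            result["reads"] += 1          # one recv() may carry several messages
            buf += chunk
            complete, buf = split_frames(buf)
            result["messages"].extend(complete)
        result["partial"] = buf           # bytes left without a trailing LF at close


def run_exchange(messages, truncate_last=False, host="127.0.0.1"):
    """Run the sender (ASA role) and receiver (server role) over loopback and
    return what the receiver decoded."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))              # ephemeral port instead of the ASA default 1470
    listener.listen(1)
    result = {"messages": [], "partial": b"", "reads": 0}
    worker = threading.Thread(target=transport_receiver, args=(listener, result))
    worker.start()

    # Transport sender: initiates the session, pushes all framed messages in one
    # write, and closes. TCP, not the application, decides how that is segmented.
    stream = b"".join(m + b"\n" for m in messages)
    if truncate_last:
        # Simulate the session being torn down mid-message: drop the final LF and
        # half of the last message body, then close as if the sender had given up.
        cut = len(stream) - len(messages[-1]) // 2 - 1
        stream = stream[:cut]
    with socket.create_connection((host, listener.getsockname()[1])) as sender:
        sender.sendall(stream)
    worker.join()
    listener.close()
    return result


if __name__ == "__main__":
    clean = run_exchange(SAMPLE_MESSAGES)
    print(f"{len(clean['messages'])} messages in {clean['reads']} read(s); partial={clean['partial']!r}")
    torn = run_exchange(SAMPLE_MESSAGES, truncate_last=True)
    print(f"{len(torn['messages'])} messages; incomplete tail at close: {torn['partial']!r}")
```

Over loopback the three messages usually arrive in a single read, which is exactly why the receiver has to split on the LF trailer rather than on recv() boundaries; the truncated run shows what the server is left holding when the sending side closes the session before a message is complete.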
1) logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem] [permit-hostdown]
The tcp[/port] or udp[/port] argument specifies whether the ASA uses TCP or UDP to send syslog messages to the syslog server, and optionally the port.
The permit-hostdown keyword allows TCP logging to continue when the syslog server is down. A given syslog server can be configured with either UDP or TCP, but not both. The default TCP port is 1470 (the default UDP port is 514).
2) logging trap {severity_level | message_list}
Specifies which syslog messages are sent to the syslog server. You can give the severity level as a number (0 through 7) or by name.
3) logging facility number (Optional)
Sets the logging facility to a value other than the default of 20 (local4), which is what most UNIX systems expect.
4) logging queue queue_size (Optional)
The number of syslog messages permitted in the queue used to hold syslog messages before they are processed. Valid values are 0 to 8192 messages, depending on the platform. Setting the queue to 0 selects the maximum configurable size for the platform (up to 8192 messages).
On the ASA-5505, the maximum queue size is 1024.
On the ASA-5510, it is 2048, and on all other platforms, it is 8192 .
Syslog messages are queued on the ASA up to the configured queue size before they are sent. As the RFC puts it: "TCP decides when enough data has been received from the application to form a segment for transmission. This may be adjusted through timers and certain other features."
To summarize: the connections from the ASA to the syslog server are short-lived, because the ASA creates a TCP connection to the syslog server only when it has enough data to send, and closes the connection once that data has been sent. Messages generated while the connection is closing are missed, which is why a syslog message loss of approximately one minute is seen.
5) logging permit-hostdown (Optional)
To make the status of a TCP-based syslog server irrelevant to new user sessions, use the logging permit-hostdown command in global configuration mode.
By default, when logging to a syslog server over TCP is enabled, the ASA does not allow new network access sessions while the syslog server is unavailable for any reason.
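Putting steps 1 to 5 together, here is a complete configuration fragment, shown once with the default fail-closed behavior and once with logging permit-hostdown. It is an added example, not from the original post; the interface name inside, the server address 192.0.2.50 and the queue size are assumed values, and the port is the ASA default for TCP.

```text
! Fail-closed (ASA default): new connections are refused while the
! TCP syslog server is unreachable.
logging enable
logging host inside 192.0.2.50 tcp/1470
logging trap informational
logging facility 20
logging queue 2048

! Fail-open: same, but user traffic keeps flowing while the server is
! down (messages generated in the meantime are not delivered).
logging enable
logging host inside 192.0.2.50 tcp/1470
logging trap informational
logging facility 20
logging queue 2048
logging permit-hostdown

! Check the result: show logging reports the configured hosts and trap
! level, show logging queue reports the queue size and drops.
show logging
show logging queue
```

Which variant to use is a deliberate choice, not a default to leave alone: without permit-hostdown an outage of the log server becomes a firewall outage, and with it an outage (or a deliberate disruption) of the log server leaves traffic flowing with no audit trail. Whichever is chosen, the syslog server's availability should be monitored independently of the ASA.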
Hope this helps!!
When you say 'the ASA does not allow new network access sessions' in the ASA, what sessions are you talking about? Or am I missing something?
Hello Tanveer,
The ASA blocks new connections until the TCP syslog server becomes available again. For example, VPN, firewall, and cut-through-proxy connections.
Thanks!
Hi,
And if I use a UDP connection, does it still block new connections?
Thanks.
UDP 514 for syslog is connectionless, so it won't know if the destination is there or not.
FYI.