10-13-2022 02:29 AM
Hi Folks,
An ASA 5525-x is logging to a syslog server where the log format seems to differ from the ideal ASA log format as follows -
%ASA Level Message_number: Message_text
We observe a slight difference in the format, where an additional piece of info (highlighted in the log sample) is added to the payload shown below. Kindly help me with the changes I am supposed to make in the existing syslog configuration so that the ASA logs like this: (Oct 12 18:56:52 UTC: %ASA-6-302016: Teardown UDP...)
Oct 12 18:56:52 UTC: %ASA-session-6-302016: Teardown UDP connection 17642454 for outside:192.168.20.21/588(LOCAL\wil) to inside:172.16.11.2/53 duration 0:00:00 bytes 116 (wil)\0x0a
Thank you in advance.
Regards.
10-13-2022 03:10 AM
https://www.ciscopress.com/articles/article.asp?p=424447&seqNum=2
There is an EMBLEM log format; please check the link above for more detail.
10-15-2022 01:09 PM - edited 10-15-2022 01:39 PM
Give your remote onsite person this configuration and test it:
logging enable
logging timestamp
logging buffer-size 12428800
logging monitor emergencies
logging buffered debugging
logging trap debugging
logging history notifications
logging asdm informational
logging facility 23
logging host inside x.x.x.x
logging debug-trace
logging permit-hostdown
I have tested it on a Kiwi Syslog Server and the messages show up like this:
2022-10-15 18:10:07 Local7.Warning x.x.x.x Oct 15 18:10:31 GMT/BDT: %ASA-4-106023: Deny udp src wwwww:a.a.a.a/161 dst SOMEWHERE:B.B.B.B/53962 by access-group "SOMEWHERE_access_out" [0x938c6192, 0x0]
10-13-2022 02:33 AM
I do not believe you can change that, unless you are looking to rewrite the logs on the syslog server (which I do not recommend).
10-13-2022 02:56 AM
10-13-2022 03:06 AM
Yes, the log ID is the same, but the format changed.
10-14-2022 03:07 AM
Hi @MHM Cisco World ,
The article was really helpful, but since I don't have direct access to the ASA and have to recommend the procedure to someone sitting onsite, I have to be very specific with the procedure to make it log in the ideal format.
So, if I turn off the EMBLEM format in the syslog server settings, will the additional keyword (the message class, as per the article) vanish from the payload?
I might sound demanding but please don't mind it.
Regards.
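The format difference raised in the question, as an added example that is not from this thread or from Cisco: a small Python parser that accepts both the standard %ASA-level-id: header and the variant with the message class inserted (%ASA-session-6-302016:), and rewrites the latter to the standard form so a downstream SIEM rule written for the standard header still matches. The two sample lines are the ones quoted in the thread, constructed here as strings.

```python
import re
from typing import Dict, Optional

# Header of a Cisco ASA syslog message in both forms seen in the thread:
#   %ASA-6-302016:          standard  (facility-level-msgid)
#   %ASA-session-6-302016:  with the message class inserted (facility-class-level-msgid)
ASA_HEADER = re.compile(
    r"%(?P<facility>ASA)"                 # device family
    r"(?:-(?P<msg_class>[a-z][a-z-]*))?"  # optional class keyword (e.g. "session")
    r"-(?P<level>[0-7])"                  # severity 0-7
    r"-(?P<msg_id>\d{6}):\s*"             # six-digit message number
    r"(?P<text>.*)$"
)

# ASA severity names by numeric level.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

def parse_asa(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return header fields for one line, or None if no ASA header is present."""
    m = ASA_HEADER.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prefix"] = line[:m.start()]          # relay/transport timestamp etc.
    fields["severity"] = SEVERITY[int(fields["level"])]
    # The posted sample ends in a literal "\0x0a" (the poster's rendering of the
    # trailing newline); drop it so the message text compares cleanly.
    fields["text"] = re.sub(r"\\0x0a$", "", fields["text"]).rstrip()
    return fields

def normalize_asa(line: str) -> str:
    """Rewrite the header to the standard %ASA-<level>-<id>: form, dropping any class."""
    f = parse_asa(line)
    if f is None:
        return line
    return f"{f['prefix']}%{f['facility']}-{f['level']}-{f['msg_id']}: {f['text']}"

# Constructed samples, taken from the two log lines quoted in this thread.
SAMPLE_WITH_CLASS = (
    r"Oct 12 18:56:52 UTC: %ASA-session-6-302016: Teardown UDP connection 17642454 "
    r"for outside:192.168.20.21/588(LOCAL\wil) to inside:172.16.11.2/53 "
    r"duration 0:00:00 bytes 116 (wil)\0x0a"
)
SAMPLE_STANDARD = (
    "2022-10-15 18:10:07 Local7.Warning x.x.x.x Oct 15 18:10:31 GMT/BDT: "
    "%ASA-4-106023: Deny udp src wwwww:a.a.a.a/161 dst SOMEWHERE:B.B.B.B/53962 "
    'by access-group "SOMEWHERE_access_out" [0x938c6192, 0x0]'
)

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_CLASS, SAMPLE_STANDARD):
        f = parse_asa(sample)
        print(f["msg_class"], f["severity"], f["msg_id"])
        print(normalize_asa(sample))
```

Running the normalizer on a relay (or in a syslog-ng/rsyslog template equivalent) is a workaround only; the thread's accepted answer is to configure the ASA itself so the class keyword is not emitted.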