Cisco ASA 5525-x - Difference in syslog message format

rraj1788
Level 1

Hi Folks,

An ASA 5525-x is logging to a syslog server where the log format seems to differ from the ideal ASA log format as follows -

%ASA Level Message_number: Message_text

We observe a slight difference in the format, where an additional piece of info (highlighted in the log sample) is added to the payload shown below. Kindly help me with the changes that I need to make in the existing syslog configuration to make the ASA log like (Oct 12 18:56:52 UTC: %ASA-6-302016: Teardown UDP...)

Oct 12 18:56:52 UTC: %ASA-session-6-302016: Teardown UDP connection 17642454 for outside:192.168.20.21/588(LOCAL\wil) to inside:172.16.11.2/53 duration 0:00:00 bytes 116 (wil)\0x0a

Thank you in advance.

Regards.


balaji.bandi
Hall of Fame

I do not believe you can change that, unless you are looking to rewrite the logs on the syslog server (which I do not recommend).

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

But as per all Cisco's documentation the same event log is explained as below -

302016

Error Message %ASA-6-302016: Teardown UDP connection number for interface:real-address/real-port [(idfw_user)] to interface:real-address/real-port [(idfw_user)] duration hh:mm:ss bytes bytes [(user)]


Yes, but the log ID is the same; the format changed.

BB


https://www.ciscopress.com/articles/article.asp?p=424447&seqNum=2

There is the EMBLEM log format; please check the link above for more detail.

 

Hi @MHM Cisco World ,

The article was really helpful, but since I don't have direct access to the ASA and I have to recommend the procedure to someone sitting onsite, I have to be very specific with the procedure to make it log in the ideal format.

So, if I turn off the EMBLEM format in the syslog server's settings, will the additional keyword (message class as per the article) vanish from the payload?

I might sound demanding but please don't mind it.

Regards.

Give your remote onsite person this configuration and test it.

 

logging enable
logging timestamp
logging buffer-size 12428800
logging monitor emergencies
logging buffered debugging
logging trap debugging
logging history notifications
logging asdm informational
logging facility 23
logging host inside x.x.x.x
logging debug-trace
logging permit-hostdown

 

I have tested them on Kiwi Syslog Server and they show up like this:

 

2022-10-15 18:10:07	Local7.Warning	x.x.x.x	Oct 15 18:10:31 GMT/BDT: %ASA-4-106023: Deny udp src wwwww:a.a.a.a/161 dst SOMEWHERE:B.B.B.B/53962 by access-group "SOMEWHERE_access_out" [0x938c6192, 0x0]

 

 

Please do not forget to rate.
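On the receiving side, a collector or SIEM parser can accept both tag forms seen in this thread (%ASA-6-302016 and %ASA-session-6-302016) without rewriting the stored logs. The following is an added example, not code from any poster or from Cisco; the function name parse_asa and the field names are assumptions, and the two sample lines are the ones quoted in the thread.

```python
import re

# Matches the documented tag "%ASA-6-302016:" and the variant from this
# thread, "%ASA-session-6-302016:", where a class token precedes the severity.
ASA_TAG = re.compile(
    r"%ASA-(?:(?P<msg_class>[A-Za-z][A-Za-z0-9_]*)-)?"
    r"(?P<severity>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)"
)

# Sample lines copied from the posts above (device timestamp onward).
SAMPLES = [
    r"Oct 12 18:56:52 UTC: %ASA-session-6-302016: Teardown UDP connection "
    r"17642454 for outside:192.168.20.21/588(LOCAL\wil) to "
    r"inside:172.16.11.2/53 duration 0:00:00 bytes 116 (wil)\0x0a",
    r"Oct 15 18:10:31 GMT/BDT: %ASA-4-106023: Deny udp src wwwww:a.a.a.a/161 "
    r'dst SOMEWHERE:B.B.B.B/53962 by access-group "SOMEWHERE_access_out" '
    r"[0x938c6192, 0x0]",
]


def parse_asa(line):
    """Return the tag fields of an ASA syslog line, or None if it has no tag."""
    m = ASA_TAG.search(line)
    if m is None:
        return None
    # Drop the literal "\0x0a" text and whitespace left at the end of a payload.
    text = re.sub(r"(?:\\0x0a|\s)+$", "", m.group("text"))
    return {
        "msg_class": m.group("msg_class"),  # None for the documented format
        "severity": int(m.group("severity")),
        "msg_id": m.group("msg_id"),
        "text": text,
        # Tag rebuilt in the %ASA-Level-Message_number form, so rules keyed
        # on the documented format match either variant.
        "canonical_tag": "%ASA-{}-{}".format(m.group("severity"), m.group("msg_id")),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_asa(sample))
```

Keying detection rules on `msg_id` or `canonical_tag` rather than on the raw tag string keeps them working whichever form the device emits.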