Cisco ASA logging to remote syslog question

ciscocisco-asafirewallNetworksyslog

I have Cisco ASA and i have setup graylog logging server and i am seeing no logs coming on remote syslog so this is what i did..

Current config:

asa-fw1-010101-2-7/pri/act(config)# show run logging
logging enable
logging timestamp
logging buffer-size 16384
logging monitor debugging
logging buffered debugging
logging asdm errors
logging device-id hostname
logging host inside 10.30.0.91

If i run this command to see how many logs generated by ASA

asa-fw1-010101-2-7/pri/act(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Hide Username logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: level debugging, 467629 messages logged
    Buffer logging: level debugging, 3108298794 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: hostname "asa-fw1-010101-2-7"
    Mail logging: disabled
    ASDM logging: level errors, 298891 messages logged

If you noticed in following two line from above output, this number growing faster, look like thousands of logs getting logs..

Monitor logging: level debugging, 467629 messages logged
Buffer logging: level debugging, 3108298794 messages logged

Is it safe to that ASA generating that many logs.. look like every single packet getting log in buffer..

I have set logging buffered debugging because before it was informational

If i set logging trap debugging in its flooding syslog mesg and i am seeing 192k/s logs coming on my graylog server…

What is the best practice on ASA for logging? my conn count is following..

20776 in use, 248156 most used

Best Answer

The "debugging" level is way too detailed for most uses. As you can see, it generates a lot of messages; most are not helpful. Also, it puts a heavy load on the ASA. You can try

logging trap info

logging trap warning

to see which one gives you the information you need.

General Logging

To log IPSec events, you will want to run the following commands:

logging enable
logging emblem ! (optional for Cisco's emblem format)
logging timestamp
logging buffered notifications

Some of these commands will already be on your ASA as you're sending your buffered log to an FTP server. I won't include the FTP commands due to this. Then you will want to look for the specific codes you're interested in, in the log on the FTP server.

Example IPSec L2L disconnect message:

%ASA-4-113019: Group = 202.XXX.YYY.ZZZ, Username = 202.XXX.YYY.ZZZ, IP = 202.XXX.YYY.ZZZ, Session disconnected. Session Type: LAN-to-LAN, Duration: 1d 1h:13m:46s, Bytes xmt: 372142455, Bytes rcv: 384146009, Reason: Lost Service

Emailed Notifications

First create your list of events you want to catch.

Catch All IPSec List

logging list IPSec_Notifications level notification class vpn

Specific Event List

logging list IPSec_Notifications message 113019
! Replace XXXXXX with next code
logging list IPSec_Notifications message XXXXXX
! Repeat for the rest of the codes you're interested in

Now setup the email settings.

logging mail IPSec_Notifications
logging from-address your-from-address@your-domain.com
logging recipient-address who-should-receive-emails@your-domain.com level notifications
smtp-server X.X.X.X ! Replace with your SMTP server IP

Notes

All of the logging above is limited to notifications and higher level (i.e. level 5, 4, 3, 2 and 1). If you find a code of a lower level, you will need to replace level notifications with level informational or level debugging.

The example event above (ASA-4-113019) is level warnings which you can see from the ASA-4 prefix on the event.

Cisco ASA 5505 stop passing traffic randomly

The issue has been resolved! I have tried to analyze non-working hosts ARP tables and found ASA's MAC address change. Decreased ASA's log verbosity to Warning level, rebooted it and got a message during boot

IP address collision detected between host 192.168.0.1 at f80f.4197.a18d and interface inside

So found host with the MAC noted. Despite it has different IP address and it is separate point to investigate, host's disconnection immediately resolves the issue.

Best Answer

Related Solutions

ASA Logging – Logging IPSec on Cisco ASA

General Logging

Emailed Notifications

Notes

Cisco ASA 5505 stop passing traffic randomly

Related Topic