I have a Cisco ASA and I have set up a Graylog logging server, and I am seeing no logs coming in on the remote syslog, so this is what I did.
Current config:
asa-fw1-010101-2-7/pri/act(config)# show run logging
logging enable
logging timestamp
logging buffer-size 16384
logging monitor debugging
logging buffered debugging
logging asdm errors
logging device-id hostname
logging host inside 10.30.0.91
If I run this command to see how many logs are generated by the ASA:
asa-fw1-010101-2-7/pri/act(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level debugging, 467629 messages logged
Buffer logging: level debugging, 3108298794 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: hostname "asa-fw1-010101-2-7"
Mail logging: disabled
ASDM logging: level errors, 298891 messages logged
If you look at the following two lines from the above output, these numbers are growing fast; it looks like thousands of logs are getting logged.
Monitor logging: level debugging, 467629 messages logged
Buffer logging: level debugging, 3108298794 messages logged
Is it safe for the ASA to be generating that many logs? It looks like every single packet is getting logged in the buffer.
I have set "logging buffered debugging" because before it was informational.
If I set "logging trap debugging", it is flooding syslog messages and I am seeing 192k/s logs coming in on my Graylog server…
What is the best practice on the ASA for logging? My conn count is the following:
20776 in use, 248156 most used
Best Answer
The "debugging" level is way too detailed for most uses. As you can see, it generates a lot of messages; most are not helpful. Also, it puts a heavy load on the ASA. You can try
or
to see which one gives you the information you need.
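One way to compare levels from measured data, as an added example that is not part of the original thread: a Python script that reads ASA syslog lines, tallies them by the severity digit in the %ASA-<severity>-<id> tag, and reports how many messages would be sent at each threshold. The sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# ASA messages carry the tag %ASA-<severity>-<message id>: severity 0..7.
ASA_TAG = re.compile(r"%ASA-([0-7])-(\d{6}):")
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Constructed sample lines (not from the poster's firewall). PRI 160+severity
# corresponds to facility 20 (local4), as in the "show logging" output above.
SAMPLE = """\
<167>asa-fw1 %ASA-7-609001: Built local-host inside:10.30.0.15
<167>asa-fw1 %ASA-7-609002: Teardown local-host inside:10.30.0.15 duration 0:00:02
<167>asa-fw1 %ASA-7-710005: UDP request discarded from 10.30.0.20/137 to inside:10.30.0.255/137
<166>asa-fw1 %ASA-6-302013: Built outbound TCP connection 101 for outside:198.51.100.7/443
<166>asa-fw1 %ASA-6-302014: Teardown TCP connection 101 for outside:198.51.100.7/443
<164>asa-fw1 %ASA-4-106023: Deny tcp src outside:192.0.2.44/40111 dst inside:10.30.0.91/22
<163>asa-fw1 %ASA-3-710003: TCP access denied by ACL from 192.0.2.44/40112 to outside:203.0.113.5/22
garbage line without an ASA tag
"""


def severity_counts(lines):
    """Return (Counter by severity, Counter by message ID) for ASA lines."""
    by_sev, by_id = Counter(), Counter()
    for line in lines:
        m = ASA_TAG.search(line)
        if m is None:
            continue  # not an ASA message, or truncated in transit
        by_sev[int(m.group(1))] += 1
        by_id[m.group(2)] += 1
    return by_sev, by_id


def volume_at_level(by_sev):
    """Messages sent if each level were the threshold (level N sends 0..N)."""
    total, running, out = sum(by_sev.values()), 0, {}
    for sev, name in enumerate(LEVELS):
        running += by_sev.get(sev, 0)
        out[name] = (running, running / total if total else 0.0)
    return out


if __name__ == "__main__":
    by_sev, by_id = severity_counts(SAMPLE.splitlines())
    for name, (count, share) in volume_at_level(by_sev).items():
        print(f"{name:14} {count:3d} messages ({share:.0%} of debugging volume)")
    print("noisiest message IDs:", by_id.most_common(3))
```

Fed a short capture taken at the debugging level, the per-level totals show how much volume each lower threshold removes, and the message-ID tally shows which individual messages account for most of it.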