ASA5520 stops sending to splunk syslog

Tags: cisco-asa, splunk, syslog

I have an ASA5520 that is set up to send logs to a Splunk syslog server. The setup works for a while, usually around 24 hours or so, but then stops until either the logging is reconfigured (twiddling the ports) or the ASA is restarted.

What should I be looking at to resolve this issue? I'm not sure if it's the Splunk syslog daemon ignoring connections or the ASA that gets messed up and stops sending.

I'd like to enable the "don't pass traffic without logging working" option, but without a stable connection to syslog, that's a non-starter.

Tried so far: TCP and UDP, different ports, changing the logging level.

Best Answer

Put a packet sniffer on the Splunk host, set up a capture filter to capture only packets that originate from the ASA, and start a capture. When Splunk stops "seeing" data from the ASA, look at the capture and see if traffic is still coming in from the ASA. If it is, then the problem is with Splunk; if it's not, then the problem is with the ASA or the network between the two.
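An added triage helper for the comparison the answer describes (example code, not from the post or from Cisco/Splunk): it parses the text output of a capture filtered to the ASA's source address and reports whether packets were still arriving after Splunk stopped indexing. The tcpdump line format is the `-tttt -n` style; the addresses, ports and timestamps in the sample are constructed placeholders.

```python
"""Decide, from a capture taken on the Splunk host, whether the ASA kept
sending after Splunk stopped seeing its syslog data."""
from datetime import datetime, timedelta

# Constructed sample of `tcpdump -tttt -n host <ASA_IP> and udp port 514`
# output. 10.0.0.1 (ASA) and 10.0.0.2 (Splunk) are placeholders, not
# values from the post.
SAMPLE_CAPTURE = """\
2024-03-01 09:00:00.000100 IP 10.0.0.1.1025 > 10.0.0.2.514: UDP, length 120
2024-03-01 09:00:01.000200 IP 10.0.0.1.1025 > 10.0.0.2.514: UDP, length 118
2024-03-01 09:00:02.000300 IP 10.0.0.1.1025 > 10.0.0.2.514: UDP, length 121
2024-03-01 09:00:03.000400 IP 10.0.0.1.1025 > 10.0.0.2.514: UDP, length 119
"""


def parse_timestamps(capture_text):
    """Return the capture timestamp of every packet line, in order.
    Lines that do not start with a `-tttt` date/time are skipped."""
    stamps = []
    for line in capture_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        try:
            stamps.append(datetime.strptime(parts[0] + " " + parts[1],
                                            "%Y-%m-%d %H:%M:%S.%f"))
        except ValueError:
            continue  # not a packet header line
    return stamps


def diagnose(capture_text, splunk_stopped_at, capture_end,
             quiet_after=timedelta(seconds=60)):
    """Compare the ASA's packets against the moment Splunk stopped indexing.

    'splunk'         - ASA packets still arrive after Splunk went quiet,
                       so the receiving side is at fault.
    'asa_or_network' - nothing from the ASA for `quiet_after` past that
                       moment, so look at the ASA or the path between.
    'insufficient'   - the capture was stopped too soon to decide.
    """
    stamps = parse_timestamps(capture_text)
    if any(t >= splunk_stopped_at for t in stamps):
        return "splunk"
    if capture_end - splunk_stopped_at < quiet_after:
        return "insufficient"
    return "asa_or_network"
```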