Cisco ASA logging to remote syslog question
I have a Cisco ASA and I have set up a Graylog logging server, and I am seeing no logs coming in on the remote syslog, so this is what I did.
Current config:
asa-fw1-010101-2-7/pri/act(config)# show run logging
logging enable
logging timestamp
logging buffer-size 16384
logging monitor debugging
logging buffered debugging
logging asdm errors
logging device-id hostname
logging host inside 10.30.0.91
If I run this command to see how many logs are generated by the ASA:
asa-fw1-010101-2-7/pri/act(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level debugging, 467629 messages logged
Buffer logging: level debugging, 3108298794 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: hostname "asa-fw1-010101-2-7"
Mail logging: disabled
ASDM logging: level errors, 298891 messages logged
If you notice the following two lines from the above output, this number is growing fast; it looks like thousands of logs are getting logged.
Monitor logging: level debugging, 467629 messages logged
Buffer logging: level debugging, 3108298794 messages logged
Is it safe for the ASA to generate that many logs? It looks like every single packet is getting logged in the buffer.
I have set logging buffered debugging because before it was informational.
If I set logging trap debugging, it floods syslog messages and I am seeing 192k/s logs coming in on my Graylog server.
What is the best practice on the ASA for logging? My conn count is the following:
20776 in use, 248156 most used
cisco cisco-asa firewall network syslog
edited 2 hours ago
asked 2 hours ago
Satish
3 Answers
The "debugging" level is way too detailed for most uses. As you can see, it generates a lot of messages; most are not helpful. Also, it puts a heavy load on the ASA.
You can try
logging trap info
or
logging trap warning
to see which one gives you the information you need.
answered 2 hours ago
Ron Trunk
I have tried logging trap info & logging trap warning and they are also flooding lots
– Satish
2 hours ago
You can log at a higher level, but you may not get the information you need. Your ASA is busy, and it generates lots of log messages. You either have to live with incomplete information or get more storage for your logs.
– Ron Trunk
2 hours ago
How about logging buffered debugging? Should I move it to informational?
– Satish
28 mins ago
Trap logging: disabled
That's the first problem. "trap" is the mechanism that sends to syslog hosts. logging trap informational will start messages flowing, but on an active firewall, there will be a lot of messages. You can cut down the spew by increasing the logging level (info, warn, error, crit, etc.), or better, turn off the messages you don't want to see:
no logging message 715036 (disables: %PIX-7-715036 messages)
- or -
logging message 715036 level 5 (moves id 715036 to 5 (notif))
(yes, at 7 (debug), it wouldn't be logged at 6 (info) anyway, but you get the idea.)
answered 26 mins ago
Ricky Beam
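Added example, not part of either answer above: before changing the trap level (first answer) or suppressing and re-levelling individual IDs (this answer), tally the %ASA-severity-id tags in a short capture to see what each setting would actually forward. The sample lines, function names and the 25% share threshold are assumptions constructed for illustration; the overrides argument models the two commands quoted above.

```python
import re
from collections import Counter

# ASA severity keywords as accepted by "logging trap <level>".
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Message tag, e.g. %ASA-6-302013: or the older %PIX-7-715036:
TAG = re.compile(r"%(?:ASA|PIX)-([0-7])-(\d{6}):")

# Constructed sample capture (not from the post). PRI = facility*8 + severity,
# so with "Facility: 20" an informational message arrives as <166>.
SAMPLE = """\
<166>Jan 10 2019 12:00:01 asa-fw1-010101-2-7 : %ASA-6-302013: Built outbound TCP connection 1001 (constructed)
<166>Jan 10 2019 12:00:06 asa-fw1-010101-2-7 : %ASA-6-302014: Teardown TCP connection 1001 (constructed)
<166>Jan 10 2019 12:00:06 asa-fw1-010101-2-7 : %ASA-6-302013: Built outbound TCP connection 1002 (constructed)
<166>Jan 10 2019 12:00:09 asa-fw1-010101-2-7 : %ASA-6-302014: Teardown TCP connection 1002 (constructed)
<166>Jan 10 2019 12:00:09 asa-fw1-010101-2-7 : %ASA-6-302013: Built outbound TCP connection 1003 (constructed)
<164>Jan 10 2019 12:00:10 asa-fw1-010101-2-7 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst inside:10.30.0.50/22 (constructed)
<167>Jan 10 2019 12:00:11 asa-fw1-010101-2-7 : %ASA-7-715036: constructed debug text
<167>Jan 10 2019 12:00:12 asa-fw1-010101-2-7 : %ASA-7-715036: constructed debug text
<165>Jan 10 2019 12:00:13 asa-fw1-010101-2-7 : %ASA-5-111008: User 'enable_15' executed the 'logging trap informational' command.
this line has no ASA tag and is skipped
""".splitlines()


def parse(line):
    """Return (severity, message_id) for a tagged line, else None."""
    m = TAG.search(line)
    return (int(m.group(1)), m.group(2)) if m else None


def forwarded(lines, trap_level, overrides=None):
    """Count, per message ID, what a given trap level would send to the loghost.

    overrides maps an ID to a new level (like "logging message <id> level <n>")
    or to None (like "no logging message <id>").
    """
    overrides = overrides or {}
    limit = LEVELS[trap_level]
    sent = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        severity, msg_id = parsed
        if msg_id in overrides:
            if overrides[msg_id] is None:
                continue                    # message disabled entirely
            severity = overrides[msg_id]    # message moved to another level
        if severity <= limit:               # lower number = more severe
            sent[msg_id] += 1
    return sent


def top_talkers(lines, trap_level, min_share=0.25):
    """IDs that make up at least min_share of the forwarded volume.
    These are candidates to review, not an automatic suppression list."""
    sent = forwarded(lines, trap_level)
    total = sum(sent.values())
    return [(i, n) for i, n in sent.most_common() if total and n / total >= min_share]


if __name__ == "__main__":
    for level in ("debugging", "informational", "warnings"):
        print(level, sum(forwarded(SAMPLE, level).values()), "messages forwarded")
    for msg_id, count in top_talkers(SAMPLE, "informational"):
        print("review before suppressing:", msg_id, count)
```

Connection build and teardown messages usually dominate at informational; whether to suppress them depends on whether the loghost is your only record of connection history.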
My suggestion would be to try to partition the problem between:
- ASA not sending
- Packets not getting there
- Graylog not listening
My usual method is to aim the device's syslog at some laptop, without running any kind of logging software, just tcpdump on the appropriate ports. That will tell you if the device is sending. Then send some syslog manually to the target loghost, see if they arrive. That should partition the problem and you'll know where the problem lies.
answered 2 hours ago
jonathanjo
Graylog is working fine; I have many hosts sending logs, so it's functional. Also, if I run this command on the ASA, I am seeing 100,000/s logs per second on Graylog coming from the ASA: logging trap debugging. Maybe my question title is wrong; let me change it. I want to understand whether it is safe to send 100k logs to syslog. If you see my show logging output, you will notice it's generating lots of logs, so is it OK for the ASA to generate that many logs for every single packet or connection?
– Satish
2 hours ago
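Added example, not from the answer above: a small UDP probe and bare listener that carry out the partitioning steps jonathanjo describes when tcpdump is not at hand. It assumes syslog over UDP; the function names, the probe text and the loopback demo are constructed for illustration, and the PRI value uses the "Facility: 20" shown in the question.

```python
import socket
import time

FACILITY = 20   # "Facility: 20" from the show logging output in the question


def build_probe(severity=6, tag="syslog-probe", text="constructed test message"):
    """BSD-syslog style datagram; PRI = facility*8 + severity (20*8+6 = 166)."""
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<{FACILITY * 8 + severity}>{stamp} probe-host {tag}: {text}".encode()


def open_listener(host="127.0.0.1", port=0):
    """Stand-in for the laptop: a bare UDP socket with no logging software.
    Port 0 picks any free port; to receive from a real device, bind the
    laptop's own address and port 514 (needs privileges on most systems)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def wait_for(sock, timeout=2.0):
    """Return (sender_ip, text) for the next datagram, or None on timeout."""
    sock.settimeout(timeout)
    try:
        data, peer = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return peer[0], data.decode(errors="replace")


def probe(host, port, payload, wait=0.5):
    """Send one datagram to the loghost and classify what comes back.

    "refused":  an ICMP port-unreachable came back, so the host is reachable
                but nothing is listening on that port.
    "no-reply": no error was reported. UDP is unacknowledged, so this means
                either delivered or silently dropped on the path; confirm on
                the receiving side.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((host, port))     # connected socket so ICMP errors surface
        s.settimeout(wait)
        try:
            s.send(payload)
            s.recv(1)
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "no-reply"
    return "unexpected-reply"


if __name__ == "__main__":
    listener = open_listener()              # loopback demo only
    port = listener.getsockname()[1]
    print("listener up:", probe("127.0.0.1", port, build_probe()), wait_for(listener))
    listener.close()
    print("listener down:", probe("127.0.0.1", port, build_probe()))
```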