Enabling syslogs in Cisco ASA

I was recently troubleshooting an issue for a client and found that the syslog messages generated by the ASA were not reaching the syslog server. I could see the syslog messages on the ASA using the “show logg” command, however these messages never reached the remote syslog server.

After some reading I found that there were two changes I could make to help this situation:

  1. Turn off log messages to the console port. If this is enabled, the ASA syslog subsystem slows down and buffers messages so that it does not overload the 9600 baud console serial port.
  2. If the log queue is full, the rest of the messages are tail-dropped.

First, check whether you are tail-dropping log messages:

asa-fw-01# show log queue
        Logging Queue length limit : 512 msg(s)
        483 msg(s) discarded due to queue overflow
        0 msg(s) discarded due to memory allocation failure
        Current 0 msg on queue, 512 msgs most on queue

You can see that 483 messages were discarded. The queue length can be increased as follows:

asa-fw-01(config)# logging queue ?
configure mode commands/options:
  <0-8192>  The length of log queue, 512 is default 0 means maximum permitted
            queue size. Max queue size on ASA-5505 is 1024, on ASA-5510 is 2048
            and 8192 on all other platforms


Next, you can turn off console logging using the “no logging console” command. However, this raised a question: what should be the minimal set of commands to provide comprehensive logging? After a bit of research I decided to add the following commands to all our ASAs.


!Enable logging
logging enable
!Add the system time to each generated message
logging timestamp
!Optional (allow the standby unit to send syslogs too)
logging standby
!Turn off sending syslog messages to the console port
no logging console
!Make the buffer as large as possible (this buffer stores the output displayed when you run the "show log" command)
logging buffer-size 65536
!Allow log messages to be sent to SSH/Telnet sessions. Setting it to debugging allows all messages to be sent to the SSH session; you could drop it to "informational" if you wanted
logging monitor debugging
!Allow messages up to the informational level to be stored in the ASA memory buffer; discard the debugging messages
logging buffered informational
!Allow "all" messages to be sent to the syslog server. This is good in case you want to capture the debug messages for later use
logging trap debugging
!Turn off sending syslog messages to SNMP servers. Why would you want to do this?
no logging history informational
!Allow messages up to the informational level to be sent to the ASDM GUI
logging asdm informational
!Increase the log queue. Set this as per your ASA hardware type
logging queue 2048
!Add the system hostname to each generated message
logging device-id hostname
!Tell the ASA about your syslog server
logging host inside 10.202.200.78
!Allow user authentication messages to be sent to syslog
logging class auth trap debugging
!Allow interactions with the config prompt to be syslogged
logging class config trap debugging
!Optional: log IKE and IPsec messages
logging class vpn trap debugging
!Optional: log WebVPN client messages
logging class webvpn trap debugging
!Optional: log SSL VPN client messages
logging class svc trap debugging
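As an added example (not part of the original post), a small Python audit that ties the two steps together: it parses the counters from "show logging queue" and checks a running-config against the minimal command set above, reporting tail drops, a queue still at its default, and console logging left on. The sample outputs are constructed, and platform_max is an assumed value you set from the "logging queue ?" help text for your hardware.

```python
import re
# Constructed sample of "show logging queue" output, modelled on the post's example
SHOW_LOG_QUEUE = """\
        Logging Queue length limit : 512 msg(s)
        483 msg(s) discarded due to queue overflow
        0 msg(s) discarded due to memory allocation failure
        Current 0 msg on queue, 512 msgs most on queue
"""
# Constructed sample of "show running-config logging" from an ASA still logging to console
RUNNING_CONFIG = """\
logging enable
logging console debugging
logging trap debugging
logging host inside 10.202.200.78
"""
# Lines the post treats as the minimum; regexes matched against stripped config lines
REQUIRED = {
    "logging enable": r"^logging enable$",
    "logging timestamp": r"^logging timestamp$",
    "logging trap <level>": r"^logging trap \S+$",
    "logging host <if> <ip>": r"^logging host \S+ \S+",
    "logging queue <n>": r"^logging queue \d+$",
}

def parse_log_queue(text):
    """Extract the counters shown by 'show logging queue' (0 if a line is absent)."""
    def grab(pattern):
        return int(m.group(1)) if (m := re.search(pattern, text)) else 0
    return {
        "limit": grab(r"length limit\s*:\s*(\d+)"),
        "overflow": grab(r"(\d+) msg\(s\) discarded due to queue overflow"),
        "memory": grab(r"(\d+) msg\(s\) discarded due to memory allocation failure"),
    }

def audit_logging(config, queue_text, platform_max=2048):
    """Return findings against the post's checklist; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    q = parse_log_queue(queue_text)
    findings = []
    if q["overflow"] or q["memory"]:
        findings.append(f"{q['overflow'] + q['memory']} msg(s) discarded: raise 'logging queue'")
    if q["limit"] < platform_max:
        findings.append(f"queue limit {q['limit']} below platform maximum {platform_max}")
    # any 'logging console <level>' line means the console path is still slowing the subsystem
    if any(l.startswith("logging console") for l in lines):
        findings.append("console logging enabled: add 'no logging console'")
    for name, pattern in REQUIRED.items():
        if not any(re.match(pattern, l) for l in lines):
            findings.append(f"missing '{name}'")
    return findings
```

Run audit_logging(RUNNING_CONFIG, SHOW_LOG_QUEUE) against the constructed samples and it flags the 483 discards, the default 512 queue, the console line and the missing timestamp and queue commands.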
