I was recently troubleshooting an issue for a client and found that none of the syslog messages generated by the ASA were reaching the syslog server. I could see the syslogs generated on the ASA using the “show logg” command; however, these messages never reached the remote syslog server.
After some reading I found that there were two changes I could make to help this situation:
- Turn off log messages to the console port. If this is enabled, the ASA syslog subsystem slows down and buffers messages so that it does not overload the 9600 baud console serial port.
- If the log queue is full, the remaining messages are tail-dropped.
Firstly, check whether you are tail-dropping log messages:
```
asa-fw-01# show log queue
Logging Queue length limit : 512 msg(s)
483 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 512 msgs most on queue
```
You can see that 483 messages were discarded. The queue length can be increased as follows:
```
asa-fw-01(config)# logging queue ?

configure mode commands/options:
  <0-8192>  The length of log queue, 512 is default
            0 means maximum permitted queue size.
            Max queue size on ASA-5505 is 1024, on ASA-5510 is 2048
            and 8192 on all other platforms
```
Next, you can turn off console logging using the “no logging console” command. However, this raised a question: what should be the minimal set of commands to provide comprehensive logging? After a bit of research I decided to add the following commands to all our ASAs.
```
! Enable logging
logging enable
! Add the system time to generated messages
logging timestamp
! Optional: allow the standby unit to send syslogs too
logging standby
! Turn off sending syslog messages to the console port
no logging console
! Make the buffer as large as possible (this buffer stores all the output
! that is displayed when you run the "show log" command)
logging buffer-size 65536
! Allow log messages to be sent to SSH/Telnet sessions. Setting it to debugging
! allows all messages to be sent to the session; drop it to "informational" if you prefer
logging monitor debugging
! Store messages up to the informational level in the ASA memory buffer;
! discard the debugging messages
logging buffered informational
! Send "all" messages to the syslog server. This is good in case you want
! to capture the debug messages for later use
logging trap debugging
! Turn off sending syslog messages to SNMP servers. Why would you want to do this?
no logging history informational
! Send messages up to the informational level to the ASDM GUI
logging asdm informational
! Increase the log queue. Set this as per your ASA hardware type
logging queue 2048
! Add the system hostname to generated messages
logging device-id hostname
! Tell the ASA about your syslog server
logging host inside 10.202.200.78
! Send user authentication messages to syslog
logging class auth trap debugging
! Syslog interactions with the config prompt
logging class config trap debugging
! Optional: log IKE and IPsec messages
logging class vpn trap debugging
! Optional: log WebVPN client messages
logging class webvpn trap debugging
! Optional: log SSL VPN client messages
logging class svc trap debugging
```
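As an added example (not part of the original post), here is a small Python audit that checks an ASA's `show running-config logging` output against the checklist above and reads the discard counter from `show logging queue`. The config text and queue output it uses are constructed samples, not captured from a real device.

```python
"""Audit ASA logging config against the checklist above (added example)."""
import re

# Constructed sample of 'show running-config logging' from an ASA that
# still logs to the console and runs with the default 512-entry queue.
SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging console debugging
logging buffered informational
logging trap debugging
logging host inside 10.202.200.78
"""

# Constructed sample of 'show logging queue' output showing tail drops.
SAMPLE_QUEUE = """\
Logging Queue length limit : 512 msg(s)
483 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 512 msgs most on queue
"""


def queue_discards(show_output: str) -> int:
    """Return how many messages were tail-dropped because the queue was full."""
    m = re.search(r"(\d+) msg\(s\) discarded due to queue overflow", show_output)
    return int(m.group(1)) if m else 0


def audit_logging(config: str, queue_output: str) -> list[str]:
    """Return a list of findings; an empty list means the checklist is met."""
    lines = {ln.strip() for ln in config.splitlines() if ln.strip()}
    findings = []
    if "logging enable" not in lines:
        findings.append("logging is not enabled")
    if "logging timestamp" not in lines:
        findings.append("messages are sent without timestamps")
    if any(ln.startswith("logging console") for ln in lines):
        findings.append("console logging is on; it throttles the syslog subsystem")
    if not any(ln.startswith("logging host ") for ln in lines):
        findings.append("no syslog server configured")
    if not any(ln.startswith("logging trap ") for ln in lines):
        findings.append("no 'logging trap' level set for the syslog server")
    if not any(ln.startswith("logging queue ") for ln in lines):
        findings.append("log queue is at its default of 512")
    dropped = queue_discards(queue_output)
    if dropped:
        findings.append(f"{dropped} messages tail-dropped; raise 'logging queue'")
    return findings
```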