Best Log Setting for ASA & MARS

Jun 28th, 2008

Hi,


I'm going back and trying to clean up our MARS install a little bit now that I have some time. I need to update MARS to the latest version, but right now I'm just trying to wade through some of the undefined logs coming from our ASA. Is there any guideline as to what the best log settings are for logs coming from the ASA to MARS? Right now it looks like everything is set up to be forwarded. Does anyone have any suggestions for what they have their log settings at to capture the best amount of information, but not have to wade through everything else?


Thanks

Farrukh Haroon Sun, 06/29/2008 - 00:56

Which syslogs are these specifically? We don't get any undefined events from our FWSM(s)? We get plenty from the Netscreen (but AFAIR it is documented on CCO that the support is not 'complete' as of yet).


The recommended level for ASA/PIX as per the Cisco Guide and 'many' discussions on the Cisco MARS User Group is 'debugging'. Under normal operation not a lot of level 7 messages are generated.


Regards


Farrukh

rajett (Cisco Employee) Thu, 07/03/2008 - 20:52

If it's a busy firewall then you might need to adjust the logging to informational.


Also, there's an ASA and MARS tuning doc available through your account team which outlines some of the duplicate messages which can be turned off at the firewall to lessen the load on both the firewall and the MARS appliance.


