Who is the product manager for ASA5540's ~~File TRUNCATION ~~ !!!

Unanswered Question
Dec 9th, 2008

I have an ASA5540 running

Cisco Adaptive Security Appliance Software Version 7.2(4)9

Device Manager Version 5.2(4)

The problem is simple. There is an option to have the logs created by the ASA FTP'd to a standalone server. You must specify the file size when you enable this option.

The ASA device will truncate an entry to make certain the file is exactly the size specified.

This is a fundamental problem. What happens if I have to use these records in a court of law and I have to say "well, it could have been truncated"?

PLEASE fix this. It is embarrassing to CISCO !!

I opened a case...and I was told it could be a year or more before it was looked at because a lot of people don't use FTP.

My local sales force and level one tech support are useless !!!

Please Product manager.... do the right thing by your customers.

We were forced to upgrade to these devices since Cisco no longer supported the old Altiga 3000x series, which did not have this problem.

Case # SR 610000357

network.monger Tue, 12/09/2008 - 09:31

The security team that uses these reports does not consider a UDP-based delivery system to be reliable enough.

In a similar vein... I tried using TCP-based syslog and the box is having problems re-establishing connectivity if it is lost.

(This is another issue.)

All in all... FTP was deemed the method of data retention.

And since it is an option... it should work.

As the product stands currently... if the file size reaches "x" it truncates whatever the first line in the file was to accommodate the file size restriction.

So if this were a user logging in... we have the potential to lose that record.
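As an added example (not part of this thread, and not Cisco's code), here is a small Python check a defender could run over each file the ASA delivers by FTP, to flag exports whose first or last record is not whole. It assumes the exported lines are timestamped ASA syslog records of the form `Mon DD YYYY HH:MM:SS: %ASA-<severity>-<id>: ...`; the record header pattern, the `check_export`/`check_file` function names, and the sample records are all constructed for the illustration and are not from the original post.

```python
import re

# Assumed record layout: ASA syslog with timestamps enabled, e.g.
# "Dec 09 2008 09:31:00: %ASA-6-302013: ...". Adjust the pattern if your
# export carries a different timestamp or device-id prefix.
RECORD_HEADER = re.compile(
    r"^[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}: %ASA-[0-7]-\d{6}: "
)

# Constructed sample export: two complete records.
SAMPLE_INTACT = (
    "Dec 09 2008 09:31:00: %ASA-6-302013: Built outbound TCP connection 12 "
    "for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.168.1.5/4321 "
    "(198.51.100.2/1024)\n"
    "Dec 09 2008 09:31:01: %ASA-6-605005: Login permitted from "
    "192.168.1.10/54321 to inside:192.168.1.1/ssh for user \"admin\"\n"
)

# Constructed sample export whose first record lost its head to a size cut,
# which is the failure mode the thread describes (a login record, no less).
SAMPLE_TRUNCATED = (
    "192.168.1.10/54321 to inside:192.168.1.1/ssh for user \"admin\"\n"
    + SAMPLE_INTACT
)


def check_export(text):
    """Inspect one exported log file and report records that are not whole.

    Returns a dict with the record count, a boolean `complete`, and a list of
    human-readable findings (empty when every record is intact).
    """
    findings = []
    # A file cut at a byte boundary usually loses its final newline.
    if text and not text.endswith("\n"):
        findings.append("final record lacks a terminating newline (tail cut)")
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty element that follows the final newline
    # A record whose head was cut no longer starts with a full header.
    for number, line in enumerate(lines, start=1):
        if not RECORD_HEADER.match(line):
            findings.append(
                f"line {number} does not start with a full ASA record header "
                f"(head cut?): {line[:40]!r}"
            )
    return {"records": len(lines), "complete": not findings, "findings": findings}


def check_file(path):
    """Convenience wrapper: run check_export over a file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return check_export(fh.read())


if __name__ == "__main__":
    for label, sample in (("intact", SAMPLE_INTACT), ("truncated", SAMPLE_TRUNCATED)):
        result = check_export(sample)
        print(f"{label}: {result['records']} records, complete={result['complete']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against each file after the FTP transfer completes; a non-empty findings list is the signal to treat that export as incomplete for retention or evidentiary purposes, and to reconcile it against the syslog stream rather than trusting the FTP copy alone.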

Collin Clark Tue, 12/09/2008 - 09:34

I'm just curious, when does the firewall FTP the logs to the server? Is it configurable? Is the FTP connection always open?

network.monger Tue, 12/09/2008 - 09:37

The FTP time is based solely (unfortunately) upon when the file reaches the predetermined size.

So a heavy traffic day may cause several files to be transmitted over a day's period.

It would be much nicer if you were able to specify a time.

Even if that's not an option.. the file should not be truncating an entry :)

Collin Clark Tue, 12/09/2008 - 09:45

Yeah, that would stink. I bet Cisco's stand on this would be to use syslog. I manage 20+ firewalls and our security policy requires logging to be set at debug. We generate gigs of logs a day and AFAIK we have never lost a single log entry. IMO syslog is much faster and more reliable than using FTP. Granted it is connectionless but that doesn't mean it's any less reliable than TCP. Check out http://www.rsyslog.com. It's a high performance syslog server.

network.monger Tue, 12/09/2008 - 09:48

I know I know.... but these are the cards I am dealt ;p

I use syslog-ng and it has no problem keeping up with the workload.

(It also gets fed to Splunk)

So I came across the name Srinivas Mallu

Is he the product manager?

So far you are the only person that's shown any interest

Collin Clark Tue, 12/09/2008 - 09:52

I have no idea who the product manager is, Cisco is too big to find that info :-) Have you tried contacting your local Cisco Systems Engineer/Account Rep? They can escalate any info requests. I would keep pushing that this is a bug, it might get more attention that way.

Jon Marshall Tue, 12/09/2008 - 10:23

"So I came across the name Srinivas Mallu"

No, he is one of the customer support engineers who specializes in ASA and did a recent Ask the Experts -

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&topicID=.ee6e1f8&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc25bb1

I agree with Collin, raise this with your local Cisco account Rep/SE if you have one.

Jon

network.monger Tue, 12/09/2008 - 10:59

My local SE said that most likely it would be over a year before this could be addressed or fixed... even though it is a bug... because there are not a lot of people that use the FTP option.

That is the answer I received. I don't believe my local SE has any interest in pursuing this because it does not bring in any new revenue.

The SE was the first place I went to.

-Guy
