Unable to send syslog to Kiwi server

mahesh18
Level 6

Hi Everyone,

 

Firewall inside IP is 10.0.0.1

Kiwi syslog server is connected to firewall inside interface IP 10.0.0.10

 

config

 

ASA1# sh run loggi$
logging enable
logging timestamp
logging buffer-size 50000
logging buffered informational
logging asdm informational
logging host inside 10.0.0.10
logging permit-hostdown

 

I can ping from both devices to each other.

 

ASA1# ping inside 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

Ran the packet tracer

 

ASA1# packet-tracer input inside udp 10.0.0.1  514 10.0.0.10  syslog

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) after-auto source static inside inside destination static inside inside
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.0.10/514 to 10.0.0.10/514

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

As they are behind the same interface, no ACL is needed, right?

 

Regards

MAhesh

1 Accepted Solution

Marvin Rhoads
Hall of Fame

Hi Mahesh,

Your configuration looks fine.

Packet tracer won't work for traffic from the firewall - only for traffic THROUGH the firewall. To validate in this case, you are better off doing a packet capture to verify that any traffic originated by the ASA is leaving and going to the syslog server destination.

Have you checked the Kiwi syslog server and defined your ASA as a source there? Until you do, it won't display any syslog traffic received.
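
Added example (not part of the original thread, and not Cisco or Kiwi code): a small receiver-side check that complements the packet capture suggested above, showing whether UDP syslog from the firewall at 10.0.0.1 actually reaches the server. It assumes Python 3 on the syslog host and the default UDP port 514; the function names and the sample datagram are constructed for illustration.

```python
import re
import socket

# "<PRI>" + optional timestamp/device-id + "%ASA-<level>-<6-digit id>: <text>"
ASA_RE = re.compile(r"^<(\d{1,3})>.*?%ASA-(\d)-(\d{6}): (.*)$", re.S)

def parse_asa_syslog(datagram: bytes):
    """Parse one ASA syslog datagram; return a dict, or None if it is not one."""
    m = ASA_RE.match(datagram.decode("utf-8", errors="replace").strip())
    if not m or int(m.group(1)) > 191:      # valid PRI is 0..191
        return None
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "asa_level": int(m.group(2)), "msg_id": m.group(3),
            "text": m.group(4)}

def classify(src_ip: str, datagram: bytes, expected_src: str = "10.0.0.1") -> str:
    """Say whether a datagram is what the firewall should be sending."""
    if src_ip != expected_src:
        return "unexpected-source"           # some other host is logging here
    parsed = parse_asa_syslog(datagram)
    if parsed is None:
        return "not-asa-syslog"
    if parsed["severity"] != parsed["asa_level"]:
        return "pri-mismatch"                # PRI severity disagrees with the tag
    return "ok"

def listen(bind_ip="0.0.0.0", port=514, expected_src="10.0.0.1",
           count=5, timeout=30.0):
    """Receive up to `count` datagrams; return [(source IP, verdict), ...]."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))           # ports below 1024 need admin rights
        sock.settimeout(timeout)
        try:
            while len(results) < count:
                data, (src, _sport) = sock.recvfrom(8192)
                results.append((src, classify(src, data, expected_src)))
                print(results[-1], data[:100])
        except socket.timeout:
            print("no further datagrams within", timeout, "seconds")
    return results

# Constructed sample datagram (not captured from a real device).
SAMPLE = b"<166>Jan 05 2024 10:11:12: %ASA-6-302015: Built outbound UDP connection"

if __name__ == "__main__":
    print(classify("10.0.0.1", SAMPLE))
    listen()
```

The syslog service has to be stopped while this runs, since only one process can own UDP 514; an empty result after the timeout means nothing from the firewall reached the host.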

Hi Marvin,

Thanks for explaining packet tracer to me.

The issue was fixed by adding the syslog port info to the command below:

ASA1(config)# logging  host inside 10.0.0.10 ?

configure mode commands/options:
  WORD    Enter <protocol/port>, The protocol over which the syslog message is
          sent, could be TCP or UDP. The allowable range for ports is 1025
          through 65535. The default is port 514 for UDP and 1470 for TCP

Earlier, when I configured logging host inside 10.0.0.10, I did not specify the port info.

Now I have configured the port info, and when I do sh run logging:

ASA1(config)# sh run logging
logging enable
logging timestamp
logging buffer-size 50000
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 10.0.0.10
logging permit-hostdown


It still does not show the syslog port which I configured.

Regards

MAhesh
