01-30-2014 09:19 PM - edited 03-11-2019 08:38 PM
i have two of these, one is installed in my home and the other is installed at work. i have set up a syslog server to capture and store the messages from the 5505. in the asa logging setup i have the severity levels set to filter out the debug and informational level messages. for some reason, the notification level messages, which display all the browsing activity of the network clients - have stopped displaying in the asdm console, these have been displaying religiously for several months now. due to this, the syslog server which i am using to store the logs does not have the information either. i'm not sure why they have stopped. the asdm version is 7.1(3) and the asa version is 9.1(2) on both asa devices.
02-03-2014 12:25 AM
Has logging been turned off by accident perhaps? Check using the CLI, not the ASDM.
--
Please remember to rate and select a correct answer
02-03-2014 07:26 AM
that was the first thing i checked. i have logging enabled and the severity level set to Notifications. if i set the trap level to debug or informational, i get the typical flood of messages but no notification messages. this is what i have set for logging:
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap notifications
logging asdm notifications
logging facility 16
logging queue 1024
logging host inside 192.168.2.100
logging permit-hostdown
02-03-2014 08:06 AM
Hi,
I guess on Notifications level you would essentially only see Deny messages of traffic blocked by interface ACL.
Informational messages by default contain connection/translation build/teardown messages.
Have you perhaps configured separate logging settings on the actual ACL rules that might have been modified so that they stopped logging?
- Jouni
02-03-2014 08:21 AM
i have checked a few times for an errant setting but i must be blind in one eye and can't see out of the other as nothing stands out as being wrong. not sure what to look for.
02-03-2014 12:09 PM
Would you be able to post a full sanitised running config for us to look over?
--
Please remember to rate and select a correct answer
02-03-2014 01:50 PM
i will put a sanitized copy of the running config up but it will take me about 5 more hours before i am able to do so... thanks for taking the time to look at this...
02-03-2014 09:45 PM
hi Marius,
before posting the running configuration... in the configuration -> device management -> syslog setup there are hundreds of syslog id's with their various logging levels set. the problem we've been dealing with is the level 5 messages - Notifications. browsing through this level via a doc from the cisco website it appears there are many messages set to level 4 and higher for the logging level. i do not know the actual syslog id's that are used to log web browsing activity but do you suppose this could be a cause for my dilemma? if so, which of the id's are used for trapping the logs for web browsing?
here is the "sanitized" version of my running configuration
02-04-2014 12:59 AM
syslog ID 710001 and 710002 are part of the 3 way handshake so you might want to start by checking that these are set to the right level.
http://www.cisco.com/en/US/docs/security/asa/syslog-guide/asa-syslog.pdf
But from your running config it doesn't look like any of the logging message IDs have been altered from their default settings.
If you change the logging level to informational, do you see the expected logs then?
Perhaps if you tried removing the logging configuration and then re-adding it again.
--
Please remember to rate and select a correct answer
02-04-2014 01:14 PM
hi marius... i discovered the issue last night... For some reason, the http service policy and the http inspection map disappeared. i recreated them and all is good… the only issue now since it's working is i can't remember how i had it set up to display on the asdm console the source ip, source port, destination ip and destination port. anyway, i'll post that into a new request after i take a little time to read up... thanks for the help
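Added example, not part of the thread or any poster's code: a check to run over the file the syslog server writes, reporting which ASA message IDs have gone quiet while others keep arriving, the symptom described above. The sample lines are constructed (including the level-5 "Accessed URL" message 304001), and the timestamp layout and the function names `summarize` and `gone_quiet` are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line layout: "<Mon DD YYYY HH:MM:SS> ... %ASA-<severity>-<id>: text"
LINE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}).*?%ASA-([0-7])-(\d{6}):")

# Constructed sample, not taken from the thread.
SAMPLE = """\
Feb 02 2014 20:58:11: %ASA-5-304001: 192.168.2.23 Accessed URL 203.0.113.10:/index.html
Feb 02 2014 21:10:03: %ASA-5-304001: 192.168.2.31 Accessed URL 203.0.113.44:/news
Feb 02 2014 21:12:40: %ASA-4-106023: Deny tcp src outside:198.51.100.7/4431 dst inside:192.168.2.100/23 by access-group "outside_in"
Feb 03 2014 07:02:19: %ASA-5-111008: User 'enable_15' executed the 'show logging' command.
Feb 03 2014 07:20:55: %ASA-4-106023: Deny tcp src outside:198.51.100.9/5120 dst inside:192.168.2.100/22 by access-group "outside_in"
"""

def summarize(lines):
    """Return {(severity, msg_id): (count, last_seen)} for every ASA message."""
    counts, last = Counter(), {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an ASA message, or a layout this sketch does not know
        stamp = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        key = (int(m.group(2)), m.group(3))
        counts[key] += 1
        last[key] = max(stamp, last.get(key, stamp))
    return {k: (counts[k], last[k]) for k in counts}

def gone_quiet(lines, max_gap=timedelta(hours=6)):
    """Message IDs whose last entry is older than max_gap before the newest line."""
    seen = summarize(lines)
    if not seen:
        return []
    newest = max(ts for _, ts in seen.values())
    return sorted(k for k, (_, ts) in seen.items() if newest - ts > max_gap)

if __name__ == "__main__":
    for sev, msg_id in gone_quiet(SAMPLE.splitlines()):
        print(f"severity {sev} id {msg_id} has stopped arriving")
```

A message ID that drops out while others at the same or a lower severity number keep arriving points at the feature that generates it rather than at the `logging trap` level.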