Getting syslog from cisco 5585 how to segerate from traffic logs?

asad ali
Level 1

Support ,

I need some help. I want syslog from the Cisco ASA 5585 to come to the SIEM, but the networking guy says he can configure the Cisco ASA 5585 to send both traffic and syslog together; there is no segregation. I don't want this to happen; I'm just interested in getting the syslog events. In almost every firewall, e.g. Juniper, it is possible to send only traffic logs.

If what the networking guy says is true, it's a very poor design where there is high coupling between processes; if they are dependent and one is needed to get the other, what if one thing fails?

I'm the sec guy, and I don't have the config guide about how the Cisco ASA works at that level; I will appreciate it if someone can verify, or better, suggest a workaround if one exists for this issue.

Thanks.

3 Replies

Jouni Forss
VIP Alumni

Hi,

I am not sure I understand the question completely.

You should be able to configure the ASA to send logs wherever you want. We, for example, have a separate interface through which the syslogs are sent to our server. The interface is not really used for anything other than that.

- Jouni

JouniForss

Thank you for your reply. Sorry for the confusion. It means that when the syslog is sent, traffic is sent along with it? I don't know, it doesn't make sense to me, but that's what the networking guy narrated to me.

Are you using a Cisco 5585? In case you are, you are just getting syslog out of a dedicated interface? That's it?

Hi,

So you have been told that some other traffic would also be sent through the interface? That should not be the case. I don't know why the ASA would need to send any traffic to your server other than UDP/514 port traffic. If I remember correctly, that is the UDP port used.

If I had to guess, there might be a little misunderstanding between you. They might mean that they are already sending logs to some syslog server and the log level has been set so that the logs include all logs of connections forming through the ASA, and therefore it would send you very specific logs about the ASA.

The logging level set for logs that are sent to a syslog server applies to every target syslog server. I don't think you can even specify different logging levels for different servers. But I might be mistaken.

But I am not sure what the situation is. Sounds a bit weird.

We use a dedicated interface on ASAs to send logs to the syslog server. We might also use the link for some remote management connections and monitoring.

- Jouni
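The reply above describes the likely situation: the ASA sends a single syslog feed to every configured server at one logging level, and that feed mixes connection build/teardown records (the "traffic" logs) with authentication, configuration and ACL events. One practical way to get the segregation the original question asks for is to do it on the receiving side, keyed on the ASA message ID in the `%ASA-<severity>-<id>:` header. The following is an added example, not code from the thread or from Cisco; the sample log lines are constructed, and the message-ID sets are the well-known connection (302013-302016) and ACL (106023, 106100) IDs, which you would extend for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ASA syslog format (not taken from the thread).
SAMPLE_LOGS = """\
Mar 10 2024 12:00:01 fw01 : %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/43021 (203.0.113.5/43021) to inside:10.0.0.10/443 (10.0.0.10/443)
Mar 10 2024 12:00:03 fw01 : %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/43021 to inside:10.0.0.10/443 duration 0:00:02 bytes 1532 TCP FINs
Mar 10 2024 12:00:05 fw01 : %ASA-4-106023: Deny tcp src outside:203.0.113.7/55555 dst inside:10.0.0.10/22 by access-group "outside_in" [0x0, 0x0]
Mar 10 2024 12:00:09 fw01 : %ASA-6-605005: Login permitted from 10.0.0.2/51000 to mgmt:10.0.0.1/ssh for user "admin"
Mar 10 2024 12:00:15 fw01 : %ASA-5-111008: User 'admin' executed the 'no logging message 302013' command.
"""

# Every ASA syslog message carries a "%ASA-<severity>-<six digit id>:" header.
HEADER_RE = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)$")

# Connection build/teardown messages: the high-volume "traffic" logs.
TRAFFIC_IDS = {"302013", "302014", "302015", "302016", "302020", "302021"}
# Access-list deny / log messages: useful for detection, but also traffic-driven.
ACL_IDS = {"106023", "106100"}

SEVERITY_NAMES = {
    "0": "emergencies", "1": "alerts", "2": "critical", "3": "errors",
    "4": "warnings", "5": "notifications", "6": "informational", "7": "debugging",
}


def parse_asa_line(line):
    """Return a dict with severity, msg_id and text, or None if no ASA header is present."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    return {
        "severity": int(m.group("severity")),
        "severity_name": SEVERITY_NAMES[m.group("severity")],
        "msg_id": m.group("msg_id"),
        "text": m.group("text"),
        "raw": line,
    }


def classify(msg_id):
    """Bucket a message ID: 'traffic' (connections), 'acl' (access-list hits) or 'event' (everything else)."""
    if msg_id in TRAFFIC_IDS:
        return "traffic"
    if msg_id in ACL_IDS:
        return "acl"
    return "event"


def split_logs(text):
    """Split a block of syslog lines into per-class lists; unparseable lines go to 'unparsed'."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_asa_line(line)
        if rec is None:
            buckets["unparsed"].append(line)
            continue
        buckets[classify(rec["msg_id"])].append(rec)
    return buckets


if __name__ == "__main__":
    for bucket, records in split_logs(SAMPLE_LOGS).items():
        print(f"{bucket}: {len(records)} line(s)")
        for rec in records:
            if isinstance(rec, dict):
                print(f"  {rec['msg_id']} [{rec['severity_name']}] {rec['text'][:60]}")
```

Run against the constructed input, the two 302xxx records land in `traffic`, the 106023 deny in `acl`, and the SSH login and configuration-change records in `event`, so the SIEM can index or alert on the `event` bucket without the connection noise. If the ASA side is preferred instead, individual message IDs can be suppressed globally on the firewall with `no logging message <id>` (for example `no logging message 302013`); that affects every syslog target, which matches the point made in the reply above about a single logging level applying to all servers.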
