Cisco Support Community

New Member

Getting syslog from Cisco 5585 how to segregate from traffic logs?

Support,

I need some help. I want syslog from the Cisco ASA 5585 to come to the SIEM, but the networking guy says he can configure the Cisco ASA 5585 to send both traffic and syslog together; there is no segregation. I don't want this to happen; I'm just interested in getting the syslog events. In almost every firewall e.g. Juniper to send only traffic logs.

If it's true what the networking guy says, it's a very poor design where there is high coupling between processes; if they are dependent and one is needed to get the other, what about if one thing fails?

I'm the sec guy, and I don't have the config guide about how the Cisco ASA works at that level; I would appreciate it if someone can verify or, better, suggest a workaround to this issue if one exists.

Thanks.

3 REPLIES
Super Bronze

Getting syslog from Cisco 5585 how to segregate from traffic logs

Hi,

I am not sure I understand the question completely.

You should be able to configure the ASA to send logs to where you want. We, for example, have a separate interface through which the Syslogs are sent to our server. The interface is not really used for anything other than that.

- Jouni

New Member

Re: Getting syslog from Cisco 5585 how to segregate from traffic

JouniForss

Thank you for your reply. Sorry for the confusion. It means that when the syslog is sent, traffic is sent along with it? I don't know, it doesn't make sense to me, but that's what the networking guy narrated to me.

Are you using a Cisco 5585? In case you are, you are just getting syslog out of a dedicated interface? That's it?

Super Bronze

Getting syslog from Cisco 5585 how to segregate from traffic logs

Hi,

So you have been told that some other traffic would also be sent through the interface? That should not be the case. I don't know why the ASA would need to send any traffic to your server other than UDP/514 port traffic. If I remember correctly, that is the UDP port used.

If I had to guess, there might be a little misunderstanding between you. They might mean that they are already sending logs to some Syslog server and the log level has been set so that the logs include all logs of connection forming through the ASA and therefore would send you very specific logs about the ASA.

The logging level set for logs that are sent to a Syslog server applies to every target Syslog server. I don't think you can even specify different logging levels for different servers. But I might be mistaken.

But I am not sure what the situation is. Sounds a bit weird.

We use a dedicated interface on ASAs to send logs to the Syslog server. We might also use the link for some remote management connections and monitoring.

- Jouni
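
An added example, not part of the thread: on an ASA the connection records are themselves syslog messages carrying a `%ASA-<severity>-<message id>` tag, so a collector can separate them from other events by message ID. This Python sketch assumes that "traffic logs" means the connection build/teardown IDs listed in the code; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# ASA syslog messages carry a tag of the form %ASA-<severity>-<message id>:
ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")

# Assumption: "traffic logs" means connection build/teardown messages
# (TCP 302013/302014, UDP 302015/302016, ICMP 302020/302021).
CONNECTION_IDS = frozenset({302013, 302014, 302015, 302016, 302020, 302021})

# Constructed sample lines, not captured from a real device.
SAMPLE = [
    "Jan 10 10:15:01 fw1 %ASA-6-302013: Built outbound TCP connection 1001 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51514 (198.51.100.2/51514)",
    "Jan 10 10:15:31 fw1 %ASA-6-302014: Teardown TCP connection 1001 for "
    "outside:203.0.113.5/443 to inside:10.0.0.5/51514 duration 0:00:30 bytes 4096 TCP FINs",
    'Jan 10 10:16:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.9/40000 '
    'dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "Jan 10 10:17:40 fw1 %ASA-5-111008: User 'admin' executed the 'logging enable' command.",
    'Jan 10 10:18:05 fw1 %ASA-6-605005: Login permitted from 10.0.0.50/50000 '
    'to mgmt:10.0.0.1/ssh for user "admin"',
    "Jan 10 10:19:00 otherhost kernel: not an ASA message",
]

def parse_asa(line):
    """Return severity, message id and text, or None if no ASA tag is present."""
    m = ASA_TAG.search(line)
    if m is None:
        return None
    return {"severity": int(m["sev"]), "msgid": int(m["msgid"]), "text": m["text"]}

def split_events(lines, drop_ids=CONNECTION_IDS):
    """Separate events to keep from connection logs and count what was dropped."""
    kept, dropped, unparsed = [], Counter(), []
    for line in lines:
        event = parse_asa(line)
        if event is None:
            unparsed.append(line)  # keep unclassifiable lines visible, never drop silently
        elif event["msgid"] in drop_ids:
            dropped[event["msgid"]] += 1
        else:
            kept.append(event)
    return kept, dropped, unparsed

if __name__ == "__main__":
    kept, dropped, unparsed = split_events(SAMPLE)
    for event in kept:
        print(event["severity"], event["msgid"], event["text"])
    print("dropped:", dict(dropped), "unparsed:", len(unparsed))
```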
