Is syslog actually leaving my firewall?

abatson
Level 1

I'm freshly in charge of a Cisco ASA5510 firewall, and need to get its syslog sent to someplace where I can see it. Here's the pertinent part of the config:

logging enable
logging timestamp
logging monitor debugging
logging history notifications
logging asdm informational
logging facility 16
logging device-id hostname
logging host outside 10.10.10.10
logging host outside 20.20.20.20

I don't have access to the 10.10.10.10 host, so I don't know if it's receiving anything. My syslog server is the 20.20.20.20 host. TCPdump on this server shows no traffic at all coming from this ASA firewall. My next step is to determine if the firewall is actually originating any syslog traffic at all. I don't have any ability to mirror any switch ports on the Outside Interface, so I need to use some method internal to the ASA itself to troubleshoot. Who's done this before, and/or what docs can you point me at, that could help? ICMP shows up on tcpDump, so this means I can route to the syslog server OK, but I don't see any UDP/514 traffic at all. These IPs are valid & reachable by the firewall, but have obviously been mangled to protect privacy....

Is there something special I have to do (or is it an illegal configuration) to send syslog out an interface where the Security-Level is 0?

Thanks!

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

You don't seem to have the following configuration enabled

logging trap

Like for example

logging trap informational

or

logging trap notifications

It should set the level of log messages sent to the Syslog server. Without it I don't think any logs are sent to either of the defined servers.

- Jouni

Interesting -- I saw those commands in the docs I read, but I ignored them, because I thought they would cause the logging to be sent out of the firewall as SNMP traps (which I didn't want). I'll try these commands suggested & post my experience...

Hi,

Here is the section of ASA Command Reference describing the use of the above command

http://www.cisco.com/en/US/docs/security/asa/command-reference/l2.html#wp1797179

- Jouni

Julio Carvajal
VIP Alumni

Hello,

You are missing the trap command

logging trap 7

Cheers,

Julio Carvajal Segura

abatson
Level 1

Excellent -- TCPdump showed UDP/514 streaming in once I entered:

logging trap informational

I also verified that my syslog server is writing it to disk, so everything is happy & healthy now. Thanks!
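
An added example, not part of the original thread or any Cisco tooling: a small Python check over the "logging" lines of an ASA configuration that flags the condition resolved above, where "logging host" entries exist but no "logging trap" level is set. The function names are hypothetical, and the sample input is constructed from the config posted in the question.

```python
# ASA severity names, indexed by their numeric level (0-7).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Destinations that take a level; "trap" feeds the "logging host" syslog
# servers, while "history" is the one that feeds SNMP.
DESTINATIONS = {"console", "monitor", "buffered", "trap", "history", "asdm", "mail"}

# Constructed sample: the logging lines posted in the question.
SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging monitor debugging
logging history notifications
logging asdm informational
logging facility 16
logging device-id hostname
logging host outside 10.10.10.10
logging host outside 20.20.20.20
"""

def parse_level(token):
    """Map a level given as a name or digit 0-7 to its name; pass other
    tokens through (the ASA also accepts a message-list name here)."""
    if token.isdigit() and int(token) < len(SEVERITIES):
        return SEVERITIES[int(token)]
    return token

def audit_logging(config):
    """Return (enabled, hosts, levels, findings) for the logging lines."""
    enabled, hosts, levels, findings = False, [], {}, []
    for line in config.splitlines():
        words = line.split()
        if len(words) < 2 or words[0] != "logging":
            continue
        if words[1] == "enable":
            enabled = True
        elif words[1] == "host" and len(words) >= 4:
            hosts.append((words[2], words[3]))  # (interface, address)
        elif words[1] in DESTINATIONS and len(words) >= 3:
            levels[words[1]] = parse_level(words[2])
    if hosts and not enabled:
        findings.append("logging host defined but 'logging enable' is missing")
    if hosts and "trap" not in levels:
        findings.append("logging host defined but no 'logging trap <level>' is set")
    return enabled, hosts, levels, findings

if __name__ == "__main__":
    enabled, hosts, levels, findings = audit_logging(SAMPLE_CONFIG)
    print("syslog hosts:", hosts, "| levels:", levels)
    for finding in findings:
        print("FINDING:", finding)
```

Run against a saved copy of the running configuration, an empty findings list means the syslog destinations have both a master enable and a trap level; it does not prove packets leave the box, which still needs the tcpdump check used in the thread.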
