09-10-2013 12:21 PM - edited 03-11-2019 07:36 PM
I'm freshly in charge of a Cisco ASA5510 firewall, and need to get its syslog sent to someplace where I can see it. Here's the pertinent part of the config:
logging enable
logging timestamp
logging monitor debugging
logging history notifications
logging asdm informational
logging facility 16
logging device-id hostname
logging host outside 10.10.10.10
logging host outside 20.20.20.20
I don't have access to the 10.10.10.10 host, so I don't know if it's receiving anything. My syslog server is the 20.20.20.20 host. TCPdump on this server shows no traffic at all coming from this ASA firewall. My next step is to determine if the firewall is actually originating any syslog traffic at all. I don't have any ability to mirror any switch ports on the Outside Interface, so I need to use some method internal to the ASA itself to troubleshoot. Who's done this before, and/or what docs can you point me at, that could help?? ICMP shows up on TCPdump, so this means I can route to the syslog server OK, but I don't see any UDP/514 traffic at all. These IPs are valid & reachable by the firewall, but have obviously been mangled to protect privacy....
Is there something special I have to do (or is it an illegal configuration) to send syslog out an interface where the Security-Level is 0?
Thanks!
09-10-2013 12:27 PM
Hi,
You don't seem to have the following configuration enabled
logging trap
Like for example
logging trap informational
or
logging trap notifications
It should set the level of log messages sent to the Syslog server. Without it I don't think any logs are sent to either of the defined servers.
- Jouni
09-10-2013 12:32 PM
Interesting -- I saw those commands in the docs I read, but I ignored them, because I thought they would cause the logging to be sent out of the firewall as SNMP traps (which I didn't want). I'll try the commands suggested & post my experience...
09-10-2013 12:35 PM
Hi,
Here is the section of ASA Command Reference describing the use of the above command
http://www.cisco.com/en/US/docs/security/asa/command-reference/l2.html#wp1797179
- Jouni
09-10-2013 12:28 PM
Hello,
You are missing the trap command
logging trap 7
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-10-2013 12:50 PM
Excellent -- TCPdump showed UDP/514 streaming in once I entered:
logging trap informational
I also verified that my syslog server is writing it to disk, so everything is happy & healthy now. Thanks!
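An offline check for the misconfiguration resolved in this thread, added here as an example (not code from any poster or from Cisco): it scans a saved ASA logging section and reports `logging host` entries that have no `logging enable` or no `logging trap`. The sample config is the one from the question; the function names are hypothetical.

```python
# ASA severity keywords; list position is the numeric level (0-7),
# so "logging trap 7" and "logging trap debugging" are equivalent.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Constructed sample: the logging section posted in the question.
SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging monitor debugging
logging history notifications
logging asdm informational
logging facility 16
logging device-id hostname
logging host outside 10.10.10.10
logging host outside 20.20.20.20
"""

def parse_level(token):
    """Return severity 0-7 for a keyword or digit, else None."""
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    return LEVELS.index(token) if token in LEVELS else None

def audit_syslog(config):
    """Return findings explaining why no syslog would reach the servers."""
    enabled, trap, hosts = False, None, []
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["logging", "enable"]:
            enabled = True
        elif words[:2] == ["logging", "trap"] and len(words) >= 3:
            # Argument is a level, or the name of a message list.
            level = parse_level(words[2])
            trap = words[2] if level is None else level
        elif words[:2] == ["logging", "host"] and len(words) >= 4:
            hosts.append((words[2], words[3]))  # (interface, server IP)
    findings = []
    if hosts and not enabled:
        findings.append("logging host defined but 'logging enable' is missing")
    if hosts and trap is None:
        findings.append("logging host defined but no 'logging trap <level>': "
                        "nothing is sent to " + ", ".join(ip for _, ip in hosts))
    return findings

if __name__ == "__main__":
    for finding in audit_syslog(SAMPLE_CONFIG) or ["syslog output configured"]:
        print(finding)
```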