I have an ASA5540 running
Cisco Adaptive Security Appliance Software Version 7.2(4)9
Device Manager Version 5.2(4)
The problem is simple. There is an option to have the logs created by the ASA FTP'd to a standalone server. You must specify the file size when you enable this option.
The ASA device will truncate an entry to make certain the file is exactly the size specified.
This is a fundamental problem. What happens if I have to use these records in a court of law and I have to say, "Well, it could have been truncated"?
PLEASE fix this... It is embarrassing to Cisco!!
I opened a case... and I was told it could be a year or more before it was looked at because a lot of people don't use FTP.
My local sales force and level-one tech support are useless!!!
Please, Product Manager... do the right thing by your customers.
We were forced to upgrade to these devices since Cisco no longer supported the old Altiga 3000x series, which did not have this problem.
Case # SR 610000357
The security team that uses these reports does not consider a UDP-based delivery system to be reliable enough.
In a similar vein... I tried using TCP-based syslog, and the box is having problems re-establishing connectivity if it is lost.
(This is another issue.)
All in all... FTP was deemed to be the method of data retention.
And since it is an option... it should work.
As the product stands currently... if the file size reaches "x", it truncates whatever the first line in the file was to accommodate the file size restriction.
So if this were a user logging in... we have the potential to have that record lost.
I'm just curious, when does the firewall FTP the logs to the server? Is it configurable? Is the FTP connection always open?
The FTP time is based solely (unfortunately) upon when the file reaches the predetermined size.
So a heavy-traffic day may cause several files to be transmitted over a day's period.
It would be much nicer if you were able to specify a time.
Even if that's not an option... the file should not be truncating an entry :)
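A quick integrity check for log files pulled from the FTP server, as an added example that is not from this thread, from Cisco, or from the ASA itself: it assumes one ASA record per line with the standard `%ASA-<severity>-<message id>:` header (optionally preceded by an ASA timestamp) and flags a file whose first line has no valid header or whose last line has no terminating newline, which is what the size-based cut described above would leave behind. The sample records and the size limit are constructed for the demo; the check does not prove a file is complete, only that its ends look like whole records.

```python
import re
from dataclasses import dataclass, field

# Assumed record layout (not taken from the thread): optional ASA timestamp
# ("Mon DD YYYY HH:MM:SS: "), then "%ASA-<severity>-<6-digit id>: ", one record per line.
HEADER_RE = re.compile(
    r'^(?:[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}: )?%ASA-[0-7]-\d{6}: '
)


@dataclass
class FileReport:
    size: int
    at_size_limit: bool          # file is exactly the configured size, so a cut is possible
    records: int                 # lines carrying a valid ASA header
    bad_lines: list = field(default_factory=list)   # (line number, text) with no valid header
    missing_final_newline: bool = False              # last record was cut before its newline

    @property
    def suspect(self) -> bool:
        return bool(self.bad_lines) or self.missing_final_newline


def check_asa_log(data: bytes, size_limit: int) -> FileReport:
    """Scan one fetched log file and report lines that cannot be complete records."""
    text = data.decode('ascii', errors='replace')
    missing_final_newline = bool(text) and not text.endswith('\n')
    lines = text.split('\n') if text else []
    if text and not missing_final_newline:
        lines.pop()  # split() leaves an empty element after the trailing newline
    report = FileReport(size=len(data), at_size_limit=(len(data) == size_limit),
                        records=0, missing_final_newline=missing_final_newline)
    for n, line in enumerate(lines, 1):
        if HEADER_RE.match(line):
            report.records += 1
        else:
            report.bad_lines.append((n, line))
    return report


# Constructed sample: three complete records (addresses and connection ids are made up).
GOOD = (
    b'%ASA-6-605005: Login permitted from 10.0.0.5/51234 to inside:10.0.0.1/ssh for user "admin"\n'
    b'%ASA-6-302013: Built outbound TCP connection 8133 for outside:203.0.113.9/443 '
    b'(203.0.113.9/443) to inside:10.0.0.5/51300 (198.51.100.2/51300)\n'
    b'%ASA-6-302014: Teardown TCP connection 8133 for outside:203.0.113.9/443 '
    b'to inside:10.0.0.5/51300 duration 0:00:02 bytes 1834 TCP FINs\n'
)
# Assumed size limit, 40 bytes short of the full content, to force a cut.
SIZE_LIMIT = len(GOOD) - 40
HEAD_CUT = GOOD[-SIZE_LIMIT:]   # first record loses its beginning (the behaviour the thread describes)
TAIL_CUT = GOOD[:SIZE_LIMIT]    # last record loses its end and its newline

if __name__ == '__main__':
    for name, blob in (('complete', GOOD), ('head-cut', HEAD_CUT), ('tail-cut', TAIL_CUT)):
        r = check_asa_log(blob, SIZE_LIMIT)
        print(f'{name}: size={r.size} at_limit={r.at_size_limit} records={r.records} '
              f'bad={[n for n, _ in r.bad_lines]} no_final_newline={r.missing_final_newline} '
              f'suspect={r.suspect}')
```

Run it over every file the ASA delivers and keep the report next to the file; a file that is exactly the configured size and has a headerless first line is the case the thread is complaining about, and the report records that fact at collection time rather than leaving it to be argued later.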
Yeah, that would stink. I bet Cisco's stance on this would be to use syslog. I manage 20+ firewalls, and our security policy requires logging to be set at debug. We generate gigs of logs a day, and AFAIK we have never lost a single log entry. IMO syslog is much faster and more reliable than using FTP. Granted, it is connectionless, but that doesn't mean it's any less reliable than TCP. Check out http://www.rsyslog.com. It's a high-performance syslog server.
I know I know.... but these are the cards I am dealt ;p
I use syslog-ng and it has no problem keeping up with the workload.
(It also gets fed to Splunk)
So I came across the name Srinivas Mallu.
Is he the product manager?
So far you are the only person that's shown any interest.
I have no idea who the product manager is, Cisco is too big to find that info :-) Have you tried contacting your local Cisco Systems Engineer/Account Rep? They can escalate any info requests. I would keep pushing that this is a bug, it might get more attention that way.
"So I came across the name Srinivas Mallu"
No, he is one of the customer support engineers who specializes in ASA, and did a recent Ask the Experts -
I agree with Collin, raise this with your local Cisco account Rep/SE if you have one.
My local SE said that most likely it would be over a year before this could be addressed or fixed... even though it is a bug... because there are not a lot of people that use the FTP option.
That is the answer I received. I don't believe my local SE has any interest in pursuing this because it does not bring in any new revenue.
The SE was the first place I went to.