
Best Log Setting for ASA & MARS

cyber-burn
Level 1

Hi,

I'm going back and trying to clean up our MARS install a little bit now that I have some time. I need to update MARS to the latest version, but right now I'm just trying to wade through some of the undefined logs coming from our ASA. Is there any guideline as to what the best log settings are to use coming from the ASA for MARS? Right now it looks like everything is set up to be forwarded. Anyone have any suggestions for what they have their log settings at to capture the best amount of information, but not have to wade through everything else?

Thanks

3 Replies

Farrukh Haroon
VIP Alumni

Which syslogs are these specifically? We don't get any undefined events from our FWSM(s)? We get plenty from the Netscreen (but AFAIR this is documented on CCO) that the support is not 'complete' as of yet.

The recommended level for ASA/PIX as per the Cisco Guide and 'many' discussions on Cisco MARS User Group is 'debugging'. Under normal operation not a lot of level 7 messages are generated.

Regards

Farrukh

rajett
Cisco Employee

If it's a busy firewall then you might need to adjust the logging to informational.

Also, there's an ASA and MARS tuning doc available through your account team which outlines some of the duplicate messages which can be turned off at the firewall to lessen the load on both the firewall and the MARS appliance.
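
One way to check, before choosing between the 'debugging' and 'informational' levels discussed above, how much of a firewall's syslog volume is level 7 and which message IDs dominate it. This is an added example, not part of the thread or of Cisco's tuning document; the sample log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Every ASA/PIX/FWSM syslog message carries a %<platform>-<severity>-<message id> tag.
ASA_TAG = re.compile(r"%(?:ASA|PIX|FWSM)-([0-7])-(\d{6})")
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# Constructed sample lines (not from a real firewall), as a collector might store them.
SAMPLE = """\
Jan 10 10:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 101 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.5/1025 (198.51.100.1/1025)
Jan 10 10:00:02 fw1 %ASA-6-302014: Teardown TCP connection 101 for outside:192.0.2.10/80 to inside:10.1.1.5/1025 duration 0:00:01 bytes 512 TCP FINs
Jan 10 10:00:03 fw1 %ASA-7-609001: Built local-host inside:10.1.1.5
Jan 10 10:00:04 fw1 %ASA-7-609002: Teardown local-host inside:10.1.1.5 duration 0:00:30
Jan 10 10:00:05 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4431 dst inside:10.1.1.5/22 by access-group "outside_in"
Jan 10 10:00:06 fw1 %ASA-6-302013: Built outbound TCP connection 102 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.1.1.6/1026 (198.51.100.1/1026)
Jan 10 10:00:07 fw1 %ASA-7-609001: Built local-host inside:10.1.1.6
Jan 10 10:00:08 fw1 %ASA-5-111008: User 'admin' executed the 'logging trap debugging' command.
Jan 10 10:00:09 collector heartbeat ok
"""

def tally(lines):
    """Count messages per severity and per (severity, message id); also count untagged lines."""
    by_sev, by_id, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = ASA_TAG.search(line)
        if not m:
            unparsed += 1  # not an ASA-tagged message; report it instead of dropping it silently
            continue
        sev, msg_id = int(m.group(1)), m.group(2)
        by_sev[sev] += 1
        by_id[(sev, msg_id)] += 1
    return by_sev, by_id, unparsed

def forwarded_at(by_sev, trap_level):
    """Messages the firewall would send at a trap level: that severity and every lower number."""
    return sum(n for sev, n in by_sev.items() if sev <= trap_level)

if __name__ == "__main__":
    by_sev, by_id, unparsed = tally(SAMPLE.splitlines())
    for level in (7, 6):
        print(f"trap {SEVERITY[level]:<13} -> {forwarded_at(by_sev, level)} messages")
    print("top message IDs (candidates to review before disabling any):")
    for (sev, msg_id), n in by_id.most_common(3):
        print(f"  {msg_id} (level {sev}, {SEVERITY[sev]}): {n}")
    print(f"lines without an ASA tag: {unparsed}")
```

Run against a day of real syslog, the per-ID counts show whether lowering the level or turning off individual message IDs removes more noise.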
