Cisco Support Community

TCP Syslog configuration on the ASA device




    This document describes the TCP Syslog configuration on the ASA device.

    Detailed information

    As per RFC 6587, the ASA uses a TCP connection to send syslog messages to the syslog server. Like most other protocols, the syslog transport sender is the TCP host that initiates the TCP session. After initiation, messages are sent from the transport sender to the transport receiver. No application-level data is transmitted from the transport receiver to the transport sender.

    The roles of transport sender and receiver seem to be fixed once the session is established. It has been observed that if an error occurs that cannot be corrected by TCP, the host detecting the error gracefully closes the TCP session. There have been no application-level messages seen that were sent to notify the other host about the state of the host syslog application.


    Configuration on ASA

    1) logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem] [permit-hostdown]

    The tcp[/port] or udp[/port] argument specifies that the ASA should use TCP or UDP to send syslog messages to the syslog server.

    The permit-hostdown keyword allows TCP logging to continue when the syslog server is down. You can configure the ASA to send data to a syslog server using either UDP or TCP, but not both. The default TCP port is 1470.

    2) logging trap {severity_level | message_list}

    Specifies which syslog messages should be sent to the syslog server. You can specify the severity level number (0 through 7) or name.

    3) (Optional)

    logging facility number

    Sets the logging facility to a value other than the default of 20, which is what most UNIX systems expect.

    4) logging queue queue_size (Optional)

    The number of syslog messages permitted in the queue used for storing syslog messages before processing them. Valid values are from 0 to 8192 messages, depending on the platform type. If the logging queue is set to zero, the queue will be the maximum configurable size (8192 messages), depending on the platform.

    On the ASA-5505, the maximum queue size is 1024.

    On the ASA-5510, it is 2048, and on all other platforms, it is 8192.

    Syslog messages are queued up on the ASA until the configured as I suggested in my previous email. According to the following excerpt from Section 4 of the above RFC: "TCP decides when enough data has been received from the application to form a segment for transmission. This may be adjusted through timers and certain other features."

    To summarize, the connections from the ASA to the syslog server are short-lived because the ASA creates a TCP connection to the syslog server only when it has enough data to be sent to the syslog server, and once it is sent it will close the connection. Also, at the time the connection is closing, there will be some messages which will be missed, and so we see a syslog message loss for approximately 1 minute.

    5) logging permit-hostdown

    To make the status of a TCP-based syslog server irrelevant to new user sessions, use the logging permit-hostdown command in global configuration mode.

    By default, if you have  enabled logging to a syslog server that uses a TCP connection, the ASA  does not allow new network access sessions when the syslog server is  unavailable for any reason.


    Hope this Helps!!
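    Added example (not from the post above and not Cisco code): a small Python audit that reads ASA `logging` lines and flags the situations the five steps describe, namely a TCP host configured without permit-hostdown (a syslog outage then blocks new sessions), a TCP host with permit-hostdown (sessions continue but messages sent during the outage may be lost), mixed TCP and UDP hosts, and a queue size above the platform limit. The default ports (TCP 1470, UDP 514) and the per-platform queue limits are taken from the post; the configuration it parses and the platform names are constructed for illustration.

```python
"""Audit Cisco ASA 'logging' configuration for TCP syslog pitfalls.

Added example, not taken from the post or from Cisco. Default ports,
per-platform queue limits and the permit-hostdown behaviour are as the
post states; the sample configuration below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_PORT = {"tcp": 1470, "udp": 514}
MAX_QUEUE = {"ASA5505": 1024, "ASA5510": 2048}  # every other platform: 8192
DEFAULT_MAX_QUEUE = 8192
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# logging host <iface> <ip> [tcp[/port] | udp[/port]] [format emblem] [permit-hostdown]
HOST_RE = re.compile(
    r"^logging host (?P<iface>\S+) (?P<ip>\S+)"
    r"(?: (?P<proto>tcp|udp)(?:/(?P<port>\d+))?)?"
    r"(?P<rest>.*)$")


@dataclass
class SyslogHost:
    iface: str
    ip: str
    proto: str            # "tcp" or "udp"; UDP when no transport is given
    port: int
    permit_hostdown: bool
    emblem: bool


@dataclass
class Audit:
    hosts: List[SyslogHost] = field(default_factory=list)
    trap: Optional[str] = None     # severity (0-7 or name) or a message list
    facility: int = 20             # ASA default, what most UNIX hosts expect
    queue: Optional[int] = None    # None: 'logging queue' not configured
    findings: List[str] = field(default_factory=list)


def severity_number(level: str) -> Optional[int]:
    """Map a 'logging trap' argument to 0..7; None means a message list name."""
    if level.isdigit() and 0 <= int(level) <= 7:
        return int(level)
    return SEVERITY_NAMES.index(level) if level in SEVERITY_NAMES else None


def platform_max_queue(platform: str) -> int:
    return MAX_QUEUE.get(platform, DEFAULT_MAX_QUEUE)


def effective_queue(queue: Optional[int], platform: str) -> Optional[int]:
    """'logging queue 0' means the platform maximum; unset stays None."""
    if queue is None:
        return None
    return platform_max_queue(platform) if queue == 0 else queue


def parse_logging_config(text: str, platform: str = "ASA5520") -> Audit:
    audit, global_hostdown = Audit(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = HOST_RE.match(line)
        if m:
            proto, rest = m.group("proto") or "udp", m.group("rest")
            audit.hosts.append(SyslogHost(
                iface=m.group("iface"), ip=m.group("ip"), proto=proto,
                port=int(m.group("port") or DEFAULT_PORT[proto]),
                permit_hostdown="permit-hostdown" in rest,
                emblem="format emblem" in rest))
        elif line == "logging permit-hostdown":
            global_hostdown = True
        elif line.startswith("logging trap "):
            audit.trap = line.split(maxsplit=2)[2]
        elif line.startswith("logging facility "):
            audit.facility = int(line.split()[2])
        elif line.startswith("logging queue "):
            audit.queue = int(line.split()[2])

    if {h.proto for h in audit.hosts} == {"tcp", "udp"}:
        audit.findings.append("mixed TCP and UDP syslog hosts; the ASA uses one transport, not both")
    for h in (h for h in audit.hosts if h.proto == "tcp"):
        if h.permit_hostdown or global_hostdown:
            audit.findings.append(f"{h.ip}:{h.port}/tcp permit-hostdown: new sessions survive "
                                  "a syslog outage, but messages sent during it may be lost")
        else:
            audit.findings.append(f"{h.ip}:{h.port}/tcp has no permit-hostdown: a syslog outage "
                                  "blocks new VPN, firewall and cut-through-proxy sessions")
    if audit.trap is not None and severity_number(audit.trap) is None:
        audit.findings.append(f"logging trap '{audit.trap}' is a message list, not a severity")
    if audit.queue is not None and audit.queue > platform_max_queue(platform):
        audit.findings.append(f"logging queue {audit.queue} exceeds the {platform} "
                              f"maximum of {platform_max_queue(platform)}")
    return audit


# Constructed sample: the weak setting (no permit-hostdown) beside the corrected one.
SAMPLE_CONFIG = """
logging enable
logging trap informational
logging facility 21
logging queue 0
logging host inside 192.0.2.10 tcp/6514
logging host dmz 192.0.2.12 tcp permit-hostdown
"""

if __name__ == "__main__":
    result = parse_logging_config(SAMPLE_CONFIG, platform="ASA5505")
    print("effective queue:", effective_queue(result.queue, "ASA5505"))
    for finding in result.findings:
        print("-", finding)
```

    Feed it the output of `show running-config logging` and the platform model; the choice it surfaces is the one the post leaves implicit: without permit-hostdown a syslog server outage is a denial of service for new sessions, with it the outage is a gap in the audit trail, so pick deliberately and monitor the server either way.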

    Community Member

    When you say 'the ASA does not allow new network access sessions', what sessions are you talking about? Or am I missing something?

    Cisco Employee

    Hello Tanveer,

    The ASA blocks new connections until the TCP syslog server becomes available again. For example, VPN, firewall, and cut-through-proxy connections.

    Community Member


    And if I use a UDP connection, does it still block new connections?


    Community Member

    UDP 514 for syslog is connectionless, so it won't know if the destination is there or not.