Cisco Firewall :: ASA 5500 Syslog Not Getting Captured In Centralised Syslog Server
Jan 15, 2012
Recently i have upgraded the IOS of ASA5550 (in HA mode) to 8.4.2 from 8.0.5, after OS upgrade we found that the syslog from thses firewalls are not getting captured/transfered to centralised syslog server. The server is reachable from the firewalls.
We use multiple ASA 5500/5580 cluster systems running 8.3 software versions.Actually we send all our FW syslog data to a SIEM appliance in a DMZ on a remote firewall (non-asa). Recently we suffered a strange incident while implementing a new SIEM collection station now situated in a dmz that is located on one of the ASA contexts. We redirected the syslog streams to the new client for one of the contexts on the ASA cluster that holds the new SIEM agent DMZ..since we did this and redirected the syslog we see double traffic and spoofing errors on that context
a/ the ASA keeps sending out the syslog traffic to the OLD SIEM agent server ip (there is however no trace of its ip in the config)
b/ the traffic leaving the interconnection interface towards the OLD SIEM agent gets a SPOOFING error on the traffic
c/ strangely the data gets also correctly forwarded to the new SIEM collection stations.
We started out with redirecting traffic on only one of the 5 contexts to the new environment and kept logging the others to the old system.I finally got out of the issue by reconfiguring al the other contexts to forward their syslog towards the same new server , since that moment we no longer have the double logging and spoofing error , all syslog traffic goes correctly to the new SIEM agent. It looked like some remenants of the old syslog config remainded on the asa event after deleting and introducing a new config line (we used the asdm to execute the action) as said either it kept the old config or it looked in the other context and "decided" to keep sending to the old server also mentioned in that syslog can find the behaviour in any buglists either way.
Add the ability to send syslog events to multiple syslog servers in the SA500 Series routers. I know the functionality is currently in the RV220W because we utilized it. It would be great if you could configure the syslog servers by event type as well. For example, being able to send the kernel events to syslog server A, and all other events to syslog server B.
I need to setup a syslog server for PIX w/ 6.2 and was hoping to get detailed instruction how to go about it. I would like exact syntax w/ an example on the pix and any configuration on the computer that will be receiving the log info. I have downloaded tftpd32 onto computer
It is a Customer requirement to send 802.11 client association/disassociation logs to the Syslog server in a Unified Wireless system. (AIR-CT5508 + LAP1142) [code] Unfortunately I didn't find such logs even in Msg Log with the severity level set to debugging.I was able to do client assoc/disassoc logging with SNMP trap + trap receiver software, BUT is there any way to do this with Syslog?
I'm building the use case to test / detect for rogue devices on the network. I have in my enviroment Lan controller 5500 controller with AP (aironet 3500). I want to detect for rogue devices/ap connected to my network. I know before i can see this activity on the network i have to configure the controller / ap to detect this behavior. I'm doing this step.
Authorize AP's against AAA function to make sure that all the AP's registering to your WLC are authorized AP's of the network.By enabling this feature, only those AP's whose mac-addresses are present in the authorization list, will be able to register to the URL
Using Rogue detection. feature, the WLC will be able to detect any AP that is not a part of its RF group and contain it.URL
NOTE: from the forum I have seen other talks about the same issue and saying that if I have any APs in "Rogue Detection" mode sitting on the trunk port on the switch then only, this AP will detect the Rogue on Wired
I don't think i completely understand this statement, by sitting does it mean that it is passively sniffing coming in/out on trunk link?
Considering the above steps are accurate, after this will i be able to see rogue detection behavior in syslogs? What exactly would be the messages that would produce this behavior.
I'm building the use case to test / detect for rogue devices on the network. I have in my enviroment Lan controller 5500 controller with AP (aironet 3500). I want to detect for rogue devices/ap connected to my network. I know before i can see this activity on the network i have to configure the controller / ap to detect this behavior.
Authorize AP's against AAA function to make sure that all the AP's registering to your WLC are authorized AP's of the network.By enabling this feature, only those AP's whose mac-addresses are present in the authorization list, will be able to register to the WLC. url...
Using Rogue detection. feature, the WLC will be able to detect any AP that is not a part of its RF group and contain it. url...the forum I have seen other talks about the same issue and saying that if I have any APs in "Rogue Detection" mode sitting on the trunk port on the switch then only, this AP will detect the Rogue on Wired.
I have recently setup Splunk to receive my syslog messages from my ASA 5510. In the past I used kiwi without observing this issue, but I needed more features than kiwi had available. Anyway, anytime I stop the splunk service my asa does not allow any outbound connections to be established.
I have a WAP4410N access Point, firmware 22.214.171.124. I have configured a Kiwi syslog server to get the log from the WAP4410N, but the log information obtained is just the "standard event log" and not the detailed log (every connection source and destination IP address,IP server,and number of bytes transferred) , according to the manual of the access point.what I have to do? firmware update? another syslog server?
i'm about to configure a syslog server to receive syslog messages from a Cisco ASA5510 and being it a one week test I was wondering how much space should I allocate on the machine hosting the tool (kiwi syslog). I see that the ASA fills the internal syslog buffer to 4MB and then it overrides it. How many messages would those 4MB be?
I am sending TACACS administration logging to a syslog server. When the messages show up on the syslog server, they are 5 hours ahead of the actual time. Time on the ACS is correct - local logging shows the correct time. Time on the syslog server is correct...all other devices/systems sending syslog messages to it are coming through with the correct time. why the ACS syslog messages would be 5 hours ahead?
I have installed a switch (3560) that was from another site and changed all it's config and hostname etc and it is now live, however the syslog messages still see the old hostname, what could be causing this?
i want to configure asa 5510 to send syslog messages to syslog server which i placed in my inside interface. also if enableing syslog will inrease the cpu utilization or memory? the necessary configuration parts?
I have an asa5510 on 8.2.2. I have my logging configuration as below [code] I am not getting any syslog output to the syslog server. I'm using kiwi syslog server latest version. Have tried disabling/reenabling logging and changing inside host destinations. Is there another command needed
I've a problem with syslog logging on my Cisco ASA 5510 version 8.2(1). I need to:
- 1) log some ACL with warning level to log deny access. - 2) log some ACL with informational level to log permit and deny access (notification level log only deny access and not permit access). - 3) not log others ACL.
For 1), I configured the syslog server with warnings level and i enabled the logging rules with default level (syslog default level) logging enable logging trap warnings logging host "interface" "host" . access-list "interface" extended permit ip any any log default.
For 2), I enabled the logging rules with specific level (informational). access-list "interface" extended permit ip any any log 6 interval 300.
For 3), I disabled the logging rules. access-list "interface" extended permit ip any any log disable
My problem is that the syslog logging level bypass the ACL logging level. Even if some ACL are configured with informational level, the ASA send only warnings logs to the syslog. I tried to configure the syslog default level to warnings, to remove the ACL and then put it back again with the specific logging level but I still have the problem.
I am using Solawinds syslog and trying to get our Cisco routers send syslogs to our syslog server. I followed the procedure on Configuring Cisco Devices to Use a Syslog Server from [URL] Our Cisco swtches are all sending syslog messages but not the routers. I compared the config with our access switches but can't seem to find the problem:
I am facing high cpu util issue 80% in pix 515E with IOS 7.2(4).When a syslog is enable for informational/warnings level traps the util goes to 80% where as other wise it is observed to be 36-37%.When i changed the trap level to alert the util seems to be normal, only the issue is when warning and info traps are configured, prior to the issue the same settings were working absolutely fine ,suddendly the util issue has occured.