Robin_Ottawa
asked on
Duplicate Syslog messages - ASAs in Active/Standby config
Hello,
I have two Cisco ASA 5520s in Active/Standby configuration. I have a syslog server and the following config on the ASAs:
logging enable
logging timestamp
logging standby
logging console emergencies
logging monitor alerts
logging buffered debugging
logging trap informational
logging history notifications
logging asdm informational
logging facility 22
logging host <dest vlan> <Dest ip address>
Now, on my syslog server, I get duplicate entries for most items: one showing the host IP as the Active firewall, and one showing the host IP as the Standby firewall. Is there a way to get only one of these? Right now we're getting about 600MB of logs daily, and cutting it in half would be great. I've looked through Cisco's documentation and am at a loss.
As info, I am using Splunk with the Cisco Security Suite add-on installed as my syslog server.
Sorry, made a typo; I meant "logging from the standby device", but the same command still applies.
ASKER
The config is replicated to the standby device automatically. How do I remove it?
ASKER
Never mind, got it. Question though: if the switch fails over, the Standby becomes active. Will syslog messages then come from the 'old' standby, or will they just stop?
no logging standby
wr standby
wr standby
The new active will send the syslogs with the active IP (so you will not see that it is the former standby unit that is sending the syslogs).
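To measure how much of the received volume is standby duplication before and after applying `no logging standby`, the following added example (not part of the thread) pairs each standby-sourced line with an identical active-sourced line and reports the duplicate share. The line layout, the function names and the sample lines are assumptions constructed for illustration; adjust the regular expression to what your collector actually stores.

```python
import re
from collections import Counter

# Assumed collector layout (constructed for this example, not from the thread):
#   "<source-ip> <ASA timestamp>: %ASA-<severity>-<id>: <text>"
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ts>.+?): (?P<msg>%ASA-\d-\d{6}: .*)$"
)

def split_duplicates(lines, active_ip, standby_ip):
    """Return (kept, dropped). A standby-sourced line is dropped only when the
    active unit sent a line with the same timestamp and message body."""
    parsed, from_active = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        parsed.append((line, m))
        if m and m["src"] == active_ip:
            from_active[(m["ts"], m["msg"])] += 1
    kept, dropped = [], []
    for line, m in parsed:
        if m and m["src"] == standby_ip and from_active[(m["ts"], m["msg"])] > 0:
            from_active[(m["ts"], m["msg"])] -= 1  # one standby copy per active copy
            dropped.append(line)
        else:
            kept.append(line)  # active-sourced, standby-only or unparsed lines stay
    return kept, dropped

def duplicate_share(lines, active_ip, standby_ip):
    """Fraction of received characters that are standby duplicates."""
    _, dropped = split_duplicates(lines, active_ip, standby_ip)
    total = sum(len(l) for l in lines)
    return sum(len(l) for l in dropped) / total if total else 0.0

# Constructed sample: 192.0.2.1 = active, 192.0.2.2 = standby (documentation IPs).
BUILT = "Jan 05 2024 10:15:01: %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443 to inside:10.0.0.5/51512"
TEARDOWN = "Jan 05 2024 10:15:09: %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/443 to inside:10.0.0.5/51512 duration 0:00:08 bytes 4211"
SAMPLE = [
    "192.0.2.1 " + BUILT,
    "192.0.2.2 " + BUILT,
    "192.0.2.1 " + TEARDOWN,
    "192.0.2.2 " + TEARDOWN,
    # Standby-only event: no active copy exists, so it is kept.
    "192.0.2.2 Jan 05 2024 10:16:00: %ASA-1-105005: (Secondary) Lost Failover communications with mate on interface dmz",
]

if __name__ == "__main__":
    kept, dropped = split_duplicates(SAMPLE, "192.0.2.1", "192.0.2.2")
    print(f"kept={len(kept)} dropped={len(dropped)} "
          f"share={duplicate_share(SAMPLE, '192.0.2.1', '192.0.2.2'):.0%}")
```

After a failover the new active unit sends with the active IP, as the last reply notes, so the two addresses passed in stay the same.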