asked on

Duplicate Syslog messages - ASAs in Active/Standby config

Hello,

I have two Cisco ASA 5520s in Active/Standby configuration. I have a syslog server and the following config on the ASAs :

logging enable
logging timestamp
logging standby
logging console emergencies
logging monitor alerts
logging buffered debugging
logging trap informational
logging history notifications
logging asdm informational
logging facility 22
logging host <dest vlan> <Dest ip address>

Open in new window

now.. on my syslog server, I get duplicate entries for most items. one showing the host IP as the Active firewall, and one showing the host IP as the Standby firewall. Is there a way to get only one of these? Right now we're getting about 600MB of logs daily, and cutting it into half would be great.. I've looked through Cisco's documentation and am at a loss.

as info, I am using Splunk with the Cisco Security Suite add-on installed as my syslog server

ASKER CERTIFIED SOLUTION

Ironmannen

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Ironmannen

sorry, did a typo, I mean "logging from the standby device" but the same command still applies

Robin_Ottawa

ASKER

The config is replicated to the standby device automatically. How do I remove it?

Robin_Ottawa

ASKER

Nevermind, got it.. Question though. If the switch fails over, the Standby becomes active. Will syslog messages then come from the 'old' standby? or will they just stop?

Ironmannen

no logging standby
wr standby

Ironmannen

the new active will send the syslogs with the active ip (so you will no see that it is the former standby unit that is sending the syslogs)