Solved

Fine-tuning cisco syslog messages generated by Cisco ASAs

Posted on 2013-01-19
Last Modified: 2014-10-17
Hello,

I have been desperately trying to find the Cisco article, but back when ASA v.8.2 was around, I found an article written by Cisco which outlined the most common syslog messages, and which ones were safe to disable ("no logging message .."). It was really great at explaining the common messages and ones that were not technically duplicates but essentially the same. With that article I had safely disabled the following:

no logging message 106015
no logging message 313001
no logging message 313008
no logging message 419002
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020


So we upgraded to 8.4 after getting the required RAM upgrade, and found out that we were getting practically no syslog messages at all. I had to remove these lines and am back with full informational logging. I really liked the number of messages generated before, as it was enough to manage. Without those messages removed I'm getting about 600MB of logs per day, which is too much.

I know there must be a Cisco expert out there who has experience with tuning these! I really wish I could find that old article again... I suppose I could try looking up each syslog message in the 8.2 document and find the comparable one in 8.4+
Question by:RHarper-Ottawa
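As an added example (not from the thread or from Cisco), the script below ranks ASA syslog message IDs by the bytes they generate in an rsyslog-format file and proposes `no logging message` lines for the noisiest ones until the projected volume fits a byte budget, while never proposing IDs in a protected set. The `KEEP_ENABLED` set is an assumed local policy list, and the sample log lines, hostnames and addresses are constructed.

```python
"""Rank Cisco ASA syslog message IDs by the log volume they generate."""
import re
from collections import defaultdict

# The %ASA-<severity>-<message id>: prefix is what "no logging message <id>" acts on.
ASA_PREFIX = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):")

# Message IDs that stay enabled however noisy they are. Assumption: a local policy
# list; the thread later flags 106015/106023 (denies) as ones not to silence.
KEEP_ENABLED = {"106015", "106023", "113015", "716039"}

# Constructed sample in rsyslog's default line format (hypothetical hosts/addresses).
SAMPLE_LOG = """\
Jan 18 09:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51000 (203.0.113.2/51000)
Jan 18 09:00:02 fw1 %ASA-6-302014: Teardown TCP connection 12 for outside:198.51.100.7/443 to inside:10.0.0.5/51000 duration 0:00:01 bytes 4096 TCP FINs
Jan 18 09:00:04 fw1 %ASA-6-302013: Built outbound TCP connection 14 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.6/51001 (203.0.113.2/51001)
Jan 18 09:00:05 fw1 %ASA-6-302014: Teardown TCP connection 14 for outside:198.51.100.7/443 to inside:10.0.0.6/51001 duration 0:00:01 bytes 2048 TCP FINs
Jan 18 09:00:06 fw1 %ASA-4-106023: Deny tcp src outside:192.0.2.10/54321 dst inside:10.0.0.5/23 by access-group "outside_in" [0x0, 0x0]
Jan 18 09:00:07 fw1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe
Jan 18 09:00:08 fw1 rsyslogd: -- MARK --
"""

def volume_by_message_id(text):
    """Return {msgid: {"severity", "count", "bytes"}} for every ASA line in text."""
    stats = defaultdict(lambda: {"severity": None, "count": 0, "bytes": 0})
    for line in text.splitlines():
        match = ASA_PREFIX.search(line)
        if not match:
            continue  # lines without an ASA prefix (e.g. daemon marks) are not counted
        entry = stats[match["msgid"]]
        entry["severity"] = match["sev"]
        entry["count"] += 1
        entry["bytes"] += len(line) + 1  # +1 for the newline stored on disk
    return dict(stats)

def suggest_disables(stats, byte_budget):
    """Silence the largest-volume IDs (never a KEEP_ENABLED one) until the remaining
    volume fits byte_budget. Returns the ASA CLI lines and the projected remaining bytes."""
    remaining = sum(e["bytes"] for e in stats.values())
    commands = []
    for msgid, entry in sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        if remaining <= byte_budget:
            break
        if msgid in KEEP_ENABLED:
            continue
        commands.append(f"no logging message {msgid}")
        remaining -= entry["bytes"]
    return commands, remaining
```

Run it over a full day's file (`volume_by_message_id(open(path).read())`) with the budget set to the daily cap you need, and review the proposed list before pasting it into the ASA.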
4 Comments

Accepted Solution by: rscottvan (earned 500 total points)
ID: 38796694
This may be the article you're referring to:
Cisco Syslog Article

Rather than limit quantity of logs, I rotate and compress them daily, then retain them for a month.  That way I can look in detail at the messages if I'm troubleshooting something strange.  The compressed logs are usually less than 5% of the original size so they don't eat up too much disk.

Then I just run a script each day to dump what I want and email it to myself. There's a pretty extensive list of stuff I exclude; you can see it in the first grep command. The second couple of greps are for events that show failed VPN logins.

For daily review, this gets me a pretty meaningful look.

#!/bin/bash
# Script to send mail for daily syslog review.
# Paths, host names and the address are site-specific placeholders (<...>).

# Log file recording what this script did
LogFile=/opt/sadm/<directory>/daily-syslog.log

# Temp file that collects the lines selected for review
echo 'about to attempt temp file creation'
TempFile=$(mktemp) || exit 1
echo "created temp file $TempFile" >"$LogFile"
echo "created temp file $TempFile"

# Determine yesterday's rsyslog file name for the firewall
FileToParse=<fw-name>-a-priv.<company>.net-$(date +%m-%d-%Y -d "yesterday").log
echo "Preparing to parse $FileToParse" >>"$LogFile"
echo "Preparing to parse $FileToParse"

# First pass: drop everything on the exclude list (informational/debug %ASA-6 and
# %ASA-7 messages, denies, VPN/IKE chatter and specific message IDs). grep is
# unanchored, so the leading/trailing .* of the original pattern are not needed.
Exclude='ASA-6|ASA-7|Deny|CRYPTO|rancid|711004.*Dispatch Unit|TCP access denied by ACL|No matching connection|Group = |IKE|ARP.*collision|User.*executed|Denied ICMP|type 3, code|Begin configuration|last message repeated|Idle Timeout|SIP Parameter|Accessed URL 69.64.233.141|722012|722033|722041|722037|722051|722032|722028|500004|713904|717037|713257|431001.*Out of range sequence|722034|713201|722010'
grep -v -P "$Exclude" /var/log/remote/full/<fw-name>.<company>.net/"$FileToParse" >"$TempFile"

echo 'finished first log parse' >>"$LogFile"
echo 'finished first log parse'

# Second pass: add back the failed VPN login events, which the first pass
# would otherwise have filtered out
grep 113015 /var/log/remote/full/<fw-name>-a-priv.<company>.net/"$FileToParse" >>"$TempFile"
grep 716039 /var/log/remote/full/<fw-name>-a-priv.<company>.net/"$FileToParse" >>"$TempFile"

echo 'finished second log parse, about to send email' >>"$LogFile"
echo 'finished second log parse, about to send email'

# Email subject
SUBJECT="Daily Syslog Review - Site x"

# Recipient
EMAIL="<me>@<company>.net"

# Send the collected lines as the mail body
/bin/mail -s "$SUBJECT" "$EMAIL" <"$TempFile"

echo "sent mail to $EMAIL with subject $SUBJECT" >>"$LogFile"
echo "sent mail to $EMAIL with subject $SUBJECT"

rm -f "$TempFile"

Author Comment by: RHarper-Ottawa
ID: 38796705
rscottvan,

Thanks for the info! You have a great procedure and I should definitely implement something similar. The reason I am trying to reduce messages at the source is because I am using Splunk Free as my syslog server, and the free version has a 500MB daily limit. With full informational logging on I'm getting about 530MB/day of logs, and I recall I had it around 100MB/day when tweaked.

Also, I think that was the article indeed, although from reading it, it seems obvious why I wasn't getting important messages (106015, 106023 etc.). I'm not sure why I had those excluded.

What syslog software are you using? And what does that script run on?

Thanks again
Expert Comment by: rscottvan
ID: 38797004
Scientific Linux and rsyslog.  So, the server and syslog daemon are open (free).

The script is just a Linux shell script.
Expert Comment by: Sean Hull CCIE 2052
ID: 40387240
Actually, in ASDM, if you click Configure, then the gears to the right of the home syslog page, then click Syslog Servers ("logging destination"), you can change the logging levels for ASDM and your syslog server. By changing the syslog server logging filters you can change the severity to critical or errors, which will reduce the amount of syslog messages.

Enjoy!