RHarper-Ottawa
Fine-tuning cisco syslog messages generated by Cisco ASAs

Hello,

I have been desperately trying to find the Cisco article, but back when ASA v8.2 was around, I found an article written by Cisco which outlined the most common syslog messages and which ones were safe to disable ("no logging message ..."). It was really great at explaining the common messages and the ones that were not technically duplicates but essentially the same. With that article I had safely disabled the following:

no logging message 106015
no logging message 313001
no logging message 313008
no logging message 419002
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020

So we upgraded to 8.4 after getting the required RAM upgrade, and found out that we were getting practically no syslog messages at all. I had to remove these lines and am back with full informational logging. I really liked the number of messages generated before, as it was enough to manage. Without those messages removed I'm getting about 600MB of logs per day, which is too much.

I know there must be a Cisco expert out there who has experience with tuning these! I really wish I could find that old article again... I suppose I could try looking up each syslog message in the 8.2 document and finding the comparable one in 8.4+.
ASKER CERTIFIED SOLUTION
rscottvan

RHarper-Ottawa (ASKER)

rscottvan,

Thanks for the info! You have a great procedure and I should definitely implement something similar. The reason I am trying to reduce messages at the source is because I am using Splunk Free as my syslog server, and the free version has a 500MB daily limit. With full informational logging on I'm getting about 530MB/day of logs, and I recall I had it around 100MB/day when tweaked.

Also, I think that was the article indeed, although from reading it, it seems obvious why I wasn't getting important messages (106015, 106023, etc.). I'm not sure why I had those excluded.

What syslog software are you using? And what does that script run on?

Thanks again
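A way to see which message IDs actually dominate the volume before deciding what to put behind `no logging message`, as an added example that is not from the original thread or from Cisco: it tallies bytes per ASA message ID over constructed sample lines (RFC 5737 documentation addresses), keeps 106015/106023 (the deny messages the asker says matter) and anything below informational severity off the candidate list (an assumed policy for this example), and picks the noisiest remaining IDs until the projected volume fits a target fraction, here 500/530 for the Splunk Free limit against the ~530MB/day reported.

```python
import re
# Message IDs the asker says matter (the deny messages); never suggest suppressing them.
KEEP = {"106015", "106023"}
# Assumed policy for this example: severity 0-4 (emergency..warning) is never a candidate.
MIN_SUPPRESSIBLE_SEVERITY = 5
ASA_RE = re.compile(r"%ASA-(\d)-(\d{6}):")
# Constructed sample lines using RFC 5737 documentation addresses, not from the thread.
SAMPLE_LOGS = (
    ["%ASA-6-302013: Built inbound TCP connection 1 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:10.0.0.5/443 (203.0.113.2/443)"] * 40
    + ["%ASA-6-302014: Teardown TCP connection 1 for outside:198.51.100.7/51234 to inside:10.0.0.5/443 duration 0:00:02 bytes 1532 TCP FINs"] * 40
    + ["%ASA-6-302015: Built inbound UDP connection 2 for outside:198.51.100.7/53 (198.51.100.7/53) to inside:10.0.0.5/53 (203.0.113.2/53)"] * 10
    + ["%ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.5/22 by access-group \"outside_in\" [0x0, 0x0]"] * 5
    + ["%ASA-6-106015: Deny TCP (no connection) from 198.51.100.9/4444 to 10.0.0.5/80 flags RST on interface outside"] * 3
    + ["%ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/51234 to outside:203.0.113.2/51234"] * 20
)

def parse_asa(line):
    """Return (severity, message_id) for an ASA syslog line, or None if it is not one."""
    m = ASA_RE.search(line)
    return (int(m.group(1)), m.group(2)) if m else None

def tally(lines):
    """Aggregate severity, line count and byte volume per message ID."""
    stats = {}
    for line in lines:
        parsed = parse_asa(line)
        if parsed is None:
            continue
        sev, msg_id = parsed
        e = stats.setdefault(msg_id, {"sev": sev, "count": 0, "bytes": 0})
        e["count"] += 1
        e["bytes"] += len(line.encode()) + 1  # +1 for the newline on disk
    return stats

def suggest_suppressions(stats, target_fraction):
    """Noisiest suppressible IDs, in order, until remaining volume <= target_fraction of total."""
    total = sum(e["bytes"] for e in stats.values())
    remaining, chosen = total, []
    for msg_id, e in sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        if remaining <= total * target_fraction:
            break
        if msg_id in KEEP or e["sev"] < MIN_SUPPRESSIBLE_SEVERITY:
            continue  # protected: security-relevant or too severe to drop
        chosen.append(msg_id)
        remaining -= e["bytes"]
    return chosen

if __name__ == "__main__":
    for msg_id in suggest_suppressions(tally(SAMPLE_LOGS), 500 / 530):
        print(f"no logging message {msg_id}")
```

On real data, feed it a day of the syslog server's file instead of SAMPLE_LOGS and review the suggested IDs against the message reference before applying them, since byte share alone says nothing about a message's security value.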

Scientific Linux and rsyslog. So, the server and syslog daemon are open (free).

The script is just a Linux shell script.

Actually, in ASDM, if you click on Configure, then the gears to the right of the home syslog page, then click on Syslog Servers ("logging destination"), you can change the logging levels to ASDM and your syslog server. By changing the syslog server logging filters you can change the severity to critical or errors, which will reduce the amount of syslog messages.

Enjoy!