mshaikh22


Cisco ASA logging unusual logs to the Kiwi Syslog Server

Hi Experts,

I keep getting the following messages on the Kiwi syslog server from the Cisco ASA firewall. I am trying to figure out why these are being generated and how I can get more clarity on them.

11-30-2017      10:42:42      Local4.Warning      10.x.x.x      Nov 30 2017 15:42:42 ciscoasa : %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 2 per second, max configured rate is 8; Current average rate is 20 per second, max configured rate is 4; Cumulative total count is 74899


This is my current config

FW# show run | i log
logging enable
logging timestamp
logging buffer-size 500000
logging buffered debugging
logging trap notifications
logging asdm informational
logging device-id hostname
logging host inside 10.x.x.2
logging host inside 10.x.x.26
logging permit-hostdown
logging class config buffered debugging

FW# show run all threat-detection
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ASKER CERTIFIED SOLUTION
max_the_king

mshaikh22

ASKER

Thank you, Max. Should I be concerned?
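
The %ASA-4-733100 message and the threat-detection configuration posted in the question can be read against each other. The following is an added example, not part of the original thread: it parses the message, finds the configured rate whose thresholds equal the message's "max configured rate" values, and reports which threshold was crossed. Matching by threshold values alone is an assumption of this example, and the function names are hypothetical.

```python
import re

# Message and three config lines copied from the question above.
SYSLOG = ("%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 2 per second, "
          "max configured rate is 8; Current average rate is 20 per second, "
          "max configured rate is 4; Cumulative total count is 74899")
CONFIG = """\
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
"""

MSG_RE = re.compile(
    r"%ASA-4-733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)")
CFG_RE = re.compile(
    r"^threat-detection rate (?P<kind>\S+) rate-interval (?P<interval>\d+) "
    r"average-rate (?P<avg_max>\d+) burst-rate (?P<burst_max>\d+)[ \t]*$", re.M)

def parse_733100(line):
    """Return the fields of a 733100 message as a dict, or None if the line is not one."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return {k: (v if k == "obj" else int(v)) for k, v in m.groupdict().items()}

def matching_config(event, config_text):
    """Config lines whose thresholds equal the event's 'max configured rate' values.
    Assumption: matching on values only; two drop types with equal thresholds would both match."""
    return [m.group(0) for m in CFG_RE.finditer(config_text)
            if int(m["avg_max"]) == event["avg_max"]
            and int(m["burst_max"]) == event["burst_max"]]

def exceeded(event):
    """Names of the thresholds the current rates are above."""
    out = []
    if event["burst"] > event["burst_max"]:
        out.append("burst")
    if event["avg"] > event["avg_max"]:
        out.append("average")
    return out

if __name__ == "__main__":
    ev = parse_733100(SYSLOG)
    print(ev["obj"], "rate-%d" % ev["rate_id"], "exceeded:", exceeded(ev))
    for line in matching_config(ev, CONFIG):
        print("configured by:", line)
```

For the message in the question, the thresholds 8 and 4 match the scanning-threat line with rate-interval 3600, and only the average rate (20 against 4) is above its limit.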