[146705] in North American Network Operators' Group
Re: ASA log viewer
Sun Nov 20 14:49:42 2011
From: Duane Toler <detoler@gmail.com>
In-Reply-To: <B3EFDDF4FEB4EA4B860629A6EAB0A7B705632E27@SIDFWCRPMBX002.us.si.lan>
Date: Sun, 20 Nov 2011 14:48:17 -0500
To: Joe Happe <Joe.Happe@archlearning.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
I think it was ASA 8.3 that began to provide an option to NOT cease
functionality when tcp syslog server was unreachable. In ASDM, it is a
checkbox at the bottom of the logging servers config section.
Sent from my iPhone
On Nov 20, 2011, at 7:43, Joe Happe <Joe.Happe@archlearning.com> wrote:
> Completely agree with splunk for log searching / analysis, even has some
> ASA/PIX modules. Please note, unless something has changed that I completely
> missed, an ASA/PIX will stop forwarding user traffic if it is configured for
> tcp syslogs and the connection breaks. (no more disk, network issue, etc)
> This is based on the premise that a system cannot be considered secure if
> the audit trail is unavailable, and tcp syslogging (vs udp) is usually used
> to make sure you don't miss an entry due to a dropped packet. Something that
> dates back to the old C2 security standard?? (not sure of the current
> version). Typically this requires admin intervention (by design) to clear
> the condition. If you use udp for syslog the ASA won't be in this mode, and
> you won't block traffic if syslog fails. With that said, there may be a
> command I'm unaware of that allows a tcp syslog to fail and not block
> traffic.
>
> ~jdh
>
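The fail-closed behaviour discussed in this thread (TCP syslog host unreachable, ASA stops passing new traffic) can be audited from a saved running-config before the outage happens. This is an added example, not code from the thread; it assumes the ASA `logging host <iface> <ip> [tcp|udp][/port]` syntax and that the ASDM checkbox mentioned above corresponds to the `logging permit-hostdown` CLI keyword, and the sample config is constructed.

```python
import re

# Constructed sample running-config: one TCP and one UDP syslog host and no
# "logging permit-hostdown" line, i.e. the fail-closed combination from the thread.
SAMPLE_CONFIG = """\
hostname fw-edge
logging enable
logging trap informational
logging host inside 10.10.20.5 tcp/1470
logging host inside 10.10.20.6
"""

# ASA syntax: logging host <iface> <ip> [tcp|udp][/port]; proto and port are optional.
HOST_RE = re.compile(
    r"^logging host (?P<iface>\S+) (?P<ip>\S+)(?: (?P<proto>tcp|udp)(?:/(?P<port>\d+))?)?",
    re.IGNORECASE,
)

def parse_syslog_hosts(config):
    """Return each 'logging host' entry; ASA defaults are udp/514 and tcp/1470."""
    hosts = []
    for line in config.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            proto = (m.group("proto") or "udp").lower()
            port = m.group("port") or ("1470" if proto == "tcp" else "514")
            hosts.append({"iface": m.group("iface"), "ip": m.group("ip"),
                          "proto": proto, "port": port})
    return hosts

def audit_tcp_syslog(config):
    """Flag TCP syslog hosts whose outage would make the ASA stop passing new traffic.
    Fires only when a TCP host exists and 'logging permit-hostdown' is absent;
    UDP hosts never trigger the blocking behaviour described in the thread."""
    permit_hostdown = any(ln.strip().lower() == "logging permit-hostdown"
                          for ln in config.splitlines())
    findings = []
    for h in parse_syslog_hosts(config):
        if h["proto"] == "tcp" and not permit_hostdown:
            findings.append(
                f"{h['ip']} tcp/{h['port']} via {h['iface']}: TCP syslog without "
                "'logging permit-hostdown'; new connections are blocked if this "
                "collector becomes unreachable")
    return findings

if __name__ == "__main__":
    for finding in audit_tcp_syslog(SAMPLE_CONFIG):
        print("RISK:", finding)
```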