> I'd like to fully search on a 'column', a la 'ladder logic' style, as well as have the data presented in an orderly well-defined fashion.

Yes, Splunk.

See: http://www.networkworld.com/reviews/2011/092611-splunk-test-250836.html for a recent Network World test of Splunk which may help.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms@Opus1.COM http://www.opus1.com/jms
Completely agree with splunk for log searching / analysis, even has some ASA/PIX modules.

Please note, unless something has changed that I completely missed, an ASA/PIX will stop forwarding user traffic if it is configured for tcp syslogs and the connection breaks (no more disk, network issue, etc). This is based on the premise that a system cannot be considered secure if the audit trail is unavailable, and tcp syslogging (vs udp) is usually used to make sure you don't miss an entry due to a dropped packet. Something that dates back to the old C2 security standard?? (not sure of the current version). Typically this requires admin intervention (by design) to clear the condition.

If you use udp for syslog the ASA won't be in this mode, and you won't block traffic if syslog fails. With that said, there may be a command I'm unaware of that allows a tcp syslog to fail and not block traffic.

~jdh

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder@Opus1.COM]
Sent: Sunday, November 20, 2011 12:11 AM
To: nanog@nanog.org
Subject: Re: ASA log viewer
> > I'd like to fully search on a 'column', a la 'ladder logic' style, as well as have the data presented in an orderly well-defined fashion.
>
> Yes, Splunk.
>
> See: http://www.networkworld.com/reviews/2011/092611-splunk-test-250836.html for a recent Network World test of Splunk which may help.
>
> jms
>
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Senior Partner, Opus One Phone: +1 520 324 0494
> jms@Opus1.COM http://www.opus1.com/jms
The logging host command enables a secure connection via TLS, and to configure use of a TCP port for logging. e.g., `interface_name syslog_ip [tcp/port] [emblem format] [secure]`

Also, when you do a `sho log`, do you have the following set?

    Deny Conn when Queue Full: disabled

On November 20, 2011 at 7:42 AM Joe Happe <Joe.Happe@archlearning.com> wrote:
> Completely agree with splunk for log searching / analysis, even has some ASA/PIX modules.
>
> Please note, unless something has changed that I completely missed, an ASA/PIX will stop forwarding user traffic if it is configured for tcp syslogs and the connection breaks (no more disk, network issue, etc). This is based on the premise that a system cannot be considered secure if the audit trail is unavailable, and tcp syslogging (vs udp) is usually used to make sure you don't miss an entry due to a dropped packet. Something that dates back to the old C2 security standard?? (not sure of the current version). Typically this requires admin intervention (by design) to clear the condition.
>
> If you use udp for syslog the ASA won't be in this mode, and you won't block traffic if syslog fails. With that said, there may be a command I'm unaware of that allows a tcp syslog to fail and not block traffic.
>
> ~jdh
>
> -----Original Message-----
> From: Joel M Snyder [mailto:Joel.Snyder@Opus1.COM]
> Sent: Sunday, November 20, 2011 12:11 AM
> To: nanog@nanog.org
> Subject: Re: ASA log viewer
>
> > I'd like to fully search on a 'column', a la 'ladder logic' style, as well as have the data presented in an orderly well-defined fashion.
>
> Yes, Splunk.
>
> See: http://www.networkworld.com/reviews/2011/092611-splunk-test-250836.html
> for a recent Network World test of Splunk which may help.
>
> jms
>
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Senior Partner, Opus One Phone: +1 520 324 0494
> jms@Opus1.COM http://www.opus1.com/jms
I think it was ASA 8.3 that began to provide an option to NOT cease functionality when tcp syslog server was unreachable. In ASDM, it is a checkbox at the bottom of the logging servers config section.

Sent from my iPhone

On Nov 20, 2011, at 7:43, Joe Happe <Joe.Happe@archlearning.com> wrote:

> Completely agree with splunk for log searching / analysis, even has some ASA/PIX modules.
>
> Please note, unless something has changed that I completely missed, an ASA/PIX will stop forwarding user traffic if it is configured for tcp syslogs and the connection breaks (no more disk, network issue, etc). This is based on the premise that a system cannot be considered secure if the audit trail is unavailable, and tcp syslogging (vs udp) is usually used to make sure you don't miss an entry due to a dropped packet. Something that dates back to the old C2 security standard?? (not sure of the current version). Typically this requires admin intervention (by design) to clear the condition.
>
> If you use udp for syslog the ASA won't be in this mode, and you won't block traffic if syslog fails. With that said, there may be a command I'm unaware of that allows a tcp syslog to fail and not block traffic.
>
> ~jdh
On Sun, Nov 20, 2011 at 6:42 AM, Joe Happe <Joe.Happe@archlearning.com> wrote:

> udp for syslog the ASA won't be in this mode, and you won't block traffic if syslog fails. With that said, there may be a command I'm unaware of that allows a tcp syslog to fail and not block traffic.

Yes. `logging permit-hostdown`

However, if you don't need to refuse connections when TCP syslog fails, then you don't need 100% of your syslog messages, you should use UDP syslog for performance.

TCP just makes sure you will get all syslog messages between time A and time B or none of them. If there are WAN issues, there are many cases where one would prefer SOME syslog messages, with an understanding that the network bottleneck means messages are being lost, rather than few/no syslog messages to help debug the issue

--
-JH
I guess this depends on how aggressive the TCP reconnection algorithm is vs. the packet loss of UDP...

On the other hand, does ASA support "buffering" of syslog messages while TCP is down? I believe on some IOS platforms, with the right syslog options, it has the capability of queuing and delivering syslog messages generated during a period of network outage once the syslog session is re-established. Does ASA do this, or discard them?

Now on the other hand, never route two ASAs to one another (IE: summary route design). They don't decrement TTL by default. I had one case where a loopy route got installed and the traffic just kept ping-ponging back and forth maxing the port. The brutal part was not the pegged port, but rather the many megabits of udp syslog that resulted that the WAN link couldn't handle. `decrement-ttl` and `logging rate-limit` are now on as a result. On the other hand, TCP syslog would have handled it much better without a denial of service condition.

On Sun, Nov 20, 2011 at 3:33 PM, Jimmy Hess <mysidia@gmail.com> wrote:

> On Sun, Nov 20, 2011 at 6:42 AM, Joe Happe <Joe.Happe@archlearning.com> wrote:
>
> > udp for syslog the ASA won't be in this mode, and you won't block traffic if syslog fails. With that said, there may be a command I'm unaware of that allows a tcp syslog to fail and not block traffic.
>
> Yes. `logging permit-hostdown`
>
> However, if you don't need to refuse connections when TCP syslog fails, then you don't need 100% of your syslog messages, you should use UDP syslog for performance.
>
> TCP just makes sure you will get all syslog messages between time A and time B or none of them. If there are WAN issues, there are many cases where one would prefer SOME syslog messages, with an understanding that the network bottleneck means messages are being lost, rather than few/no syslog messages to help debug the issue
>
> --
> -JH
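The two questions in the last couple of messages (Jimmy's "block new connections vs. drop log lines" choice, and PC's "does it buffer while TCP is down?") come down to what a log sender can actually observe about its collector. The following is an added example, not Cisco code and not a description of what an ASA does internally: a small Python model of a syslog sender with a UDP transport and a TCP transport, where the TCP transport implements either a blocking policy (refuse new work while the audit trail is unreachable, the default behaviour Joe describes) or a permit-hostdown style policy that keeps working and buffers a bounded backlog for replay once the collector is back. The port number, the message text and the collector on 127.0.0.1 are constructed for the demonstration.

```python
import socket
import time
from collections import deque


def format_syslog(facility: int, severity: int, host: str, tag: str, text: str) -> bytes:
    """Build an RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: MSG, PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    ts = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {host} {tag}: {text}\n".encode()


class UdpSyslog:
    """Fire-and-forget transport: sendto() succeeds whether or not a collector is listening."""

    def __init__(self, addr):
        self.addr = addr
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(self, line: bytes) -> str:
        self.sock.sendto(line, self.addr)
        return "sent"  # no way to know whether it arrived


class TcpSyslog:
    """Connection-oriented transport: a dead collector shows up as a failed connect/send.

    policy="block": report 'blocked' so the caller refuses the event (audit trail lost).
    policy="permit-hostdown": keep going, buffer up to maxlen lines, replay on reconnect.
    """

    def __init__(self, addr, policy="block", maxlen=1000, timeout=0.5):
        self.addr, self.policy, self.timeout = addr, policy, timeout
        self.sock = None
        self.backlog = deque(maxlen=maxlen)  # oldest line is evicted when full
        self.dropped = 0

    def _connect(self) -> bool:
        if self.sock is not None:
            return True
        try:
            self.sock = socket.create_connection(self.addr, timeout=self.timeout)
            return True
        except OSError:
            self.sock = None
            return False

    def send(self, line: bytes) -> str:
        if self._connect():
            try:
                while self.backlog:  # replay anything queued during the outage first
                    self.sock.sendall(self.backlog[0])
                    self.backlog.popleft()
                self.sock.sendall(line)
                return "sent"
            except OSError:
                self.sock.close()
                self.sock = None
        # Collector unreachable: apply the configured policy.
        if self.policy == "block":
            return "blocked"
        if len(self.backlog) == self.backlog.maxlen:
            self.dropped += 1  # bounded buffer: the oldest queued line is lost
        self.backlog.append(line)
        return "queued"


def unused_port() -> int:
    """Pick a local TCP port that nothing is listening on (constructed for the demo)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo() -> dict:
    """Exercise both transports against a collector that is down, then bring it up."""
    port = unused_port()
    addr = ("127.0.0.1", port)
    line = format_syslog(20, 6, "fw-edge", "fw", "constructed sample event")
    udp, blocking = UdpSyslog(addr), TcpSyslog(addr, policy="block")
    lenient = TcpSyslog(addr, policy="permit-hostdown", maxlen=2)
    out = {
        "udp_collector_down": udp.send(line),
        "tcp_block_collector_down": blocking.send(line),
        "tcp_hostdown_collector_down": [lenient.send(line) for _ in range(3)],
    }
    out["tcp_hostdown_dropped"] = lenient.dropped
    # Collector comes back: the next send reconnects and replays the surviving backlog.
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(addr)
    srv.listen(1)
    out["tcp_hostdown_after_recovery"] = lenient.send(line)
    conn, _ = srv.accept()
    conn.settimeout(2)
    data = b""
    while data.count(b"\n") < 3:
        data += conn.recv(4096)
    out["lines_received"] = data.count(b"\n")
    for s in (conn, srv, lenient.sock, udp.sock):
        s.close()
    return out


if __name__ == "__main__":
    print(run_demo())
```

The UDP sender reports success even though nobody is listening, which is exactly why Joe's "audit trail unavailable" condition cannot be detected on UDP and why Jimmy says UDP is the right choice only when you can live without a complete log. The permit-hostdown variant shows the cost of the other choice: with a bounded backlog, lines are still lost once the outage outlasts the buffer, so the buffer size and a `logging rate-limit` style cap both need to be sized against the expected burst, not just the steady-state rate.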
On Sun, Nov 20, 2011 at 17:33, Jimmy Hess <mysidia@gmail.com> wrote:

> Yes. `logging permit-hostdown`
>
> However, if you don't need to refuse connections when TCP syslog fails, then you don't need 100% of your syslog messages, you should use UDP syslog for performance.
>
> TCP just makes sure you will get all syslog messages between time A and time B or none of them. If there are WAN issues, there are many cases where one would prefer SOME syslog messages, with an understanding that the network bottleneck means messages are being lost, rather than few/no syslog messages to help debug the issue
>
> --
> -JH

Except you can't do syslog via TLS with UDP. :-/

--
Duane Toler
detoler@gmail.com
participants (6)

- Duane Toler
- Jimmy Hess
- jjanusze@wd-tek.com
- Joe Happe
- Joel M Snyder
- PC