topic SYS logging an ASA in Splunk Search

SYS logging an ASA

bazcurtis — Tue, 12 Jul 2011 18:28:57 GMT

Hi,

I have installed the Cisco Security suite and Cisco Firewall apps. I have setup UDP port 514 and told the ASA to send the logs to the Splunk server, but I see no data. What have I missed that I have no ASA data in Splunk?

Any help would be most welcome.

Best wishes

Michael

Re: SYS logging an ASA

dwaddle — Tue, 12 Jul 2011 20:06:44 GMT

You could be having firewall issues, if your host running Splunk is also running a firewall (iptables / Windows Defender / etc). You need to make sure UDP:514 is open on your Splunk indexer from a firewall perspective. Also check the output of netstat to make sure that Splunk is listening on port 514. (You did restart Splunk didn't you?)

If this doesn't work out, please update your question with output of show logging on the ASA, as well as your Splunk inputs.conf file and someone will be able to further assist. The easiest way of getting the inputs.conf would be to do a splunk cmd btool --debug inputs list.

Re: SYS logging an ASA

bazcurtis — Mon, 18 Jul 2011 17:02:42 GMT

Hi,

Thanks for replying. I deleted the 514 udp port, restarted and then remade the 514 from within Splunk Cisco Firewalls.

I now have data coming into Splunk. What is the best level of logging to set on ASA. Is Information enough? I understand I could generate huge amounts of logs if I wanted to, but what level do most people think is a balance?

Best wishes

Michael

Re: SYS logging an ASA

dwaddle — Mon, 18 Jul 2011 20:20:20 GMT

We run our ASA's in DEBUG logging because that is where the various connection opened / closed messages are logged. And, yes, it does generate substantial data. All of our firewalls (not all splunked at this time unfortunately) generate nearly 10GB/day of logs.