I am trying to see if the Cisco Security Suite will provide benefit in using the following logging levels or if they can be disabled:
logging buffered informational
logging trap informational
logging history informational
logging asdm informational
Ultimately, we are trying to tailor our logging to fit Splunk and I am trying to see what the best logging configuration is for the ASAs in our environment to be set at to provide the best visibility. It sounds like not necessarily everything needs to be enabled though. Where do I find this information?
So for an ASA sending data to Splunk the only one of those destinations that matters is "trap". The logging to buffered, or history, or asdm does not go to syslog and then to Splunk. A better question is whether you should be logging at 'informational' or 'debug'. In most ASA setups, you really need the 'debug' level logging in order to get the (highly highly highly) verbose connection opened / closed logs. Otherwise you may only get denies - which are maybe not as useful.
Are you saying use this setup for ASAs in order to get the most useful information? Normally on other systems I refrain from debug except when troubleshooting due to the extreme volume of logs that are created. Is that true with Cisco? I have concerns about overrunning my 50 GB per day quota. We have two 5585s on a 200MB per second MOE circuit.
Send Debug Log Messages to a Syslog Server
For advanced troubleshooting, feature/protocol specific debug logs are required. By default, these log messages are displayed on terminal (SSH/Telnet). Dependent on the type of debug, and the rate of debug messages generated, use of the CLI might prove difficult if debugs are enabled. Optionally, debug messages can be redirected to the syslog process and generated as syslogs. These syslogs can be sent to any syslog destination as would any other syslog. In order to divert debugs to syslogs, enter the logging debug-trace command. This configuration sends debug output, as syslogs, to a syslog server.
logging trap debugging
logging host inside 172.22.1.5
So the thing you'll get from an ASA in debug mode is per-connection open and close events. These look like this:
Dec 11 08:01:31 <IP> %ASA-6-302013: Built outbound TCP connection 447236 for outside:KAV_Update_Server/<port> (KAV_Update_Server/<port>) to dmz:OCSP_Server/<port> (OCSP_Server/<port>)
Dec 11 08:01:31 <IP> %ASA-6-302013: Built outbound TCP connection 447236 for outside:KAV_Update_Server/<port> (KAV_Update_Server/<port>) to dmz:OCSP_Server/<port> (OCSP_Server/<port>)
Dec 11 08:01:31 <IP> %ASA-6-302014: Teardown TCP connection 447236 for outside:KAV_Update_Server/<port> to dmz:OCSP_Server/<port> duration 0:00:00 bytes 14804 TCP FINs
Dec 11 08:01:38 <IP> %ASA-6-302014: Teardown TCP connection 447234 for outside:KAV_Update_Server/<port> to dmz:TSP_Server/<port> duration 0:01:08 bytes 134781 TCP FINs
Dec 11 08:01:38 <IP> %ASA-6-302014: Teardown TCP connection 447234 for outside:KAV_Update_Server/<port> to dmz:TSP_Server/<port> duration 0:01:08 bytes 134781 TCP FINs
And some others - these are just examples. But, the point being, for forensic purposes these logs are invaluable. But, they do take up a lot of license quota - because of their verbosity and getting two events minimum for every connection through the firewall. The original question asked about the "best" logging level for ASAs, and I took that to mean "the one that provides the most useful forensic details available".
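To make the forensic value (and the volume) of the 302013/302014 pair concrete, here is an added example that is not part of the thread: a small Python parser that reads ASA syslog lines of the shape shown above, joins each "Built" event to its "Teardown" by connection ID, and tallies how many messages of each ID (and severity, the digit between `%ASA-` and the message ID) arrived. The sample lines are constructed for this example, with a made-up firewall IP and port numbers standing in for the `<IP>`/`<port>` placeholders; the third line is a teardown whose Built event was never collected, which the code reports as an orphan rather than dropping it silently.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not from the thread). Same shape as the 302013/302014
# events quoted above; 10.0.0.1 and the port numbers are made up. The 447234
# teardown has no matching Built line, as happens when collection starts after
# the connection was opened. The 106015 line shows a non-connection message ID.
SAMPLE_LOG = """\
Dec 11 08:01:31 10.0.0.1 %ASA-6-302013: Built outbound TCP connection 447236 for outside:KAV_Update_Server/51122 (KAV_Update_Server/51122) to dmz:OCSP_Server/80 (OCSP_Server/80)
Dec 11 08:01:31 10.0.0.1 %ASA-6-302014: Teardown TCP connection 447236 for outside:KAV_Update_Server/51122 to dmz:OCSP_Server/80 duration 0:00:00 bytes 14804 TCP FINs
Dec 11 08:01:38 10.0.0.1 %ASA-6-302014: Teardown TCP connection 447234 for outside:KAV_Update_Server/51090 to dmz:TSP_Server/443 duration 0:01:08 bytes 134781 TCP FINs
Dec 11 08:01:39 10.0.0.1 %ASA-6-106015: Deny TCP (no connection) from 10.1.1.9/1234 to 10.2.2.2/80 flags RST on interface inside
"""

# %ASA-<severity>-<message id>: <body>
HEADER_RE = re.compile(r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$")

BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_zone>[^:]+):(?P<src_host>[^/]+)/(?P<src_port>\S+) \([^)]*\) "
    r"to (?P<dst_zone>[^:]+):(?P<dst_host>[^/]+)/(?P<dst_port>\S+) \([^)]*\)"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_zone>[^:]+):(?P<src_host>[^/]+)/(?P<src_port>\S+) "
    r"to (?P<dst_zone>[^:]+):(?P<dst_host>[^/]+)/(?P<dst_port>\S+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)


def duration_seconds(text: str) -> int:
    """Convert the ASA h:mm:ss duration field to whole seconds."""
    h, m, s = (int(p) for p in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line: str) -> Optional[dict]:
    """Return a dict for a 302013 (Built) or 302014 (Teardown) event, None otherwise."""
    head = HEADER_RE.search(line)
    if not head:
        return None
    event = {"severity": int(head["severity"]), "msg_id": head["msg_id"],
             "timestamp": line[:15]}  # "Dec 11 08:01:31" prefix
    if head["msg_id"] == "302013":
        m = BUILT_RE.match(head["body"])
        if not m:
            return None
        event.update(m.groupdict(), kind="built")
    elif head["msg_id"] == "302014":
        m = TEARDOWN_RE.match(head["body"])
        if not m:
            return None
        event.update(m.groupdict(), kind="teardown",
                     duration_s=duration_seconds(m["duration"]), bytes=int(m["bytes"]))
    else:
        return None
    return event


def pair_connections(lines: List[str]) -> Tuple[Dict[str, dict], List[dict]]:
    """Join Built/Teardown pairs by connection ID.

    Returns (sessions, orphan_teardowns). sessions is keyed by conn_id and holds
    open/close times, endpoints, byte count, duration and teardown reason;
    orphans are teardowns whose Built event was not in the input.
    """
    sessions: Dict[str, dict] = {}
    orphans: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cid = ev["conn_id"]
        if ev["kind"] == "built":
            sessions[cid] = {
                "opened": ev["timestamp"], "direction": ev["direction"],
                "src": f'{ev["src_zone"]}:{ev["src_host"]}/{ev["src_port"]}',
                "dst": f'{ev["dst_zone"]}:{ev["dst_host"]}/{ev["dst_port"]}',
                "closed": None, "bytes": None, "duration_s": None, "reason": None,
            }
        elif cid in sessions:
            sessions[cid].update(closed=ev["timestamp"], bytes=ev["bytes"],
                                 duration_s=ev["duration_s"], reason=ev["reason"])
        else:
            orphans.append(ev)
    return sessions, orphans


def count_by_message_id(lines: List[str]) -> Dict[str, int]:
    """Tally every ASA message ID (with its severity) to see which ones dominate volume."""
    counts: Dict[str, int] = {}
    for line in lines:
        head = HEADER_RE.search(line)
        if head:
            key = f'{head["msg_id"]}(sev {head["severity"]})'
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    sessions, orphans = pair_connections(lines)
    for cid, s in sessions.items():
        print(cid, s)
    print("orphan teardowns:", [o["conn_id"] for o in orphans])
    print(count_by_message_id(lines))
```

Two caveats when running this over real exports: the ASA reuses connection IDs over time, so pair a Teardown only with the most recent Built for that ID rather than with any earlier one, and the tally function is the quick way to find out which message IDs are actually consuming your daily quota before deciding what to filter at the forwarder.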