I'd like some help getting syslog from a Cisco ASA 5555-X to a Graylog 3.2.1 syslog server. With the configuration below, I can see plenty of messages in the buffer with the show logging command.
logging enable
logging timestamp
logging emblem
logging buffer-size 52428800
logging buffered informational
logging trap informational
logging asdm debugging
logging device-id hostname
logging host INTERFACE 172.23.35.40 17/1514
logging permit-hostdown
But not on my syslog server. For example, I cannot see the following:
<164>:Mar 25 13:57:05 CEST: %ASA-session-4-106023: Deny udp src UTB:172.22.44.54/51156 dst outside:216.58.207.226/443 by access-group "UTB_access_in" [0x0, 0x0]
<164>:Mar 25 13:57:05 CEST: %ASA-session-4-106023: Deny udp src UTB:172.22.36.51/59611 dst outside:172.217.21.142/443 by access-group "UTB_access_in" [0x0, 0x0]
<164>:Mar 25 13:57:05 CEST: %ASA-session-4-106023: Deny udp src UTB:172.22.44.54/60177 dst outside:172.217.21.130/443 by access-group "UTB_access_in" [0x0, 0x0]
<164>:Mar 25 13:57:05 CEST: %ASA-session-4-106023: Deny udp src UTB:172.22.37.45/60442 dst outside:217.115.45.205/443 by access-group "UTB_access_in" [0x0, 0x0]
<164>:Mar 25 13:57:05 CEST: %ASA-session-4-106023: Deny udp src UTB:172.22.41.83/61641 dst outside:216.58.207.200/443 by access-group "UTB_access_in" [0x0, 0x0]
<164>:Mar 25 13:57:05 CEST: %ASA--4-434002: SFR requested to drop TCP packet from outside:23.21.154.58/443 to GUEST:X.X.X.X/37703
<164>:Mar 25 13:57:05 CEST: %ASA--4-434002: SFR requested to drop TCP packet from outside:23.21.154.58/443 to GUEST:X.X.X.X/37703
<164>:Mar 25 13:57:44 CEST: %ASA--4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 39 per second, max configured rate is 10; Current average rate is 65 per second, max configured rate is 5; Cumulative total count is 39313
For example, I only see the following on my syslog server:
Mar 25 2020 13:57:44 ASA-INET : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 39 per second, max configured rate is 10; Current average rate is 65 per second, max configured rate is 5; Cumulative total count is 39313
So what about all the other 106023 and 434002 syslog messages? Is it not possible to send those syslog messages to the syslog server, or is this related to my Graylog server?
I ran a tcpdump between my firewall and the Graylog server, and it seems that not all of the syslog messages are hitting the firewall; how come? I'm using informational for both trap and buffered, but they are different.
root@graylog01:/etc/elasticsearch# tcpdump -i ens32 port 1514 -v
tcpdump: listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
12:21:55.746278 IP (tos 0x0, ttl 254, id 23460, offset 0, flags [none], proto UDP (17), length 279)
172.28.30.6.syslog > graylog01.1514: SYSLOG, length: 251
Facility local4 (20), Severity warning (4)
Msg: Mar 26 2020 13:21:55 ASA-INET : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 39 per second, max configured rate is 10; Current average rate is 78 per second, max configured rate is 5; Cumulative total count is 47104\0x0a
12:22:05.377095 IP (tos 0x0, ttl 254, id 13258, offset 0, flags [none], proto UDP (17), length 189)
172.28.30.6.syslog > graylog01.1514: SYSLOG, length: 161
Facility local4 (20), Severity notice (5)
Msg: Mar 26 2020 13:22:05 ASA-INET : %ASA-5-737003: IPAA: Session=0x0fd2c000, DHCP configured, no viable servers found for tunnel-group 'SSLVPN-Tunnelgroup'\0x0a
12:22:05.377164 IP (tos 0x0, ttl 254, id 1287, offset 0, flags [none], proto UDP (17), length 156)
172.28.30.6.syslog > graylog01.1514: SYSLOG, length: 128
Facility local4 (20), Severity info (6)
Msg: Mar 26 2020 13:22:05 ASA-INET : %ASA-6-737026: IPAA: Session=0x0fd2c000, Client assigned 172.21.11.211 from local pool\0x0a
12:22:05.377168 IP (tos 0x0, ttl 254, id 16293, offset 0, flags [none], proto UDP (17), length 177)
172.28.30.6.syslog > graylog01.1514: SYSLOG, length: 149
Facility local4 (20), Severity info (6)
Msg: Mar 26 2020 13:22:05 ASA-INET : %ASA-6-737006: IPAA: Session=0x0fd2c000, Local pool request succeeded for tunnel-group 'SSLVPN-Tunnelgroup'\0x0a
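When comparing what the ASA buffer holds against what the collector actually receives, it helps to parse both formats into the same fields (PRI, facility, severity, message class, message ID) and diff the message-ID sets. The script below is an added example, not code from the post or from Graylog; its sample lines are constructed from the buffer output and the tcpdump capture above (the `<PRI>` prefix on the received lines is rebuilt from tcpdump's facility/severity decode, e.g. local4 + warning = 20*8+4 = 164), and the `trap_level` of 6 corresponds to `logging trap informational`.

```python
import re
from collections import Counter

# Sample input, constructed for this example and modelled on the post: the first
# list mimics 'show logging' buffer output (logging emblem format, <PRI>: prefix),
# the second mimics the syslog payloads seen in the tcpdump capture, with the
# <PRI> prefix rebuilt from tcpdump's "Facility local4 (20), Severity ..." decode.
BUFFER_LINES = [
    '<164>:Mar 25 13:57:05 CEST: %ASA-session-4-106023: Deny udp src UTB:172.22.44.54/51156 '
    'dst outside:216.58.207.226/443 by access-group "UTB_access_in" [0x0, 0x0]',
    '<164>:Mar 25 13:57:05 CEST: %ASA-session-4-106023: Deny udp src UTB:172.22.36.51/59611 '
    'dst outside:172.217.21.142/443 by access-group "UTB_access_in" [0x0, 0x0]',
    '<164>:Mar 25 13:57:05 CEST: %ASA--4-434002: SFR requested to drop TCP packet '
    'from outside:23.21.154.58/443 to GUEST:X.X.X.X/37703',
    '<164>:Mar 25 13:57:44 CEST: %ASA--4-733100: [ Scanning] drop rate-1 exceeded. '
    'Current burst rate is 39 per second, max configured rate is 10',
]
RECEIVED_LINES = [
    '<164>Mar 26 2020 13:21:55 ASA-INET : %ASA-4-733100: [ Scanning] drop rate-1 exceeded. '
    'Current burst rate is 39 per second, max configured rate is 10',
    '<165>Mar 26 2020 13:22:05 ASA-INET : %ASA-5-737003: IPAA: Session=0x0fd2c000, DHCP configured, '
    "no viable servers found for tunnel-group 'SSLVPN-Tunnelgroup'",
    '<166>Mar 26 2020 13:22:05 ASA-INET : %ASA-6-737026: IPAA: Session=0x0fd2c000, '
    'Client assigned 172.21.11.211 from local pool',
]

SEVERITY_NAMES = ['emergency', 'alert', 'critical', 'error', 'warning', 'notice', 'info', 'debug']

# <PRI> at the start of the line; the emblem buffer format adds a ':' right after it.
PRI_RE = re.compile(r'^<(?P<pri>\d{1,3})>:?')
# %ASA-<class>-<severity>-<id>: where the class part is optional and may be empty (%ASA--4-434002).
MSG_RE = re.compile(r'%ASA-(?:(?P<cls>[a-z]*)-)?(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$')


def facility_name(code):
    """RFC 3164 facility number to name; only the local0-7 range is spelt out here."""
    return f'local{code - 16}' if 16 <= code <= 23 else str(code)


def parse_asa_line(line):
    """Split one ASA syslog line into PRI, facility, severity, class, message ID and text.

    Returns None for lines that carry no %ASA-... message ID.
    """
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {
        'cls': m.group('cls') or None,     # 'session', or None when absent or empty
        'msg_id': m.group('id'),
        'severity': int(m.group('sev')),   # severity is encoded in the message ID itself
        'text': m.group('text'),
        'pri': None, 'facility': None, 'pri_severity_mismatch': None,
    }
    p = PRI_RE.match(line)
    if p:
        pri = int(p.group('pri'))
        rec['pri'] = pri
        rec['facility'] = pri // 8        # 164 // 8 == 20 -> local4
        # The PRI severity (pri % 8) should agree with the digit in the message ID.
        rec['pri_severity_mismatch'] = (pri % 8) != rec['severity']
    return rec


def message_ids(lines):
    """Count occurrences of each ASA message ID in a set of lines."""
    return Counter(r['msg_id'] for r in map(parse_asa_line, lines) if r)


def missing_ids(buffer_lines, received_lines, trap_level=6):
    """Message IDs in the buffer at or below the trap level that the collector never saw."""
    expected = {r['msg_id'] for r in map(parse_asa_line, buffer_lines)
                if r and r['severity'] <= trap_level}
    return sorted(expected - set(message_ids(received_lines)))


if __name__ == '__main__':
    for label, lines in (('buffer', BUFFER_LINES), ('received', RECEIVED_LINES)):
        print(f'{label}:')
        for r in filter(None, map(parse_asa_line, lines)):
            print(f"  {r['msg_id']} class={r['cls']} sev={SEVERITY_NAMES[r['severity']]} "
                  f"facility={facility_name(r['facility'])} mismatch={r['pri_severity_mismatch']}")
    print('in buffer but never received:', missing_ids(BUFFER_LINES, RECEIVED_LINES, trap_level=6))
```

Feed it the real `show logging` output and the `Msg:` payloads from a longer tcpdump run (with the `<PRI>` rebuilt, or stripped on both sides) and the `missing_ids` result tells you which message IDs the firewall is buffering but not forwarding, independent of anything Graylog does with them afterwards; a `pri_severity_mismatch` of True would point at a malformed PRI rather than a filtering problem.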