ASA logging

A couple questions about asa syslogging for compliance reasons. What is best practice logging level to send to a syslog server. If debugging is sent the server is going to need a lot of room to keep for any period of time.

Second question how do you store events on an asa-aip-ssm-20 to a syslog server or some external place to keep for logging purposes. I would assume the module itself can only hold a certain amount of logs until it overwrites itself

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Ahriakin

The Syslog level is purely down to policy, don't break policy for the sake of saving on hardware as it may come back to haunt you (and yes I know the very people who may tell you to keep costs down on the logging server are the ones who will burn you if there's an incident and logs are missing due to lack of capacity, at least have the requests recorded by email or whatever).
Anyway checkout Splunk, it's free up to a certain level and a brilliant syslog tool. Then there's always Kiwi Syslog Daemon. Personally I wouldn't log lower than informational unless you are debugging specific processes for troubleshooting.

For the IPS modules try the Cisco IME - Cisco IPS Manager Express - Products & Services - Cisco Systems .

fightclub34

Thanks ahriakin

I was thinking informational too. We will be using kiwi syslog. Will ips manager store logs for a long period of time or will ips manager convert to syslog and i can then send those syslogs to kiwi.