Install a syslog-ng server
Complete the following steps to configure a Linux-based syslog server to send your Cisco Active Security Appliance (ASA) deployment-related syslog messages:
Determine the size of your Cisco ASA logs
Each firewall message is approximately 230 bytes, and users typically see one message per connection. As a best practice, use logging-allowed connections and denied connections. The log volume depends on the size of your ASA device.
Using only Cisco’s built-in tools, use the show ip inspect statistics
command to see how many connections occur since your last reset.
The following table shows approximate sizes of logs per type of service:
Service | Approximate size of log |
---|---|
Edge Firewall | Negligible |
Zone Firewall | 230 bytes per event |
VPN Services | 10 Kb per session + firewall activity |
Operational | Approximately <200 MB per day per ASA |
Install a syslog-ng server
To install a syslog-ng server, complete the following steps:
- (Optional) Uninstall rsyslog if it shipped with your deployment:
sudo rpm -e --nodeps rsyslog
- Install syslog-ng using
yum
:sudo yum-get install syslog-ng
- Configure
yum
to search the EPEL repo:
sudo yum --enablerepo=epel install syslog-ng
- (Optional) Install the
syslog-ng-libdbi
module to prevent a warning message from appearing each time syslog-ng starts:
sudo yum install --enablerepo=epel syslog-ng-libdbi
- Once you complete the installation, start syslog-ng:
sudo systemctl start syslog-ng.service sudo systemctl enable syslog-ng.service
- Verify that syslog-ng is running by checking for a pid:
pidof syslog-ng
Add Cisco ASA data to your Splunk Cloud deployment | Configure a syslog-ng server |
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
Feedback submitted, thanks!