
NPM Syslog and Firewalls

First off, not sure this is the right place for this, but I am curious if anyone has a suggestion on how to accomplish a task I have. 

We currently have 2 syslog servers - Kiwi Syslog and the Orion Syslog service with NPM.  Due to policy, I have to send ALL messages via syslog from our Cisco ASA 5520s to the Kiwi server (informational and up). What I am wanting to do is set up a syslog entry that ONLY sends "notify" and above messages to Orion.  Mainly, I am wanting to get those "Botnet" messages from the ASA to Orion so I can alert on them.

I could set up the Orion box as just another syslog server, and use the DB rules to limit the data, but in just over a week, the Syslog table grew to over 30 GB. Makes things a little unmanageable.

Any suggestions welcome. Thanks!

  • Can't you just set up the level of syslog messages you want sent to Orion on the ASAs like this:

    logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]
    logging trap severity_level
    logging facility number

    Choose what severity level based on the following:
    http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logsev.html
     If that's not granular enough you can use logging list:

    Use the Message List

    Use the message list in order to include only the interested syslog messages by severity level and ID into a group, then associate this message list with the desired destination.

    Complete these steps in order to configure a message list.

    1. Enter the logging list message_list | level severity_level [class message_class] command in order to create a message list that includes messages with a specified severity level or message list.

    2. Enter the logging list message_list message syslog_id-syslog_id2 command in order to add additional messages to the message list just created.

    3. Enter the logging destination message_list command in order to specify the destination of the message list created.

    Example 2

    Issue these commands in order to create a message list, which includes all the severity 2 (critical) messages with the addition of message 611101 to 611323, and also have them sent to the console:

    logging list my_critical_messages level 2
    logging list my_critical_messages message 611101-611323
    logging console my_critical_messages 
    I would think it would be easier to limit the messages sent to NPM at the source than trying to do it at NPM.
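One caveat worth checking before relying on the reply above: on the ASA, every `logging host` destination shares the single `logging trap` filter (a severity or a message list), so to my knowledge the box cannot send informational-and-up to Kiwi while sending only a message list to Orion; verify this against the syslog configuration guide for your ASA release. If that holds for your version, the subset for Orion has to be cut somewhere between the ASA and NPM (a relay, or a forwarding rule on the Kiwi side). The script below is an added example, not code from this thread or from SolarWinds or Cisco; it implements the `logging list` semantics from the reply (a severity ceiling plus explicit message-ID ranges) as a relay-side filter over constructed `%ASA-sev-id:` lines. The Botnet Traffic Filter ID range 338001-338310 and the message texts in the sample are assumptions for illustration; check the IDs in the syslog message guide for your release before alerting on them.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Cisco ASA severity levels, lower number = more severe (from the ASA message guide).
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# ASA messages carry "%ASA-<severity>-<6-digit id>: text". search() tolerates a
# PRI, timestamp or hostname that a relay may have prepended.
ASA_MSG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")


@dataclass
class MessageList:
    """Mirror of an ASA 'logging list NAME': a 'level N' clause selects every
    message at severity N or more severe (numerically <= N); each
    'message A-B' clause adds an explicit ID range regardless of severity."""
    name: str
    level: Optional[int] = None
    id_ranges: List[Tuple[int, int]] = field(default_factory=list)

    def matches(self, sev: int, msg_id: int) -> bool:
        if self.level is not None and sev <= self.level:
            return True
        return any(lo <= msg_id <= hi for lo, hi in self.id_ranges)


def parse_asa(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (severity, message_id, text) or None for a non-ASA line."""
    m = ASA_MSG.search(line)
    if not m:
        return None
    return int(m.group("sev")), int(m.group("id")), m.group("text")


def route(lines: List[str], orion_list: MessageList, kiwi_level: int = 6):
    """Split a feed into (to_kiwi, to_orion). Kiwi gets everything at kiwi_level
    or more severe (informational and up, per the poster's policy); Orion gets
    only what the message list selects, the way 'logging trap <list>' would."""
    to_kiwi, to_orion = [], []
    for line in lines:
        parsed = parse_asa(line)
        if parsed is None:
            continue  # not an ASA message; a real relay should count these, not drop silently
        sev, msg_id, _ = parsed
        if sev <= kiwi_level:
            to_kiwi.append(line)
        if orion_list.matches(sev, msg_id):
            to_orion.append(line)
    return to_kiwi, to_orion


# Constructed sample feed (message texts are illustrative, not captured output).
SAMPLE_LINES = [
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443",
    "%ASA-5-111008: User 'admin' executed the 'logging trap 5' command.",
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.0.0.7/51234",
    "%ASA-7-609001: Built local-host inside:10.0.0.7",
    "%ASA-3-106014: Deny inbound icmp src outside:198.51.100.9 dst inside:10.0.0.1",
]

# Assumed Botnet Traffic Filter ID range; verify for your ASA release.
BOTNET_IDS = (338001, 338310)

if __name__ == "__main__":
    # "notify and above" plus the botnet IDs, as the original post asks for
    orion_notify = MessageList("orion_notify", level=5, id_ranges=[BOTNET_IDS])
    kiwi, orion = route(SAMPLE_LINES, orion_notify)
    print(f"Kiwi receives {len(kiwi)} of {len(SAMPLE_LINES)} lines (debug dropped)")
    print(f"Orion receives {len(orion)} lines:")
    for line in orion:
        sev, msg_id, _ = parse_asa(line)
        print(f"  {SEVERITY[sev]:<14} {msg_id}")
```

Tightening the Orion list to `level=3` while keeping the botnet range is the case where the ID range earns its keep: the severity-4 botnet message still reaches Orion even though warnings as a class do not, which is the same effect the reply's `logging list ... message 611101-611323` line has on the ASA itself.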