1 Reply Latest reply on Feb 23, 2010 2:06 PM by ecklerwr1

    NPM Syslog and Firewalls

    dclick

      First off, not sure this is the right place for this, but I am curious if anyone has a suggestion on how to accomplish a task I have. 

      We currently have 2 syslog servers - Kiwi Syslog and the Orion SysLog service with NPM.  Due to policy, I have to send ALL messages via syslog from our Cisco ASA 5520s to the Kiwi server (informational and up). What I am wanting to do is set up a syslog entry that ONLY sends "notify" and above messages to Orion.  Mainly, I am wanting to get those "Botnet" messages from the ASA to Orion so I can alert on them.

      I could set up the Orion box as just another syslog server, and use the DB rules to limit the data, but in just over a week, the SysLog table grew to over 30 gig. Makes things a little unmanageable.

      Any suggestions welcome. Thanks!

        • Re: NPM Syslog and Firewalls
          ecklerwr1

          Can't you just set up the level of syslog messages you want sent to Orion on the ASAs like this:

          logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]
          logging trap severity_level
          logging facility number
          Choose what severity level based on the following:
          http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logsev.html
          If that's not granular enough you can use logging list:

          Use the Message List

          Use the message list in order to include only the interested syslog messages by severity level and ID into a group, then associate this message list with the desired destination.

          Complete these steps in order to configure a message list.

          1. Enter the logging list message_list | level severity_level [class message_class] command in order to create a message list that includes messages with a specified severity level or message list.

          2. Enter the logging list message_list message syslog_id-syslog_id2 command in order to add additional messages to the message list just created.

          3. Enter the logging destination message_list command in order to specify the destination of the message list created.

          Example 2

          Issue these commands in order to create a message list, which includes all the severity 2 (critical) messages with the addition of message 611101 to 611323, and also have them sent to the console:

          logging list my_critical_messages level 2
          logging list my_critical_messages message 611101-611323
          logging console my_critical_messages 
          I would think it would be easier to limit the messages sent to NPM at the source than trying to do it at NPM.
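Putting the reply's three pieces together for the two-server setup in the question, as an added example that is not part of either post: a `logging host` entry per collector, a message list built with `logging list ... level` and `logging list ... message`, and the list handed to the syslog-server destination with `logging trap`. The interface name, the addresses, the list name and the message ID range are placeholders chosen for illustration; substitute the real message IDs you want to alert on.

```cisco
! Added example (not from the thread). Placeholders: interface "inside",
! addresses 192.0.2.10 / 192.0.2.20, list name orion_alerts, ID range 100001-100002.
logging enable
logging timestamp
! Syslog collectors (UDP/514 assumed when no transport is given).
! First host: Kiwi Syslog. Second host: Orion NPM syslog service.
logging host inside 192.0.2.10
logging host inside 192.0.2.20
! Message list: severity 5 (notifications) and above ...
logging list orion_alerts level 5
! ... plus an explicit message ID range (placeholder range; replace it
! with the IDs of the messages you want to alert on).
logging list orion_alerts message 100001-100002
! Hand the list to the syslog-server destination instead of a bare level.
logging trap orion_alerts
! Keep a fuller local copy for troubleshooting (optional).
logging buffered informational
```

One caveat worth checking before relying on this: on the ASA, `logging trap` is a single setting that applies to every `logging host` entry, so the list above filters what both collectors receive. Per-destination filtering on the firewall works between destination types (console, buffer, trap), as in the reply's `logging console` example, not between individual syslog hosts. If the policy really requires informational-and-up at Kiwi, the trap level has to stay at informational and the reduction for Orion has to happen somewhere after the ASA; verify the current behaviour on your software release with `show logging` before changing production.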