6 Replies Latest reply on Jun 12, 2012 10:21 AM by phil3

    missing Cisco ASA syslog message

    DelawareCity

I am trying to build a filter to show message asa-4-113019 which is a VPN disconnect message. The filter is showing zero messages even after I connected to the ASA vpn and disconnected. I can see the message in my older kiwi syslog server but not in LEM. Is it possible this syslog event is not being normalized correctly?



        • Re: missing Cisco ASA syslog message
          phil3

          Are you seeing anything at all from that device? If you are, I'd recommend you start with a filter or nDepth search for the Tool Alias associated with the device. That will show you everything from the device, and then you'll be able to truly see what LEM is and isn't collecting/normalizing.


          If you do this and you find the alert is missing or even misnamed/incomplete/etc., open a Support ticket and we'll take a closer look.


          On the other hand, if LEM isn't showing anything from this device, check to make sure it's logging appropriately and that you've configured the right connector.


          Here are some knowledge base articles that should help:


          Thanks.


          Phil

            • Re: missing Cisco ASA syslog message
              DelawareCity

              I cannot find the entry in ndepth. I just tried another VPN connect and disconnect. In Kiwi syslog, I see this message when I disconnect (sensitive info replaced by *****):


              2012-06-11 13:20:52 Local2.Warning 10.10.9.1 Jun 11 2012 13:20:52: %ASA-4-113019: Group = *****, Username = *****, IP = *****, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:06m:48s, Bytes xmt: 257, Bytes rcv: 63, Reason: Lost Service


              I cannot seem to find this message in LEM at all. I tried searching ndepth for provider sid ASA-4-113019. I also tried searching for the username and IP address. I see syslog messages showing the connection of the username and IP but not this disconnect message.



                • Re: missing Cisco ASA syslog message
                  phil3

                  To clarify: Are you seeing anything from that ASA firewall in your LEM console?

                    • Re: missing Cisco ASA syslog message
                      DelawareCity

                      Yes, I have lots of information from my firewall in LEM. All of my filters for my firewall work great except for the filter for the ASA-4-113019. I had been using this syslog message to build VPN reports in my old MARS appliance since it includes username, connected IP, bytes transferred and duration.

                        • Re: missing Cisco ASA syslog message
                          phil3

                          I'm checking with Support to see if there are any known issues with this connector, but you will likely have to open a case to do more targeted troubleshooting. If you open a ticket, please post the ticket number here and keep us posted if you come to a resolution.

                          • Re: missing Cisco ASA syslog message
                            phil3

I got some feedback from Support and Engineering, and they say it looks like your syslog configuration is in a nonstandard format. The connector is confused because the "Local2.Warning" is being logged before the IP address. Do you know if this has been altered at all from the default configuration?

                            • If you've modified the format, try changing it back to the default format.
                            • If you haven't modified the format, please open a Support ticket to send us a log sample so we can take a closer look.


                            I hope this helps. Thanks.
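The normalization problem described in this thread, shown as an added example that is not part of the original posts or of the LEM product: a parser that expects the ASA timestamp at the start of the message (the default format) rejects the Kiwi-style line where "Local2.Warning" and the source IP come first, while a parser that locates the %ASA token tolerates either form and still extracts the VPN session fields useful for auditing. The sample lines, group, username, IP and the <148> priority header are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample lines. KIWI_LINE mirrors the layout quoted in the thread
# (Kiwi's facility.severity and source IP precede the ASA timestamp);
# STD_LINE is the same event in plain RFC 3164 form with a <PRI> header
# (<148> = facility local2 (18) * 8 + severity warning (4)).
KIWI_LINE = ("2012-06-11 13:20:52 Local2.Warning 10.10.9.1 Jun 11 2012 13:20:52: "
             "%ASA-4-113019: Group = VPNGROUP, Username = jdoe, IP = 198.51.100.7, "
             "Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:06m:48s, "
             "Bytes xmt: 257, Bytes rcv: 63, Reason: Lost Service")
STD_LINE = ("<148>Jun 11 2012 13:20:52: %ASA-4-113019: Group = VPNGROUP, Username = jdoe, "
            "IP = 198.51.100.7, Session disconnected. Session Type: IPsecOverNatT, "
            "Duration: 0h:06m:48s, Bytes xmt: 257, Bytes rcv: 63, Reason: Lost Service")

# Strict pattern: ASA timestamp must open the message (optionally after <PRI>),
# which is what a default-format parser would assume.
STRICT_RE = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2} \d{1,2} \d{4} \d\d:\d\d:\d\d: "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")

# Tolerant pattern: ignore whatever a relay prepended before the %ASA token.
TOLERANT_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")

# Field layout of the 113019 "Session disconnected" body as quoted in the thread.
BODY_RE = re.compile(
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), "
    r"Session disconnected\. Session Type: (?P<type>[^,]+), Duration: (?P<dur>[^,]+), "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$")

def duration_seconds(dur: str) -> int:
    """Convert the ASA 'NNh:MMm:SSs' duration string to seconds."""
    m = re.fullmatch(r"(\d+)h:(\d+)m:(\d+)s", dur)
    if not m:
        raise ValueError(f"unexpected duration format: {dur!r}")
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s

def parse_113019(line: str, strict: bool = False) -> Optional[dict]:
    """Return normalized fields for an ASA-4-113019 event, or None if unparsed."""
    head = (STRICT_RE if strict else TOLERANT_RE).search(line)
    if not head or head.group("id") != "113019":
        return None
    body = BODY_RE.match(head.group("body"))
    if not body:
        return None
    fields = body.groupdict()
    fields["duration_s"] = duration_seconds(fields.pop("dur"))
    fields["xmt"], fields["rcv"] = int(fields["xmt"]), int(fields["rcv"])
    return fields
```

Running the strict parser over the relay's output is a quick way to confirm whether a missing event is a format mismatch rather than a lost message.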