Cisco ASA TCP Syslog Problem

I ran today into a big problem with configuring an TCP syslog server on an Cisco ASA.

logging host "interface_name" "server_ip" tcp/514

After I put in the configuration and someone from the server administration restarted the syslog server and suddenly the whole communication through the ASA stopped working completely.

I saw the following messages in the ADSM and quickly realised that this could be only caused by the TCP logging configuration.

%ASA-3-201008: Disallowing new connections

I didn’t looked before if the feature is disabled to block new connections when a TCP-connected syslog server is down. This is very important that you disable the feature before you configure TCP syslog servers otherwise you ran into the same problem like me.

Here the command to disable the feature:

logging permit-hostdown

In my case I just forgot to check before and will definitively remember for the next time 😉

Configure syslog server on F5 BIG-IP

Syslog servers are a great idea they centralise all your logs from your Servers and networking devices.

I used for the syslog server the following command

bigpipe syslog remote server 'syslog-srv.local-domain.com' host 10.1.1.100 add

After that everything looked fine and I saw syslog messages but I got lots of informational messages and the following debug message.

debug snmpd[PID]: error on subcontainer 'ia_addr' insert (-1)

For the debug message I found a solution on AskF5: http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12136.html?sr=16487442

There is saw that I went the wrong way of configuring syslog on my load balancer, I also needed to set the log level for remote syslog server. Here the solution from F5: http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11723.html

1. Log in to the command line of the BIP-IP

2. Create in /tmp/syslog.inc file with the syslog configuration.

syslog include "
filter f_remote_loghost {
level(notice..emerg);
};
destination d_loghost {
udp(\"10.1.1.100\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost);
destination(d_loghost);
};
"

3. To remove the currently configured remote syslog servers, type the following command:
Important: This step disables all remote logging.

[[email protected]:Active] tmp # b syslog remote server none

4. Copy the changes into the configuration

[[email protected]:Active] tmp # bpsh < /tmp/syslog.inc

5. Refresh and start syslog deamon

[[email protected]:Active] tmp # syslog-ng -s

6. Save the configuration

[[email protected]:Active] tmp # b save all
/config/bigip_base.conf was renamed to /config/bigip_base.conf.bak (86 lines).
/config/bigip_sys.conf was renamed to /config/bigip_sys.conf.bak (66 lines).
/config/bigip.conf was renamed to /config/bigip.conf.bak (894 lines).
/config/bigip_local.conf was renamed to /config/bigip_local.conf.bak (1 lines).
[[email protected]:Active] tmp #

If the new logging configuration is not working as expected, make the desired changes to the /tmp/syslog.inc file and return to Step 2.

When the syslog-ng -s command reports the following error message:

# syslog-ng -s syntax error at 751

Remove the syslog include entries by typing the following command:

bigpipe syslog include none

Review the import configuration for syntax errors before attempting to re-import by typing the command listed in Step 2.