nanog mailing list archives

Re: ASA log viewer


From: Duane Toler <detoler () gmail com>
Date: Sun, 20 Nov 2011 14:48:17 -0500

I think it was ASA 8.3 that began to provide an option to NOT cease
functionality when tcp syslog server was unreachable. In ASDM, it is a
checkbox at the bottom of the logging servers config section.

Sent from my iPhone

On Nov 20, 2011, at 7:43, Joe Happe <Joe.Happe () archlearning com> wrote:

Completely agree with splunk for log searching / analysis, even has some ASA/PIX modules. Please note, unless something has changed that I completely missed, an ASA/PIX will stop forwarding user traffic if it is configured for tcp syslogs and the connection breaks. (no more disk, network issue, etc) This is based on the premise that a system cannot be considered secure if the audit trail is unavailable, and tcp syslogging (vs udp) is usually used to make sure you don't miss an entry due to a dropped packet. Something that dates back to the old C2 security standard?? (not sure of the current version). Typically this requires admin intervention (by design) to clear the condition. If you use udp for syslog the ASA won't be in this mode, and you won't block traffic if syslog fails. With that said, there may be a command I'm unaware of that allows a tcp syslog to fail and not block traffic.

~jdh
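The two behaviours discussed in the thread, written out as ASA CLI (an added example, not from either poster). The command name `logging permit-hostdown` is the CLI form of the ASDM checkbox Duane mentions and comes from the ASA command reference, not from this thread; the interface name and server address are placeholders.

```cisco
! Added example, not from either poster. "inside" and 192.0.2.10 are placeholders.
logging enable
logging trap informational
!
! TCP transport: the ASA keeps a session to the collector so entries are not
! lost to a dropped packet. With only the lines above, the default is the
! fail-closed behaviour Joe describes: if the session to 192.0.2.10 breaks,
! the ASA denies new connections until an admin clears the condition.
logging host inside 192.0.2.10 tcp/1470
!
! Fail-open knob (taken from the ASA command reference, not from this thread):
! keep passing traffic when the TCP syslog server is unreachable. Choose this
! deliberately; it trades a guaranteed audit trail for availability.
logging permit-hostdown
```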


