Monday, October 8, 2018

Cisco ASA logging to CentOS 7 rsyslog & logrotate

First of all install CentOS 7 and yum update it. Then check whether rsyslog is installed and running:
systemctl status rsyslog.service

If rsyslog is not installed:
yum install rsyslog

Edit the rsyslog config (we'll use UDP for message logging):
vi /etc/rsyslog.conf
search for imudp and uncomment:
$ModLoad imudp
$UDPServerRun 514

systemctl restart rsyslog
systemctl status rsyslog.service

For the SELinux semanage package:
yum install policycoreutils-python

To view which ports are allowed by SELinux:
semanage port -l | grep syslog

See if rsyslog is listening on any ports:
ss -nlp | grep rsyslog

firewall-cmd --list-all # find zone name (mine is public)
Allow traffic for rsyslog in that zone:
firewall-cmd --permanent --zone=public --add-port=514/udp
systemctl restart firewalld.service
firewall-cmd --list-all

Creating files for ASA log:
cd /var/log
touch asa.log
vi /etc/rsyslog.conf

Log severity levels 
There are eight in total as per Cisco’s definitions below: 
  • 0 = Emergencies => Extremely critical “system unusable” messages 
  • 1 = Alerts => Messages that require immediate administrator action 
  • 2 = Critical => A critical condition 
  • 3 = Errors => An error message (also the level of many access list deny messages) 
  • 4 = Warnings => A warning message (also the level of many other access list deny messages) 
  • 5 = Notifications => A normal but significant condition (such as an interface coming online) 
  • 6 = Informational => An informational message (such as a session being created or torn down) 
  • 7 = Debugging => A debug message or detailed accounting message
Facility is the syslog field that identifies which device or subsystem a message came from. To find the facility the ASA is using:
sh log set | grep Fac|fac

The default ASA facility is 20, which corresponds to the rsyslog local4 facility (facility 21 = local5, facility 22 = local6, and so on).

Create a new rule that fits your needs (the lines below must be inserted right after #### RULES #### in rsyslog.conf, and the stop directive is what keeps the ASA messages out of messages and boot.log; without it every message is duplicated there):
# Logs sent from the ASA with IP 10.10.10.10 are saved to /var/log/asa.log. Here we have 2 options:
# 1. Use the facility to identify the messages (each device has a predefined log facility;
#    for the ASA the default is local4). Because of stop, later rules never see the message:
local4.info /var/log/asa.log
& stop
# 2. Use the source IP address to identify the messages:
if $fromhost-ip == '10.10.10.10' then {
    action(type="omfile" file="/var/log/asa.log")
    stop
}
# You can use either of the two, but only one of them, otherwise all messages will be written twice to the same file.
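An added example (not from the original post) that decodes the syslog PRI of ASA messages into the facility/severity pair described above and checks which lines an rsyslog selector such as local4.info would write to asa.log. The three log lines are constructed for the demonstration; the hostname asa1 and the addresses in them are assumptions.

```python
import re

# Syslog facilities 16..23 are local0..local7; severity names as rsyslog uses them.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>" prefix as received over UDP, then the ASA header "%ASA-<severity>-<message id>: text".
ASA_LINE = re.compile(r"^<(?P<pri>\d{1,3})>.*?%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")

def decode_pri(pri):
    """Split the syslog PRI into (facility number, severity number): PRI = facility * 8 + severity."""
    return pri // 8, pri % 8

def parse_asa_line(line):
    """Decode one ASA syslog line, or return None if it is not an ASA message."""
    m = ASA_LINE.match(line)
    if not m:
        return None
    fac, sev = decode_pri(int(m["pri"]))
    return {
        "facility": FACILITIES.get(fac, f"facility{fac}"),
        "severity": SEVERITIES[sev],
        "msgid": m["msgid"],
        "text": m["text"],
        # the severity in the PRI must agree with the one in the %ASA-N header
        "consistent": sev == int(m["sev"]),
    }

def selector_matches(selector, entry):
    """True if an rsyslog selector such as 'local4.info' would write this entry
    (a selector matches its own severity and every more severe level)."""
    fac, sev = selector.split(".")
    return entry["facility"] == fac and SEVERITIES.index(entry["severity"]) <= SEVERITIES.index(sev)

def route(lines, selector="local4.info"):
    """Message ids of the lines the selector would send to asa.log."""
    parsed = [parse_asa_line(line) for line in lines]
    return [e["msgid"] for e in parsed if e and selector_matches(selector, e)]

# Constructed sample lines (not captured traffic), ASA default facility 20 = local4:
# PRI 164 = 20*8+4 (warnings), 166 = 20*8+6 (informational), 167 = 20*8+7 (debugging).
SAMPLE = [
    '<164>Oct 08 2018 12:33:00 asa1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.10.10.20/22 by access-group "outside_in"',
    "<166>Oct 08 2018 12:33:01 asa1 : %ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.8/51000 (198.51.100.8/51000) to inside:10.10.10.20/443 (10.10.10.20/443)",
    "<167>Oct 08 2018 12:33:02 asa1 : %ASA-7-111009: User 'admin' executed cmd: show logging",
]
```

route(SAMPLE) returns the first two message ids only: the debugging line is below the local4.info threshold, just as it would be dropped by the selector in the rule above.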

In order for the changes to take effect we need to restart the syslog service. 
systemctl restart rsyslog

Configure clock on an ASA (NTP or manual):
clock timezone AZS 4
clock set 12:33:00 10 Sep 2018
show clock

ASA logging destinations (ASA CLI parameters to logging command): 
  • console – logs are viewed in real time while connected via the serial console 
  • asdm – logs can be viewed in the ASDM GUI. 
  • monitor – logs to a Telnet or SSH session.
  • buffered – this is the internal memory buffer 
  • host – a remote syslog server IP and interface
  • trap – severity for remote syslog
  • mail – send generated logs via SMTP 
  • flow-export-syslogs – send event messages via NetFlow v9

Configure ASA logging to the remote rsyslog server (also configuring the buffer):
  1. enable logging:
    1. logging enable 
  2. enable timestamping of log messages:
    1. logging timestamp 
  3. configure the buffer (when the buffer fills up, the oldest messages are overwritten):
    1. logging buffer-size 128000 
  4. severity level for buffered logging:
    1. logging buffered warnings 
  5. severity level for messages sent to the syslog server (informational):
    1. logging trap informational 
  6. interface and IP of the rsyslog server:
    1. logging host inside 10.10.10.20 
  7. verify the logging settings:
    1. show logging setting
  8. set up the message logging queue (the default is 512 messages; the maximum queue size is 1024 on the ASA-5505, 2048 on the ASA-5510 and 8192 on all other platforms):
    1. logging queue 1024
    2. show logging queue
Configure logrotate for asa.log:
cat /etc/logrotate.d/rotate_asa_log.conf
# name of the log-file :
/var/log/asa.log {
    # rotate log daily :
    daily
    # keep 400 old log-files :
    rotate 400
    # compress old log-file after postscript execution :
    compress
    # also rotate early if the log-file reaches 2GB (maxsize combines with daily;
    # a plain size directive would replace the daily schedule instead) :
    maxsize 2G
    # add %Y%m%d to the end of the old log-file :
    dateext
    # use -%d%m%Y instead of the default %Y%m%d :
    dateformat -%d%m%Y
    # create empty asa.log file  :
    create 0644 root root
    # don't issue an error if the log-file is missing :
    missingok
    # don't rotate if log-file is empty :
    notifempty
    # use one postrotate script for all log-files (if more than one) :
    sharedscripts
    # start of the postrotate script :
    postrotate
        # send HUP to rsyslogd; its PID is read from /var/run/syslogd.pid, the
        # pid file rsyslogd writes on CentOS 7 (the stock /etc/logrotate.d/syslog
        # uses the same path, so no rsyslogd.pid is needed here)
        # HUP makes rsyslog close and reopen its output files, so it starts
        # writing to the freshly created asa.log instead of the rotated one
        # (it does not reload the config or restart the daemon)
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    # end of the postrotate script :
    endscript
}

Test logrotate script without actually rotating anything (-d is debug option and it implies -v verbose option):
logrotate -d /etc/logrotate.d/rotate_asa_log.conf

After testing you can force logrotate to rotate logs:
logrotate -f /etc/logrotate.d/rotate_asa_log.conf

To see last rotation of the log-file:
cat /var/lib/logrotate/logrotate.status | grep asa
"/var/log/asa.log" 2018-10-4-19:9:35

So the next rotation will be done at the time recorded in logrotate.status plus the specified rotation interval (in our case it's "daily").
