All ASA syslogs are received with Severity 0
Posted: Tue Sep 12, 2017 11:34 am
by malcolmleek
I'm not sure why, but all syslogs received from my Cisco ASA come in as "Severity" 0 and "Severity_Label" Emergency. I checked the firewall and the messages are of different severities (like 4 or 6), but Nagios LS is not categorizing them correctly. This creates problems with filtering and alerting because I can't filter them out.
Help me Obi-Wan Kenobi. You're my only hope.
Re: All ASA syslogs are received with Severity 0
Posted: Tue Sep 12, 2017 11:51 am
by cdienger
It sounds like something isn't parsing correctly. Can you share a sample of the firewall logs?
Re: All ASA syslogs are received with Severity 0
Posted: Tue Sep 12, 2017 1:34 pm
by malcolmleek
Yes, I can. I'm not sure what you would like to see though.
Re: All ASA syslogs are received with Severity 0
Posted: Tue Sep 12, 2017 1:36 pm
by malcolmleek
Sure. Which logs would you like to see?
Re: All ASA syslogs are received with Severity 0
Posted: Tue Sep 12, 2017 2:57 pm
by cdienger
I'd like to see the raw log messages that are getting sent over and try parsing them on a lab machine to see why they are not parsing. You can just expand the events seen in the NLS dashboard and copy the message field.
Re: All ASA syslogs are received with Severity 0
Posted: Tue Sep 12, 2017 3:07 pm
by malcolmleek
10.100.11.17 syslog <164>%ASA-4-106023: Deny udp src LAN-DMZ:172.20.#.#/64603 dst identity:229.111.#.#/3071 by access-group "LAN-DMZ_access_in" [0xe0362917, 0x0]
0 Emergency _grokparsefailure_sysloginput 2017-09-12T15:03:11.618-05:00
@timestamp 2017-09-12T20:03:11.618Z
@version 1
_id AV53sDrXjrA6ezG6p3_j
_index logstash-2017.09.12
_type syslog
facility 0
facility_label kernel
host 10.100.#.#
message <164>%ASA-4-106023: Deny udp src LAN-DMZ:172.20.#.#/64603 dst identity:229.111.#.#/3071 by access-group "LAN-DMZ_access_in" [0xe0362917, 0x0]
priority 0
severity 0
severity_label Emergency
tags _grokparsefailure_sysloginput
type syslog
Re: All ASA syslogs are received with Severity 0
Posted: Tue Sep 12, 2017 3:27 pm
by mcapra
Just chiming in to say I've seen this behavior before with ASAs. They don't seem to follow RFC 3164 to the letter. You might try this solution:
https://support.nagios.com/forum/viewto ... 20#p118275
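To make the RFC 3164 point concrete, here is a small parser added for this thread (it is not code from the thread, from Nagios Log Server, or from Cisco). It runs a strict RFC 3164 pattern (PRI, timestamp, hostname, tag) and an ASA-shaped pattern (PRI followed directly by the %ASA-severity-id tag) over the message field from the posted event plus the example line from RFC 3164 section 5.4. When only the strict pattern is tried, the ASA line fails and the numeric fields fall back to 0, which is the facility "kernel" / severity "Emergency" result shown in the posted event; when the ASA pattern is allowed, PRI 164 decodes to local4 / Warning, matching the "4" the firewall itself put in the tag. The optional "Mon dd yyyy hh:mm:ss: " group in the ASA pattern is an assumption about the format produced when "logging timestamp" is on; the posted sample has no timestamp. The fallback-to-0 behaviour is modelled on what the dashboard shows, not on Log Server's internal filter code.

```python
import re

# Facility and severity labels for the numeric codes in the syslog PRI field
# (RFC 3164 section 4.1.1; RFC 5424 keeps the same numbering).
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "daemon", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_LABELS = [
    "Emergency", "Alert", "Critical", "Error", "Warning",
    "Notice", "Informational", "Debug",
]

# Strict RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT.
# This is the shape a generic syslog grok pattern expects.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<content>.*)$"
)

# What the ASA in the thread actually sends: <PRI>%ASA-SEV-ID: CONTENT, with no
# timestamp and no hostname between the PRI and the tag. The optional
# "Mon dd yyyy hh:mm:ss: " group is an assumption about the format used when
# "logging timestamp" is enabled; the posted sample does not include it.
ASA_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{4} \d\d:\d\d:\d\d): )?"
    r"%(?P<ciscotag>ASA-(?P<asa_severity>\d)-(?P<msg_id>\d+)): "
    r"(?P<content>.*)$"
)


def decode_pri(pri):
    """Split a PRI value into (facility, severity): PRI = facility * 8 + severity."""
    pri = int(pri)
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 7


def parse_syslog(line, accept_asa=True):
    """Parse one raw line into the fields the dashboard in the thread displays.

    If no pattern matches, the event is tagged _grokparsefailure and the numeric
    fields stay at 0, which is what shows up as facility 'kernel' and severity
    'Emergency' in the posted event.
    """
    event = {
        "message": line, "priority": 0, "facility": 0, "severity": 0,
        "facility_label": FACILITY_LABELS[0], "severity_label": SEVERITY_LABELS[0],
        "tags": [],
    }
    match = RFC3164_RE.match(line)
    if match is None and accept_asa:
        match = ASA_RE.match(line)
    if match is None:
        event["tags"].append("_grokparsefailure")
        return event

    fields = {k: v for k, v in match.groupdict().items() if v is not None}
    try:
        facility, severity = decode_pri(fields.pop("pri"))
    except ValueError:
        event["tags"].append("_pri_out_of_range")
        return event
    event.update(fields)
    event.update({
        "priority": facility * 8 + severity,
        "facility": facility, "severity": severity,
        "facility_label": FACILITY_LABELS[facility],
        "severity_label": SEVERITY_LABELS[severity],
    })
    if "asa_severity" in fields:
        # The ASA also encodes severity in its own tag; flag a mismatch with the PRI.
        event["asa_severity"] = int(fields["asa_severity"])
        if event["asa_severity"] != severity:
            event["tags"].append("_asa_severity_mismatch")
    return event


# Sample input. ASA_LINE is the message field from the posted event (redacted as
# in the thread); RFC_LINE is the example line from RFC 3164 section 5.4.
ASA_LINE = ('<164>%ASA-4-106023: Deny udp src LAN-DMZ:172.20.#.#/64603 '
            'dst identity:229.111.#.#/3071 by access-group "LAN-DMZ_access_in" '
            '[0xe0362917, 0x0]')
RFC_LINE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

if __name__ == "__main__":
    for line in (ASA_LINE, RFC_LINE):
        for mode in (False, True):
            ev = parse_syslog(line, accept_asa=mode)
            print("accept_asa=%-5s severity=%d (%s) facility=%d (%s) tags=%s" % (
                mode, ev["severity"], ev["severity_label"],
                ev["facility"], ev["facility_label"], ev["tags"]))
```

The practical check this gives you: if the PRI in the raw message is non-zero but the indexed event says priority 0, the PRI was never parsed, so the fix belongs in the pattern (or in a separate input/filter for the ASA), not in the firewall's logging level.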
Re: All ASA syslogs are received with Severity 0
Posted: Tue Sep 12, 2017 4:27 pm
by malcolmleek
I didn't see any solutions in that article.
Re: All ASA syslogs are received with Severity 0
Posted: Wed Sep 13, 2017 9:10 am
by tmcdonald
The posted solution was in regards to configuring the terminal to turn off sequence-numbers, or creating different inputs and filters in Log Server. It's the second link posted by @mcapra.
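A filter of the second kind mentioned above, written out as an added example (it is not from the thread, from Nagios, or from Cisco). It assumes the Log Server filter accepts Logstash filter syntax and that the raw message still begins with the PRI, as the posted event shows. The grok pattern only needs the PRI and the %ASA tag, so it does not depend on the timestamp and hostname fields the firewall leaves out; syslog_pri then derives facility and severity from the captured PRI. The tag name _grokparsefailure_sysloginput is the one visible in the posted event; the conditional uses it so that only ASA lines the generic pattern already rejected are touched.

```logstash
filter {
  # Only handle ASA lines that the generic syslog pattern already failed on.
  if [type] == "syslog" and "_grokparsefailure_sysloginput" in [tags] and [message] =~ /^<\d+>%ASA-/ {
    grok {
      # <PRI>%ASA-SEVERITY-MSGID: text   (no timestamp, no hostname)
      # CISCOTAG is a built-in grok pattern; "%%{...}" is a literal % followed by the pattern.
      match => { "message" => "^<%{POSINT:syslog_pri}>%%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}" }
      tag_on_failure => ["_grokparsefailure_asa"]
      remove_tag => ["_grokparsefailure_sysloginput"]
    }
    # Turns syslog_pri (164) into facility/severity fields:
    # 164 = 20 * 8 + 4 -> local4 / warning
    syslog_pri { }
  }
}
```

syslog_pri writes its results to syslog_facility, syslog_facility_code, syslog_severity and syslog_severity_code; if the dashboards and alerts key on the severity and severity_label names shown in the posted event, add a mutate rename for those fields, and expect the severity labels to be syslog_pri's defaults (lowercase) unless you set severity_labels to match.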
Re: All ASA syslogs are received with Severity 0
Posted: Wed Sep 13, 2017 9:20 am
by malcolmleek
I'm not sure I follow you. I clicked on the link posted by @mcapra that took me to a message board titled "All Log Entries on same facility/priority/severity". I read all 5 pages and they never found a solution. If there is one, could you please copy and paste it here?