I think it was ASA 8.3 that began to provide an option to NOT cease functionality when the tcp syslog server was unreachable. In ASDM, it is a checkbox at the bottom of the logging servers config section.
Sent from my iPhone

On Nov 20, 2011, at 7:43, Joe Happe <[email protected]> wrote:

> Completely agree with splunk for log searching / analysis, even has some
> ASA/PIX modules. Please note, unless something has changed that I completely
> missed, an ASA/PIX will stop forwarding user traffic if it is configured for
> tcp syslogs and the connection breaks. (no more disk, network issue, etc)
> This is based on the premise that a system cannot be considered secure if the
> audit trail is unavailable, and tcp syslogging (vs udp) is usually used to
> make sure you don't miss an entry due to a dropped packet. Something that
> dates back to the old C2 security standard?? (not sure of the current
> version). Typically this requires admin intervention (by design) to clear
> the condition. If you use udp for syslog the ASA won't be in this mode, and
> you won't block traffic if syslog fails. With that said, there may be a
> command I'm unaware of that allows a tcp syslog to fail and not block traffic.
>
> ~jdh
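Added example, not part of the original messages: a small Python check that reads an ASA running-config and reports whether the fail-closed TCP syslog behaviour discussed in this thread applies. It assumes the CLI counterpart of the ASDM checkbox is the `logging permit-hostdown` command, that a `logging host` line without a protocol defaults to UDP, and that the protocol may appear as `tcp`/`udp` or numerically as `6`/`17`; the sample configs and addresses are constructed.

```python
import re

# Constructed sample running-config fragments (not taken from the thread).
SAMPLE_BLOCKING = """\
logging enable
logging trap informational
logging host inside 192.0.2.10 tcp/1470
logging host inside 192.0.2.11
"""
SAMPLE_PERMISSIVE = SAMPLE_BLOCKING + "logging permit-hostdown\n"

# logging host <interface> <address> [tcp|udp|6|17][/port] ...
HOST_RE = re.compile(
    r"^logging host (?P<ifc>\S+) (?P<addr>\S+)"
    r"(?: (?P<proto>tcp|udp|6|17)\b(?:/(?P<port>\d+))?)?",
    re.IGNORECASE,
)


def audit_syslog(config: str) -> dict:
    """Classify syslog hosts and flag the fail-closed TCP condition."""
    tcp_hosts, udp_hosts = [], []
    permit_hostdown = False
    for raw in config.splitlines():
        line = raw.strip()
        # Exact match, so "no logging permit-hostdown" is not counted.
        if line == "logging permit-hostdown":
            permit_hostdown = True
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        proto = (m.group("proto") or "udp").lower()  # assumed default: UDP
        entry = (m.group("ifc"), m.group("addr"), m.group("port"))
        (tcp_hosts if proto in ("tcp", "6") else udp_hosts).append(entry)
    return {
        "tcp_hosts": tcp_hosts,
        "udp_hosts": udp_hosts,
        "permit_hostdown": permit_hostdown,
        # TCP syslog without permit-hostdown: a syslog outage blocks traffic.
        "blocks_on_syslog_outage": bool(tcp_hosts) and not permit_hostdown,
    }


if __name__ == "__main__":
    for name, cfg in (("blocking", SAMPLE_BLOCKING), ("permissive", SAMPLE_PERMISSIVE)):
        print(name, audit_syslog(cfg))
```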

