Tuesday, July 9, 2019

Logging List issue on ASA

Hello.

I'm having an issue getting the logs set up the way I would like on an ASA 5515 on 9.6.4

I'm trying to send the syslogs to an Alienvault server for monitoring. However, a few events are quickly consuming our allowed monthly resources.

Stuff like %ASA-4-419002: Duplicate TCP SYN from inside:192.168.x.x/xxxxx to inside:192.168.x.x/xxxxx with different initial sequence number

This is engineering software that nobody understands, including the engineers. This makes me hesitant to think I could resolve this actual issue in a timely manner (I will pursue it later) but for the time being, I would like to keep it out of our logs. There are a few others like this as well. So I would like to just exclude this message from being sent to our syslog server (The Alienvault).

So in the ASDM, I went through the steps, I created a new syslog server, then went to logging filters and created a new one for syslogs filter. Made a new logging list to attach to that which I assumed? was how you can filter out logs you don't want to that host?

In the event list, I think this is where I might be going wrong? I have it set to all/notifications for severity and then put a list of events in the other side. Basically 100000-419001 and then 419003-999999 (or whatever the max was). This to me means it should exclude 419002 but did I set it up to ONLY grab those notifications I'm trying to skip?

This is how the list actually looks in the console

logging list Syslog-Event-List level notifications
logging list Syslog-Event-List message 101001-419001
logging list Syslog-Event-List message 419003-434001
logging list Syslog-Event-List message 434003-746015
logging list Syslog-Event-List message 746017-800000

So again, my goal is to exclude 419002. What am I doing wrong in this situation?

Thank you for any help!! Appreciated!
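Added example (editor's, not from the post): a small Python model of how the logging list quoted above selects messages. It assumes the list is evaluated as a union, so a message is forwarded if it satisfies any entry, with a "level" entry matching every message at that severity or more severe and a "message" entry matching by ID range; the helper names (parse_logging_lists, parse_tag, would_forward) are the example's own.

```python
import re

# ASA severity keywords; the list index is the numeric level (0 = emergencies).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Constructed input: the five logging-list lines from the post, one per line.
CONFIG = """
logging list Syslog-Event-List level notifications
logging list Syslog-Event-List message 101001-419001
logging list Syslog-Event-List message 419003-434001
logging list Syslog-Event-List message 434003-746015
logging list Syslog-Event-List message 746017-800000
"""

LINE_RE = re.compile(r"^logging list (\S+) (level|message) (\S+)$")
TAG_RE = re.compile(r"%ASA-(\d)-(\d{6})")


def parse_logging_lists(text):
    """Return {name: {"levels": [int], "ranges": [(lo, hi)]}} for each list in text."""
    lists = {}
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a logging-list line; ignore it
        name, kind, arg = m.groups()
        entry = lists.setdefault(name, {"levels": [], "ranges": []})
        if kind == "level":
            entry["levels"].append(SEVERITIES.index(arg))
        else:
            lo, _, hi = arg.partition("-")  # a single ID or a lo-hi range
            entry["ranges"].append((int(lo), int(hi or lo)))
    return lists


def parse_tag(tag):
    """'%ASA-4-419002' -> (severity 4, message id 419002)."""
    sev, msg_id = TAG_RE.search(tag).groups()
    return int(sev), int(msg_id)


def would_forward(text, list_name, tag):
    """Assumption modeled here: any matching entry selects the message; entries
    never subtract. A lower severity number means a more severe message."""
    entry = parse_logging_lists(text)[list_name]
    severity, msg_id = parse_tag(tag)
    if any(severity <= lvl for lvl in entry["levels"]):
        return True
    return any(lo <= msg_id <= hi for lo, hi in entry["ranges"])
```

Run against the quoted list, 419002 (severity 4, visible in the %ASA-4-419002 tag) is still selected by the "level notifications" entry even though every message range skips it; with that entry removed, the ranges alone leave it out.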
