Log Retrieval

Log files can be retrieved with the file transfer protocols described in the following table. You set the protocol when you create or edit a log subscription in the GUI, or by using the logconfig command in the CLI.

FTP Poll

With this type of file transfer, a remote FTP client accesses the appliance to retrieve log files by using the user name and passphrase of an administrator-level or operator-level user. When configuring a log subscription to use the FTP poll method, you must supply the maximum number of log files to retain. When the maximum number is reached, the system deletes the oldest file.

FTP Push

With this type of file transfer, the appliance periodically pushes log files to an FTP server on a remote computer. The subscription requires a user name, passphrase, and destination directory on the remote computer. Log files are transferred based on the configured rollover schedule.

SCP Push

With this type of file transfer, the appliance periodically pushes log files to an SCP server on a remote computer. The remote computer must run an SSH server that accepts SCP over the SSH2 protocol. The subscription requires a user name, an SSH key (the appliance authenticates with the key rather than with a passphrase), and a destination directory on the remote computer. Log files are transferred based on the configured rollover schedule.

Syslog Push

With this type of file transfer, the appliance sends log messages to a remote syslog server. This method conforms to RFC 3164. You must specify a hostname for the syslog server and choose either UDP or TCP for log transmission. The port used is 514 by default; in AsyncOS 14.1.0 the port number can be any value from 1 to 65535. A facility can be selected for the log; however, a default for the log type is preselected in the drop-down menu. Only text-based logs can be transferred using syslog push.

Enter the maximum size of a log message to send to the remote server. For the TCP protocol, the maximum message size must be an integer from 1024 to 65535; for the UDP protocol, it must be an integer from 1024 to 9216.

Use the TLS option to send log messages from your Cisco Secure Email and Web Manager to the remote syslog server over a TLS connection.

Note

If you select the TLS option, make sure you add a valid client certificate to your Secure Email and Web Manager so that a TLS connection can be established between your Cisco Secure Email and Web Manager and the remote syslog server.
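The following Python script is added here as an illustration and is not part of the Cisco documentation or of AsyncOS. It shows what the syslog push settings above mean on the wire: it checks a subscription against the documented ranges (port 1-65535, message size 1024-65535 for TCP and 1024-9216 for UDP), computes the RFC 3164 PRI from the selected facility and a severity, builds one message truncated to the configured maximum, and parses it back the way a collector would. The SyslogPushConfig class, the function names, the sample hostname and the sample mail_logs line are this example's own; the LF framing for TCP and the ASCII encoding are assumptions, and TLS delivery is not shown.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# RFC 3164 facility and severity codes (section 4.1.1 of the RFC).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Per-transport message size limits as documented above.
MESSAGE_SIZE_RANGE = {"tcp": (1024, 65535), "udp": (1024, 9216)}

# Constructed timestamp so the example output is reproducible.
SAMPLE_TIME = datetime(2023, 10, 11, 22, 14, 15)


@dataclass(frozen=True)
class SyslogPushConfig:          # hypothetical model of one log subscription
    host: str
    protocol: str                # "udp" or "tcp"
    facility: str
    max_message_size: int
    port: int = 514              # documented default


def config_errors(cfg: SyslogPushConfig) -> list:
    """Return the reasons the subscription would be rejected (empty list if valid)."""
    errors = []
    if cfg.protocol not in MESSAGE_SIZE_RANGE:
        errors.append(f"protocol must be udp or tcp, not {cfg.protocol!r}")
    else:
        lo, hi = MESSAGE_SIZE_RANGE[cfg.protocol]
        if not lo <= cfg.max_message_size <= hi:
            errors.append(f"max message size {cfg.max_message_size} outside "
                          f"{lo}-{hi} for {cfg.protocol}")
    if not 1 <= cfg.port <= 65535:
        errors.append(f"port {cfg.port} outside 1-65535")
    if cfg.facility not in FACILITIES:
        errors.append(f"unknown facility {cfg.facility!r}")
    return errors


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. local7/info -> 190."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def rfc3164_timestamp(dt: datetime) -> str:
    """'Mmm dd hh:mm:ss' with a space-padded day, as RFC 3164 requires."""
    return f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"


def build_message(cfg, severity, dt, hostname, tag, content) -> bytes:
    """Format one message, cut it to the configured maximum and frame it for the transport.

    UDP carries one message per datagram. For TCP the line is terminated with LF
    (assumed non-transparent framing) and that byte is counted against the limit.
    """
    line = f"<{pri(cfg.facility, severity)}>{rfc3164_timestamp(dt)} {hostname} {tag}: {content}"
    data = line.encode("ascii", errors="replace")
    limit = cfg.max_message_size - (1 if cfg.protocol == "tcp" else 0)
    data = data[:limit]
    return data + b"\n" if cfg.protocol == "tcp" else data


_RFC3164 = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)


def parse_message(data: bytes) -> dict:
    """Decode a received line back into its fields, as a collector would."""
    m = _RFC3164.match(data.rstrip(b"\n"))
    if not m:
        raise ValueError("not an RFC 3164 message")
    p = int(m["pri"])
    if p > 191:                  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {p} out of range 0-191")
    return {
        "pri": p, "facility": p // 8, "severity": p % 8,
        "timestamp": m["ts"].decode(), "host": m["host"].decode(),
        "tag": m["tag"].decode(), "msg": m["msg"].decode(),
    }


if __name__ == "__main__":
    cfg = SyslogPushConfig("siem.example.net", "tcp", "local7", 1024)
    print(config_errors(cfg))
    msg = build_message(cfg, "info", SAMPLE_TIME, "esa01", "mail_logs",
                        "Info: MID 4512 ICID 2201 From: <sender@example.com>")
    print(msg, parse_message(msg), sep="\n")
```

Two things the script makes visible that the table does not: a message longer than the configured maximum is simply cut, so an overly small size setting silently drops the end of long log lines, and the facility is encoded into the PRI, so a collector that filters on facility must be told which one the subscription uses.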


Syslog Disk Buffer [Applicable for TCP protocol only]: Select this check box to configure a local disk buffer for a syslog push log subscription, which allows the Secure Email and Web Manager to cache log events while the remote syslog server is unavailable. When the syslog server becomes available again, the Secure Email and Web Manager sends all the data buffered for that log subscription to the syslog server.

Note

  • Ensure that the syslog server is running before starting this procedure to avoid loss of log data.

  • Determine the size of the local disk buffer, allowing enough space to accommodate the maximum expected period of down time for the syslog server. This avoids the loss of log data.

  • If you have a secondary log subscription for local retention, Cisco recommends you cancel the secondary subscription to allow space for the local disk buffer for the primary subscription.

  • The Secure Email and Web Manager may not be able to cache the first several seconds of log data after loss of connection to the syslog server. This is due to characteristics of syslog over TCP.

  • The default syslog disk buffer size is 100MB. The maximum disk buffer size allowed is 1GB. You can enter the size in bytes (1073741824), megabytes (1M), or gigabytes (1G).
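To turn the sizing advice in the notes above (enough buffer for the longest expected syslog outage, a 100MB default, a 1GB ceiling, sizes written as bytes, M or G) into a concrete check, here is an added Python example that is not part of the Cisco documentation or of AsyncOS. It parses a buffer size as the page spells it, enforces the 1G maximum, estimates the average event size from constructed sample mail_logs lines, and reports whether a configured buffer covers a given outage at a given log rate. The 1.5 headroom factor, the 40-byte syslog header overhead, the function names and the reading of M as 1024**2 are assumptions of this example.

```python
import math
import re

# Limits stated in the documentation above: 100MB default, 1GB (1073741824 bytes) ceiling.
DEFAULT_BUFFER_BYTES = 100 * 1024 ** 2
MAX_BUFFER_BYTES = 1024 ** 3

# Accepted spellings: plain bytes, "<n>M" or "<n>G". The page gives 1G = 1073741824,
# so M is treated as 1024**2 here (assumption by analogy, not stated on the page).
_SIZE_RE = re.compile(r"^\s*(\d+)\s*([MmGg]?)\s*$")
_MULTIPLIER = {"": 1, "m": 1024 ** 2, "g": 1024 ** 3}

# Constructed sample mail_logs lines, used only to estimate the average event size.
SAMPLE_LOG_LINES = [
    "Wed Oct 11 22:14:15 2023 Info: MID 4512 ICID 2201 From: <sender@example.com>",
    "Wed Oct 11 22:14:15 2023 Info: MID 4512 ICID 2201 RID 0 To: <user@example.org>",
    "Wed Oct 11 22:14:16 2023 Info: MID 4512 Message-ID '<20231011221415.1@example.com>'",
    "Wed Oct 11 22:14:16 2023 Info: MID 4512 queued for delivery",
]
# Bytes the syslog header (PRI, timestamp, host, tag) adds in front of each line.
# Assumed figure; measure it on your own collector.
SYSLOG_HEADER_OVERHEAD = 40


def parse_buffer_size(text: str) -> int:
    """Convert '1073741824', '100M' or '1G' to bytes and enforce the documented 1G ceiling."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised buffer size {text!r}")
    size = int(m.group(1)) * _MULTIPLIER[m.group(2).lower()]
    if size < 1 or size > MAX_BUFFER_BYTES:
        raise ValueError(f"{text!r} is {size} bytes; allowed range is 1-{MAX_BUFFER_BYTES}")
    return size


def is_valid_buffer_size(text: str) -> bool:
    try:
        parse_buffer_size(text)
        return True
    except ValueError:
        return False


def average_event_bytes(lines, header_overhead=SYSLOG_HEADER_OVERHEAD) -> float:
    """Mean on-the-wire size of one event: log line plus the syslog header in front of it."""
    return sum(len(line.encode("utf-8")) for line in lines) / len(lines) + header_overhead


def required_buffer_bytes(events_per_second, avg_event_bytes, outage_seconds, headroom=1.5):
    """Bytes needed to hold `outage_seconds` of traffic, with headroom for bursts (assumed 1.5x)."""
    return math.ceil(events_per_second * avg_event_bytes * outage_seconds * headroom)


def covered_outage_seconds(buffer_bytes, events_per_second, avg_event_bytes) -> float:
    """How long a buffer of this size lasts at a steady event rate."""
    return buffer_bytes / (events_per_second * avg_event_bytes)


def plan_buffer(configured, events_per_second, avg_event_bytes, outage_seconds) -> dict:
    """Compare a configured size (as typed into the GUI) against the outage it must cover."""
    configured_bytes = parse_buffer_size(configured)
    required = required_buffer_bytes(events_per_second, avg_event_bytes, outage_seconds)
    covered = covered_outage_seconds(configured_bytes, events_per_second, avg_event_bytes)
    if required <= configured_bytes:
        advice = "ok: configured buffer covers the expected outage"
    elif required <= MAX_BUFFER_BYTES:
        advice = f"raise the buffer to at least {required} bytes"
    else:
        advice = (f"exceeds the 1G maximum (needs {required} bytes): shorten the tolerated "
                  f"outage, cut the log volume, or accept loss beyond {covered:.0f} s")
    return {
        "configured_bytes": configured_bytes,
        "required_bytes": required,
        "sufficient": required <= configured_bytes,
        "covered_seconds": covered,
        "advice": advice,
    }


if __name__ == "__main__":
    avg = average_event_bytes(SAMPLE_LOG_LINES)
    # 200 events/s for a one-hour outage on the 100MB default buffer.
    print(plan_buffer("100M", 200, avg, 3600))
```

The run in the script shows that the default 100MB buffer holds well under an hour of logs at a few hundred events per second, so a site that routinely sees longer syslog server maintenance windows needs the 1G setting or a shorter outage budget. Note that the buffer exists only for TCP subscriptions, and no amount of headroom recovers the first seconds after the connection drops, which the page says may not be cached at all.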