HolyGuacamole,
Thanks for the reply.
Following are a few of the MANY Syslog messages received on the ASAs that I expected to find as LEM Events. (Yes, the IP addresses and ACL names have been changed.) However, searching LEM, I was not able to find any Events. I thought that was strange since two separate ASAs had the same syslog messages in their syslogs. Hence, I posted to Thwack.
Feb 26 2015 11:36:00: %ASA-4-410001: Dropped UDP DNS reply from outside:1.1.1.1/53 to dmz:dnsfwd2/59149; packet length 650 bytes exceeds configured limit of 512 bytes
Feb 26 2015 11:36:04: %ASA-4-410001: Dropped UDP DNS reply from outside:2.2.2./53 to dmz:dnsfwd2/59149; packet length 650 bytes exceeds configured limit of 512 bytes
Feb 26 2015 11:36:12: %ASA-4-410001: Dropped UDP DNS reply from outside:1.1.1.1/53 to dmz:dnsfwd2/59415; packet length 530 bytes exceeds configured limit of 512 bytes
Feb 26 2015 11:36:12: %ASA-4-410001: Dropped UDP DNS reply from outside:2.2.2.2/53 to dmz:dnsfwd2/59415; packet length 530 bytes exceeds configured limit of 512 bytes
Please note: updating the DNS inspection policy on the ASAs corrected the issue. So, duplicating it would cause a company-wide DNS issue. However, I need to get a better handle on which Syslog messages will generate a LEM Event and which Syslog messages will not generate a LEM Event.
Thank you,
T.J.