12-23-2007 08:29 AM - edited 03-10-2019 03:55 AM
Is it possible to configure IPS to send messages to a syslog server? If yes, then I request you to share the steps.
12-24-2007 02:37 AM
Yes, it's possible to configure IPS to send syslog msgs to a syslog server.
Configure the commands:
logging enable
logging timestamp
logging asdm informational
logging device-id ipaddress inside
logging host inside 192.168.3.10
logging debug-trace
1st & 5th commands from top to bottom are required. The rest depends upon your requirement of capturing packets into the syslog server. All these commands get inserted automatically if you configure syslog from device manager.
rate if it helps..
01-05-2008 05:35 PM
So this works for the asa-ssm?
02-05-2008 12:10 PM
Hello. I have the following configured in my ASA 5520 (v7.0, with AIP-SSM20):
logging enable
logging timestamp
logging asdm informational
logging device-id hostname
logging host INSIDE
logging host INSIDE
logging debug-trace
No IPS events (and there are many) are received by the syslog server, but many ASA log messages are, so I know the log server is receiving from the ASA. Is it a version issue? Other suggestions? Thanks.
02-06-2008 08:51 PM
Hi!!
I do have ASA with version 7.2 (1) with the same configuration. It is working fine.
I am not very sure whether the issue is with 7.0 or not. You can give it a try with 7.2.
02-06-2008 08:55 PM
Config should look like this:
logging enable
logging timestamp
logging asdm informational
logging device-id ipaddress inside
logging host inside 192.168.3.10
logging debug-trace
Your 4th line looks a bit different. Could you please check the same?
Please rate if it helps.
12-26-2007 07:18 AM
For ASA, you've already got your response. For IPS sensor appliances, the answer is no.
01-07-2008 10:59 PM
Hi
In IPS, logging enable does not work, so I think syslog is not supported in IPS.
Thanks
Biplob
01-07-2008 11:09 PM
In the IPS appliance syslog is not being supported. But in AIP-SSM it can be configured. We have one site where it is being configured & working fine.
Please rate if it helps.
01-07-2008 11:24 PM
Hi
So is there any procedure to track the log, like user access, in IPS?
If I enable Trap destination, will I then get any feedback in the trap server?
Thanks
Biplob
01-08-2008 03:36 AM
You mean to say a user trying to access the IPS sensor? Do you want that very log?
01-08-2008 10:38 PM
Hi
You are absolutely right. I want that.
Thanks
Biplob
02-14-2008 10:12 AM
NO you cannot send IPS logs to syslog server
IPS only allows you to extract events or traffic in PCAP format
03-21-2008 07:44 AM
Hi acharyr123,
I have an ASA5510-K8 with SSM-10. I have the following configuration and show output:
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging device-id ipaddress inside
logging host inside syslog_IPadd
logging debug-trace
!
!
xxxfw# show log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level notifications, facility 20, 7765726 messages logged
Logging to inside syslog_IPadd errors: 157 dropped: 1869
History logging: disabled
Device ID: 'inside' interface IP address "ipadd"
Mail logging: disabled
ASDM logging: level informational, 7766816 messages logged
xxxfw#
!
!
xxxfw# show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510-K8         JMX1044K1F1
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAF10342417

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 000a.b89c.c6e0 to 000a.b89c.c6e4  1.1          1.0(11)2     7.2(1)
  1 000a.b89c.c932 to 000a.b89c.c932  1.0          1.0(11)2     6.0(3)E1

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.0(3)E1

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up
xxxfw#
!
!
!
But the syslog server only receives ASA events, not SSM-10 IPS events. You've mentioned it works at your site; is there anything else I should look into?
Thanks, and I'd appreciate it if I could find the answer here; this has been bugging me for quite some time.
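An added example, not part of any post in this thread: a Python check of the ASA side of this setup, which confirms that the two commands the accepted answer calls required are present and reads the per-server error and drop counters from `show log` output. The sample text is constructed from the formats quoted above, and 192.0.2.10 is a documentation address standing in for the redacted server.

```python
import re

# Constructed samples modelled on the thread's config and "show log" output.
# 192.0.2.10 is a documentation address standing in for the redacted server.
SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging trap notifications
logging host inside 192.0.2.10
"""
SAMPLE_SHOW_LOG = """\
Syslog logging: enabled
    Trap logging: level notifications, facility 20, 7765726 messages logged
        Logging to inside 192.0.2.10 errors: 157 dropped: 1869
"""

def check_config(config):
    """List problems with the two commands the thread calls required."""
    lines = [" ".join(l.split()) for l in config.splitlines() if l.strip()]
    problems = []
    if "logging enable" not in lines:
        problems.append("missing 'logging enable'")
    hosts = [l for l in lines if l.startswith("logging host ")]
    if not hosts:
        problems.append("missing 'logging host <interface> <server>'")
    for line in hosts:
        # Expected shape: logging host <interface> <server> [options]
        if len(line.split()) < 4:
            problems.append("'%s' names no server" % line)
    return problems

def parse_show_log(output):
    """Extract the syslog state and per-server error/drop counters."""
    state = re.search(r"Syslog logging:\s*(\w+)", output)
    trap = re.search(
        r"Trap logging: level (\w+), facility (\d+), (\d+) messages logged", output)
    servers = [
        {"interface": i, "server": s, "errors": int(e), "dropped": int(d)}
        for i, s, e, d in re.findall(
            r"Logging to (\S+) (\S+) errors: (\d+) dropped: (\d+)", output)
    ]
    return {
        "enabled": bool(state) and state.group(1) == "enabled",
        "trap_level": trap.group(1) if trap else None,
        "messages_logged": int(trap.group(3)) if trap else 0,
        "servers": servers,
    }

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG))
    print(parse_show_log(SAMPLE_SHOW_LOG))
```

This covers the ASA's own syslog path only; a non-zero `dropped` counter means messages the ASA generated never reached the server.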
03-21-2008 12:08 PM
Well, I am just trying to save your time. The answer is NO.
Well, there is no way to point the clear text log files to a logging server from the IPS/SSM module, as the SSM needs SDEE communication to extract the files and would export the files in XML format.
There is the IP logging command, which would only allow you to capture packets in binary format, or else you may use the event tab to collect the events on the IPS:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/idmguide/dmmntr.htm#wp1039901
Therefore you may either use Cisco Mars/CSM if you need extensive logging, or else you may install IEV:
http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev
HTH !!