Syslog configuration for ips

cisco__kaushik
Level 4

Is it possible to configure IPS to send messages to a syslog server? If yes, then I request you to share the steps.

1 Accepted Solution


acharyr123
Level 3

Yes, it's possible to configure IPS to send syslog messages to a syslog server.

Configure these commands:

    logging enable
    logging timestamp
    logging asdm informational
    logging device-id ipaddress inside
    logging host inside 192.168.3.10
    logging debug-trace

The 1st and 5th commands from the top are required. The rest depend upon your requirement of capturing packets into the syslog server. All these commands get inserted automatically if you configure syslog from the device manager.

Rate if it helps.

So this works for the asa-ssm?

Hello. I have the following configured in my ASA 5520 (v7.0, with AIP-SSM20):

    logging enable
    logging timestamp
    logging asdm informational
    logging device-id hostname
    logging host INSIDE
    logging host INSIDE
    logging debug-trace

No IPS events (and there are many) are received by the syslog server, but many ASA log messages are, so I know the log server is receiving from the ASA. Is it a version issue? Other suggestions? Thanks.

Hi!!

I do have ASA with version 7.2 (1) with the same configuration. It is working fine.

I am not very sure whether the issue is with 7.0 or not. You can give 7.2 a try.

Config should look like this:

    logging enable
    logging timestamp
    logging asdm informational
    logging device-id ipaddress inside
    logging host inside 192.168.3.10
    logging debug-trace

Your 4th line looks a bit different. Could you please check the same?

Please rate if it helps.

mhellman
Level 7

For ASA, you've already got your response. For IPS sensor appliances, the answer is no.

Hi,

In IPS, logging enable does not work, so I think syslog is not supported in IPS.

Thanks

Biplob

In the IPS appliance, syslog is not supported. But in AIP-SSM it can be configured. We have one site where it is configured and working fine.

Please rate if it helps.

Hi,

So is there any procedure to track logs like user access in IPS?

If I enable a trap destination, will I get any feedback on the trap server?

Thanks

Biplob

You mean to say a user trying to access the IPS sensor? Do you want that very log?

Hi,

You are absolutely right. I want that.

Thanks

Biplob

No, you cannot send IPS logs to a syslog server.

IPS only allows you to extract events or traffic in PCAP format.

Hi acharyr123,

I have an ASA5510-K8 with SSM-10, with the following configuration and show output:

    logging enable
    logging timestamp
    logging trap notifications
    logging asdm informational
    logging device-id ipaddress inside
    logging host inside syslog_IPadd
    logging debug-trace
    !
    !
    xxxfw# show log
    Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level notifications, facility 20, 7765726 messages logged
    Logging to inside syslog_IPadd errors: 157 dropped: 1869
    History logging: disabled
    Device ID: 'inside' interface IP address "ipadd"
    Mail logging: disabled
    ASDM logging: level informational, 7766816 messages logged
    xxxfw#
    !
    !
    xxxfw# show module

    Mod Card Type                                    Model              Serial No.
    --- -------------------------------------------- ------------------ -----------
      0 ASA 5510 Adaptive Security Appliance         ASA5510-K8         JMX1044K1F1
      1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAF10342417

    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
    --- --------------------------------- ------------ ------------ ---------------
      0 000a.b89c.c6e0 to 000a.b89c.c6e4  1.1          1.0(11)2     7.2(1)
      1 000a.b89c.c932 to 000a.b89c.c932  1.0          1.0(11)2     6.0(3)E1

    Mod SSM Application Name           Status           SSM Application Version
    --- ------------------------------ ---------------- --------------------------
      1 IPS                            Up               6.0(3)E1

    Mod Status             Data Plane Status     Compatibility
    --- ------------------ --------------------- -------------
      0 Up Sys             Not Applicable
      1 Up                 Up

    xxxfw#
    !
    !
    !

But the syslog server only receives ASA events, not SSM-10 IPS events. You've mentioned it works at your site; is there anything else I should look into?

Thanks, and I'd appreciate it if I could find the answer here; this has been bugging me for quite some time.
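
Added example (not part of the original thread): the `show log` output in the post above reports non-zero `errors` and `dropped` counters for the logging host, which means some ASA messages are not reaching the server either. This Python script parses that header and flags such conditions; the function name `audit_show_logging` is made up for illustration, and the sample lines are copied from the post.

```python
import re

# Lines copied from the `show log` output in the post above; the host name
# is the poster's own placeholder.
SAMPLE = """\
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Trap logging: level notifications, facility 20, 7765726 messages logged
Logging to inside syslog_IPadd errors: 157 dropped: 1869
ASDM logging: level informational, 7766816 messages logged
"""

TRAP_RE = re.compile(r"Trap logging: level (\S+), facility \d+, (\d+) messages logged")
HOST_RE = re.compile(r"Logging to (\S+)\s+(\S+)\s+errors: (\d+)\s+dropped: (\d+)")


def audit_show_logging(text):
    """Parse the header of ASA `show logging` output; return (summary, findings)."""
    summary = {"enabled": False, "trap_level": None, "trap_logged": 0, "hosts": []}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Syslog logging:"):
            summary["enabled"] = line.split(":", 1)[1].strip() == "enabled"
        elif m := TRAP_RE.match(line):
            summary["trap_level"], summary["trap_logged"] = m.group(1), int(m.group(2))
        elif m := HOST_RE.match(line):
            summary["hosts"].append({"interface": m.group(1), "host": m.group(2),
                                     "errors": int(m.group(3)), "dropped": int(m.group(4))})

    findings = []
    if not summary["enabled"]:
        findings.append("syslog logging is not enabled")
    if summary["trap_level"] is None:
        findings.append("trap logging shows no severity level")
    if not summary["hosts"]:
        findings.append("no logging host line found")
    for h in summary["hosts"]:
        # Non-zero counters mean the server's record of ASA events has gaps.
        if h["errors"] or h["dropped"]:
            findings.append(f"{h['host']} via {h['interface']}: "
                            f"{h['errors']} send errors, {h['dropped']} dropped")
    return summary, findings


if __name__ == "__main__":
    summary, findings = audit_show_logging(SAMPLE)
    print(summary)
    for finding in findings:
        print("FINDING:", finding)
```
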

Well, I am just trying to save your time. The answer is NO.

Well, there is no way to point the clear-text log files to a logging server from the IPS/SSM module, as the SSM needs SDEE communication to extract the files and would export the files in XML format.

There is the IP logging command, which would only allow you to capture packets in binary format, or else you may use the event tab to collect the events on the IPS.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/idmguide/dmmntr.htm#wp1039901

Therefore you may either use Cisco MARS/CSM if you need extensive logging, or else you may install IEV.

http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev

HTH !!
