Creating custom event lists to be sent to syslog server (ASA 5520)

Feb 19th, 2008

Hi, I'm hoping this is possible. I need to set the syslog ID of 106023 to error level (currently warning) only for about a dozen IP addresses (as it generates millions of logs). Can I do this? I can't see a way.

jamesgonzo Tue, 02/19/2008 - 07:44

It's all or nothing then?


I want to basically send alerts to my syslog server when my DMZ web servers (on my ASA) have denied access to Internet users attempting to hack. 106023 ID shows this.

abinjola (Cisco Employee) Tue, 02/19/2008 - 08:04

You can't lower the log level for a specific message ID for a few IPs, though you may filter it on the KIWI log server.

jamesgonzo Tue, 02/19/2008 - 08:06

I want to basically send alerts to my syslog server when my DMZ web servers (on my ASA) have denied access to Internet users attempting to hack. 106023 ID shows this.


106023 creates too many alerts on its own for my database; I think it will fill up fast. What a shame.

abinjola (Cisco Employee) Tue, 02/19/2008 - 08:12

Do you want to report all the traffic for 106023 to KIWI? Well, that's possible; however, as whitefor asked, you can't point logs for this message ID for a few IPs... either it's all traffic or none at all.

jamesgonzo Tue, 02/19/2008 - 08:33

Unless it's possible to create an access rule which includes my external web server IP range and if anything is denied/triggered then log it to critical?
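The receiver-side filtering suggested in the replies above can be sketched as follows. This is an added example, not part of the original thread and not Kiwi's own configuration: it keeps only 106023 denies whose destination is on a watch list and re-tags them as severity 3 (error). The watch list, addresses, interface names and sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed watch list: the DMZ web servers whose denies should be kept.
WATCHED = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}

# Body of a 106023 deny: "src if:addr[/port] ... dst if:addr[/port]".
# The port is optional because ICMP denies carry "(type N, code N)" instead.
DENY_106023 = re.compile(
    r"%ASA-(?P<level>\d)-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[^/\s(]+)(?:/(?P<sport>\d+))?.*? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s(]+)(?:/(?P<dport>\d+))?"
)

def watched_denies(lines, watched=WATCHED, new_level=3):
    """Yield (rewritten_line, fields) for 106023 denies aimed at a watched host."""
    for line in lines:
        m = DENY_106023.search(line)
        if not m:
            continue  # other message IDs pass through untouched elsewhere
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address: never alert on unparsable input
        if dst not in watched:
            continue  # the bulk of 106023 traffic is dropped here
        start, end = m.span("level")
        # Re-tag severity locally (3 = error); the ASA still sends level 4.
        yield line[:start] + str(new_level) + line[end:], m.groupdict()

# Constructed sample input.
SAMPLE = [
    'Feb 19 2008 07:44:01 asa : %ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 '
    'dst dmz:192.0.2.10/80 by access-group "outside_access_in" [0x0, 0x0]',
    'Feb 19 2008 07:44:02 asa : %ASA-4-106023: Deny udp src outside:203.0.113.9/53 '
    'dst dmz:192.0.2.99/53 by access-group "outside_access_in" [0x0, 0x0]',
    'Feb 19 2008 07:44:03 asa : %ASA-4-106023: Deny icmp src outside:198.51.100.7 '
    'dst dmz:192.0.2.11 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]',
    'Feb 19 2008 07:44:04 asa : %ASA-6-302013: Built inbound TCP connection 1 for '
    'outside:198.51.100.7/51235 (198.51.100.7/51235) to dmz:192.0.2.10/443 (192.0.2.10/443)',
]

if __name__ == "__main__":
    for rewritten, _ in watched_denies(SAMPLE):
        print(rewritten)
```

The ASA still emits every 106023 message, so this reduces what reaches the alert database, not the volume on the wire.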
