
Email alert on asa for successful login to asa

jvalin__s
Level 1

Hi guys,

Just wanted to know how to configure the asa with email alerts for successful login to asa using telnet or asdm.

Thanks,

Jvalin

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

I don't see logging list assigned to logging mail.

logging mail list NAME_OF_LIST


Marcin Latosiewicz
Cisco Employee

Jvalin,

I assume you have everything but logging component configured.

How about creating a logging list of interesting syslogs and sending them?

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772936

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1773126

Messages indexed:

https://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html

maybe:

710002

Marcin

Marcin,

Thanks for the links, I checked all those but still the mails are not working.

What I did in ASDM is:

1) setup the SMTP server - "internal ip address of the mail-server"

2) configured "send from email address"

3) configured "send to email address"

4) configured "event-list" --> event-class as auth and severity - alert

                    "event-list" --> event-class as config and severity - alert

5) configured "logging filters" and in the email section I gave the event-list as the severity

Anything else am I forgetting?

Regards,

Jvalin

Jvalin,

Can you rather show the CLI config? No access to ASDM on my side.

-------

show run logg

show run smtp-s (or maybe show run smtp?)

--------

Marcin

I remember an earlier thread that I answered a while ago. It ended up being the e-mail server not accepting e-mails from the firewall's IP address.

Pls. make sure the e-mail server is configured to accept e-mail from the firewall's IP address.

Wireshark capture on the e-mail server will be useful as well.

Just move one of the normal messages like 111008 to level 1 for testing purpose only and issue a "write mem" that should trigger an e-mail to be sent.

logging message 111008 level 1

Once the test is done you can remove the above line.

-KS

logging enable

logging timestamp

logging list email-for-login level emergencies class auth

logging list email-for-login level emergencies class config

logging list email-for-login message 111008

logging history informational

logging asdm informational

logging recipient-address xxxx@abc.com level emergencies

logging facility 23

logging debug-trace

logging class auth mail alerts
logging class config mail alerts
logging message 111008 level alerts

Is this ok guys??

Yes that appears correct.  You have the smtp-server configured right?

command - smtp-server

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1507977

-KS

asa5510# sh run smtp-server

smtp-server 192.168.102.50

asa5510#

I don't see logging list assigned to logging mail.

logging mail list NAME_OF_LIST

logging enable

logging timestamp

logging list email-for-login level alerts class auth

logging list email-for-login level alerts class config

logging list email-for-login message 111008

logging history informational

logging asdm informational

logging mail email-for-login----------------------------------------->>>i gave it afterwards

logging from-address abc@xxx.com

logging recipient-address abc@xxx.com level alerts

logging facility 23

logging debug-trace

logging class auth mail alerts

logging class config mail alerts

logging message 111008 level alerts

It's working now guys. Thanks to both of you.
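The gap found above (a logging list that exists but is never handed to the mail destination) can be checked mechanically. The following is an added example, not part of the original posts: the function name `check_mail_logging` and the two config samples are constructed from the lines shown in this thread, and the `logging mail <list-name>` form is the one from the working config above.

```python
import re

# Constructed sample: the thread's logging config before the fix, with the
# list defined but never assigned to the mail destination.
BEFORE_FIX = """\
logging enable
logging list email-for-login level alerts class auth
logging list email-for-login message 111008
logging from-address abc@xxx.com
logging recipient-address abc@xxx.com level alerts
smtp-server 192.168.102.50
"""
AFTER_FIX = BEFORE_FIX + "logging mail email-for-login\n"

SEVERITIES = {"emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"}
REQUIRED = ["logging enable", "smtp-server ", "logging from-address ",
            "logging recipient-address "]

def check_mail_logging(config):
    """Return the problems that would keep syslog e-mail from being sent."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    problems = [f"missing '{p.strip()}'" for p in REQUIRED
                if not any(l.startswith(p) for l in lines)]
    lists, mail = set(), []
    for l in lines:
        if m := re.match(r"logging list (\S+) ", l):
            lists.add(m.group(1))
        elif m := re.match(r"logging mail (\S+)$", l):
            mail.append(m.group(1))
    if not mail:
        problems.append("no 'logging mail' line, nothing is selected for e-mail")
    for target in mail:
        # The argument is a list name or a severity (keyword or 0-7).
        if target not in lists | SEVERITIES and not target.isdigit():
            problems.append(f"'logging mail {target}' names an undefined list")
    for name in sorted(lists - set(mail)):
        problems.append(f"list '{name}' is defined but not assigned to logging mail")
    return problems

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, check_mail_logging(cfg) or "OK")
```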

Guys,

By configuring these commands,

I am getting alerts only when anybody configures using ASDM,

but not by command line.

Any ideas greatly appreciated.

Regards,

Jvalin

710002 would be the message you're looking for when someone logs in.  I'd have to dig in a bit more to see what ASDM puts in syslogs. Or you can check it by monitoring logging to other facilities.

Are you looking for these messages?

When you ssh to the unit you see the following:
Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"
Jun 06 2010 13:03:09: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:03:09: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:03:09: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.

When you telnet to the unit you see the following.

Jun 06 2010 13:04:16: %ASA-6-605005: Login permitted from 192.168.2.2/1308 to inside:192.168.2.1/telnet for user ""
Jun 06 2010 13:04:20: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:04:20: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
Jun 06 2010 13:04:20: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:04:20: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:04:20: %ASA-5-111008: User 'enable_1' executed the 'enable' command.

Both ssh and telnet log the same syslog messages. Whichever message you are interested in just add them to the mail list.

-KS
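The same messages can also be picked out on a syslog collector. The following is an added example, not part of the original posts: it parses the log lines quoted above and returns one record per 605005 login; the function name `management_logins` and the pairing rule (take the user from the next 611101 when 605005 carries an empty one) are assumptions made for this sketch.

```python
import re

# Syslog lines copied from the SSH and telnet captures in the thread.
SAMPLE = '''\
Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.
Jun 06 2010 13:04:16: %ASA-6-605005: Login permitted from 192.168.2.2/1308 to inside:192.168.2.1/telnet for user ""
Jun 06 2010 13:04:20: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:04:20: %ASA-6-611101: User authentication succeeded: Uname: cisco
'''

LINE = re.compile(r"^(?P<time>\w{3} \d{2} \d{4} [\d:]{8}): "
                  r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
LOGIN = re.compile(r'Login permitted from (?P<src>[\d.]+)/\d+ to '
                   r'(?P<ifc>[^:]+):(?P<dst>[\d.]+)/(?P<svc>\w+) '
                   r'for user "(?P<user>[^"]*)"')
UNAME = re.compile(r"User authentication succeeded: Uname: (?P<user>\S+)")

def management_logins(log):
    """Return one record per 605005 line, with the user name filled in."""
    logins, pending = [], None
    for raw in log.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        if line["id"] == "605005":
            hit = LOGIN.search(line["text"])
            if hit:
                pending = dict(hit.groupdict(), time=line["time"])
                logins.append(pending)
        elif line["id"] == "611101" and pending is not None:
            # Telnet logs 605005 with user ""; the name only appears in the
            # 611101 that follows. Pairing by order is a heuristic and can
            # mismatch when several sessions authenticate at the same moment.
            hit = UNAME.search(line["text"])
            if hit and not pending["user"]:
                pending["user"] = hit["user"]
            pending = None
    return logins

if __name__ == "__main__":
    for rec in management_logins(SAMPLE):
        print("{time} {svc} login by {user!r} from {src} on {ifc}".format(**rec))
```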
