ASA Syslog config question

smjaggers
Level 1

Hello All,

I can't seem to get ASA authentication requests or config change alerts to be forwarded to our syslog server.  I'm able to see all normal ASA messages, blocked messages, VPN authentications, etc., but if I fail a login or make config changes, it does not show up in our syslog server.  Here is the logging config:

logging enable
logging timestamp
logging list Failover level errors class ha
logging buffered informational
logging trap informational
logging asdm informational
logging from-address reports@company.com
logging recipient-address sjaggers@company.com level critical
logging device-id hostname
logging host inside NAC-Syslog

logging class auth console notifications trap informational asdm notifications
logging class config console notifications trap informational asdm notifications

I've turned up every level I could think of to informational, done multiple Google searches, and I am at a loss.  This is something we have to show for compliance, and is one of my last open issues, so any help is greatly appreciated.

Thanks,

Shawn

Accepted Solutions

scbrinke
Cisco Employee

Hi Shawn,

Your configuration looks correct to be sending the syslogs.  I ran a few quick tests here and these are the specific syslogs you should be on the lookout for.

Configuration Changes

===================

%ASA-5-111008: User 'enable_15' executed the 'class-map test' command.

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769400

This notification-level syslog will be issued whenever someone issues a command on the ASA.  Note that if you are logging in and then using the enable command, the username will always show up as enable_15.  Users must use the "login" command and authenticate again to retain their username.

Failed Logins

====================

%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = scott
%ASA-6-611102: User authentication failed: Uname: scott
%ASA-6-611102: User authentication failed: Uname: scott

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4774576

611102 identifies when an authentication for connections to the ASA fails.

I hope this helps in tracking down those syslogs.

-Scott
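
Added example (not part of the original post and not Cisco code): a Python filter that pulls the three message IDs named above out of collected syslog lines, flags commands logged under enable_15, and reports which IDs have no evidence yet. The function names, the sample lines and the header layout in front of %ASA are constructed assumptions.

```python
import re

# Message IDs named in the answer above and the audit event each one evidences.
AUDIT_IDS = {"111008": "config_change", "113015": "auth_rejected", "611102": "auth_failed"}

# Match only the "%ASA-<severity>-<id>: <text>" part, so any header the collector
# stores in front of it (PRI, timestamp, device-id) does not matter.
ASA_MSG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)")
CMD = re.compile(r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.")
USER = re.compile(r"(?:user = |Uname: )(?P<user>\S+)")

def audit_events(lines):
    """Return one dict per line that carries one of the audit message IDs."""
    events = []
    for line in lines:
        m = ASA_MSG.search(line)
        if not m or m["id"] not in AUDIT_IDS:
            continue
        kind = AUDIT_IDS[m["id"]]
        detail = (CMD if kind == "config_change" else USER).search(m["text"])
        user = detail["user"] if detail else None
        events.append({
            "id": m["id"], "kind": kind, "severity": int(m["sev"]), "user": user,
            "command": detail.groupdict().get("cmd") if detail else None,
            # enable_15 means "enable" was used, so the real username is not recorded.
            "attributed": user is not None and user != "enable_15",
        })
    return events

def missing_ids(events):
    """Audit message IDs with no matching line, i.e. evidence still to be found."""
    return sorted(set(AUDIT_IDS) - {e["id"] for e in events})

# Constructed sample lines; the header before %ASA is an assumed layout.
SAMPLE = [
    "Jan 10 2012 14:02:11 fw01 : %ASA-5-111008: User 'enable_15' executed the 'class-map test' command.",
    "Jan 10 2012 14:02:40 fw01 : %ASA-5-111008: User 'scott' executed the 'logging trap informational' command.",
    "Jan 10 2012 14:03:05 fw01 : %ASA-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.10/443",
    "Jan 10 2012 14:05:19 fw01 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = scott",
]

if __name__ == "__main__":
    found = audit_events(SAMPLE)
    for ev in found:
        print(ev)
    print("no lines yet for:", missing_ids(found))
```

Run against an export from the syslog server, an empty result from `missing_ids` shows that each of the three message types is arriving.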

Thanks!  I guess I wasn't formatting my queries to the syslog server right; our solution is not the most user-friendly.  I was able to find each of the classes I needed, starting with the 111008 message you specified below.  Thanks for the help.

Shawn
