ASA send syslog messages for configuration changes

Answered Question
Aug 7th, 2012

On a router you can send configuration changes to the syslog server by doing,

conf t
 archive
  log config
   logging enable
   notify syslog

Then the router will send something like,

.Aug  3 13:12:00.776 PACIFIC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no interface Loopback76

if I had typed at the command line, "no int lo76"

How do you do this on the ASA?

Goal:  I want to know when anybody does any kind of config on my ASA.

Correct Answer
Jennifer Halim Wed, 08/08/2012 - 10:24

Syslog numbers 111008 and 111010 will log the command that is entered by the user.

111010 is for configuration changes.

Here is the syslog for your information:

111008:

http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769400

111010:

http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769410

You need to enable syslog and severity level 5, and if you don't want to see any other logging, you can log only the above 2 syslog numbers.

mochix5150 Mon, 08/13/2012 - 10:22

Thanks, here's what I did,

logging list notif-cfg-changes message 111008-111010
logging list notif-cfg-changes level errors
logging trap notif-cfg-changes

I think this means send those specific messages even though they are a higher numbered level (5) than the 'error' level 3.  Then send level 3 messages.

My syslog server gets the 111008 messages.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1064820
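On the syslog server, the 111008 and 111010 messages discussed in this thread can be turned into structured audit events. The Python below is an added example, not code from the thread or from Cisco; the message body layouts are assumed, the sample lines are constructed, and the names `parse` and `audit` are hypothetical.

```python
import re

# Constructed sample lines (documentation addresses), as a syslog server might store them.
SAMPLE_LINES = [
    "Aug 13 10:20:01 192.0.2.1 %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    "Aug 13 10:20:09 192.0.2.1 %ASA-5-111010: User 'admin', running 'CLI' from IP 198.51.100.7, executed 'no logging enable'",
    "Aug 13 10:20:15 192.0.2.1 %ASA-6-302013: Built outbound TCP connection 42 for outside:203.0.113.5/443",
    "Aug 13 10:21:30 192.0.2.1 %ASA-5-111008: User 'enable_15' executed the 'write memory' command.",
]

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
# Assumed body layouts for the two message IDs named in the thread.
BODIES = {
    "111008": re.compile(r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.?$"),
    "111010": re.compile(r"User '(?P<user>[^']*)', running '(?P<app>[^']*)' "
                         r"from IP (?P<ip>\S+), executed '(?P<cmd>.*)'$"),
}

def parse(line):
    """Return an event dict for a 111008/111010 line, or None for anything else."""
    head = HEADER.search(line.rstrip())
    if not head or head["id"] not in BODIES:
        return None
    body = BODIES[head["id"]].match(head["body"])
    if body is None:
        # Keep audit lines that do not fit the assumed layout instead of dropping them.
        return {"id": head["id"], "parsed": False, "user": None, "cmd": head["body"]}
    return {"id": head["id"], "parsed": True, **body.groupdict()}

def audit(lines):
    """Collect command-audit events and mark the ones worth alerting on."""
    events = []
    for event in filter(None, map(parse, lines)):
        # Per the thread, 111010 is the message for configuration changes.
        event["config_change"] = event["id"] == "111010"
        # The audit trail depends on the logging config, so flag edits to it.
        event["touches_logging"] = bool(re.match(r"(no\s+)?logging\b", event["cmd"]))
        events.append(event)
    return events

if __name__ == "__main__":
    for e in audit(SAMPLE_LINES):
        print(e)
```

Lines that carry one of the two IDs but do not match the assumed layout are returned with `parsed` set to `False`, so a format difference on a given ASA release shows up in the output rather than as missing events.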
