ASA send syslog messages for configuration changes

Answered Question
Aug 7th, 2012

On a router you can send configuration changes to the syslog server by doing,


conf t
archive
log config
logging enable
notify syslog


Then the router will send something like,


.Aug  3 13:12:00.776 PACIFIC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no interface Loopback76


if I had typed at the command line, "no int lo76"


How do you do this on the ASA?



Goal:  I want to know when anybody does any kind of config on my ASA.

Correct Answer
Jennifer Halim (Cisco Employee) Wed, 08/08/2012 - 10:24

Syslog numbers 111008 and 111010 will log the command that is entered by the user.

111010 is for configuration changes.

Here are the syslog references for your information:

111008:
http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769400

111010:
http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769410

You need to enable syslog and severity level 5, and if you don't want to see any other logging, you can log only the above 2 syslog numbers.

Timothy Chan Mon, 08/13/2012 - 10:22

Thanks, here's what I did,


logging list notif-cfg-changes message 111008-111010
logging list notif-cfg-changes level errors
logging trap notif-cfg-changes

I think this means send those specific messages even though they are a higher numbered level (5) than the 'error' level 3.  Then send level 3 messages.


My syslog server gets the 111008 messages.



http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1064820
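
On the syslog server side, the forwarded 111008 and 111010 messages still have to be parsed to see who ran what. The following is an added example, not code from this thread or from Cisco; it assumes the message layouts shown in Cisco's syslog message reference for these two IDs, and the sample lines and function names are constructed for illustration.

```python
import re

# Layouts assumed from Cisco's syslog message reference:
#   %ASA-5-111008: User 'u' executed the 'cmd' command.
#   %ASA-5-111010: User 'u', running 'app' from IP a.b.c.d, executed 'cmd'
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>111008|111010): (?P<body>.*)$")
MSG_111008 = re.compile(
    r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.?\s*$"
)
MSG_111010 = re.compile(
    r"User '(?P<user>[^']*)', running '(?P<app>[^']*)' from IP (?P<ip>\S+), "
    r"executed '(?P<cmd>.*)'\s*$"
)

# Constructed log lines, not captured from a real device.
SAMPLE = [
    "Aug 13 2012 10:20:01: %ASA-5-111008: User 'admin' executed the "
    "'configure terminal' command.",
    "Aug 13 2012 10:20:09: %ASA-5-111010: User 'admin', running 'CLI' from IP "
    "192.0.2.10, executed 'no access-list OUTSIDE_IN extended permit tcp any any eq 22'",
    "Aug 13 2012 10:20:15: %ASA-6-302013: unrelated connection message",
]


def parse_line(line):
    """Return a dict for a 111008/111010 message, or None for anything else."""
    head = HEADER.search(line)
    if not head:
        return None
    pattern = MSG_111010 if head["id"] == "111010" else MSG_111008
    # Greedy cmd group anchored at end of line, so quotes inside the command survive.
    m = pattern.match(head["body"])
    if not m:
        return None  # known ID but unexpected layout
    event = {"id": head["id"], "severity": int(head["sev"]), **m.groupdict()}
    # Per the answer above, 111010 is the configuration-change message.
    event["config_change"] = head["id"] == "111010"
    return event


def config_changes(lines):
    """Return only the events that record a configuration change (111010)."""
    return [e for e in map(parse_line, lines) if e and e["config_change"]]


if __name__ == "__main__":
    for e in config_changes(SAMPLE):
        print(f"{e['user']} from {e['ip']} via {e['app']}: {e['cmd']}")
```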
