ASA send syslog messages for configuration changes

Answered Question
Aug 7th, 2012

On a router you can send configuration changes to the syslog server by doing,


conf t
archive
log config
logging enable
notify syslog


Then the router will send something like,


.Aug  3 13:12:00.776 PACIFIC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no interface Loopback76


if I had typed at the command line, "no int lo76"


How do you do this on the ASA?



Goal:  I want to know when anybody does any kind of config on my ASA.

Correct Answer
Jennifer Halim Wed, 08/08/2012 - 10:24
User Badges: Cisco Employee

Syslog numbers 111008 and 111010 will log the command that is entered by the user.

111010 is for configuration changes.


Here is the syslog for your information:

111008: http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769400

111010: http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4769410


You need to enable syslog, and severity level 5, and if you don't want to see any other logging, you can log only the above 2 syslog numbers.

Timothy Chan Mon, 08/13/2012 - 10:22

Thanks, here's what I did,


logging list notif-cfg-changes message 111008-111010
logging list notif-cfg-changes level errors
logging trap notif-cfg-changes


I think this means send those specific messages even though they are a higher numbered level (5) than the 'error' level 3.  Then send level 3 messages.


My syslog server gets the 111008 messages.



http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1064820
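
On the syslog server side, the two messages named in this thread can be parsed to record who ran which command and from where. The Python below is an added example, not part of the original posts; it assumes the 111008 and 111010 message text layout given in Cisco's syslog message reference, and the sample lines (hostname, users, addresses) are constructed.

```python
import re

# Constructed sample lines in the layout of ASA messages 111008 and 111010;
# the hostname, usernames and addresses are made up for this example.
SAMPLE_LINES = [
    "Aug 13 2012 10:20:01 asa1 : %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    "Aug 13 2012 10:20:09 asa1 : %ASA-5-111010: User 'admin', running 'CLI' from IP 192.0.2.10, executed 'no access-list OUTSIDE_IN line 3'",
    "Aug 13 2012 10:20:15 asa1 : %ASA-5-111010: User 'ops', running 'CLI' from IP 192.0.2.44, executed 'description 'uplink to core''",
    "Aug 13 2012 10:22:00 asa1 : %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/4411 to outside:203.0.113.1/22",
]

# Search anywhere in the line so any timestamp or device-id prefix is tolerated.
HEADER = re.compile(r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$")
BODIES = {
    # 111008: a command entered by a user
    "111008": re.compile(r"User '(?P<user>[^']*)' executed the '(?P<command>.*)' command\.?$"),
    # 111010: a command that changed the configuration
    "111010": re.compile(
        r"User '(?P<user>[^']*)', running '(?P<application>[^']*)' "
        r"from IP (?P<source_ip>[^,\s]+), executed '(?P<command>.*)'$"
    ),
}

def parse_line(line):
    """Return a dict for a 111008/111010 message, or None for anything else."""
    header = HEADER.search(line.strip())
    if not header or header["msg_id"] not in BODIES:
        return None
    body = BODIES[header["msg_id"]].match(header["body"])
    if not body:
        return None  # ID matched but the layout did not: do not guess at fields
    event = {"msg_id": header["msg_id"], "severity": int(header["severity"])}
    event.update(body.groupdict())
    return event

def config_changes(lines):
    """Keep only 111010 events, the ones the answer ties to configuration changes."""
    parsed = (parse_line(line) for line in lines)
    return [e for e in parsed if e and e["msg_id"] == "111010"]

if __name__ == "__main__":
    for change in config_changes(SAMPLE_LINES):
        print(f"{change['user']}@{change['source_ip']}: {change['command']}")
```

The command field is matched greedily up to the final quote, so commands that themselves contain single quotes are kept whole.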
