
ASA syslog configuration

mufcred16

Hi,

When I connect to the ASA 5510 via ssh session I do not see the following in syslogs

Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"
Jun 06 2010 13:03:09: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:03:09: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco

All I am seeing once the privilege level is changed is

Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:03:09: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.

And when the session is finished the User logged off.

Please what is required to see the login requests in syslog?

My ASA config is :

logging enabled

logging standby

logging monitor debugging

logging trap notifications

logging asdm informational

Many thanks

Colin


Jouni Forss
VIP Alumni

Hi,

All the messages mentioned in the upper section of your post are Level 6 = Informational

Your Syslog Server "trap" has been set to Level 5 = Notifications

So your options could be to change

logging trap informational

Though this would generate a lot of extra logs

You can also change the logging level of the above messages to Level 5 = Notifications with

logging message 605005 level notifications

logging message 113012 level notifications

logging message 113008 level notifications

logging message 611101 level notifications

Which would essentially start sending these to your Syslog Server without changing anything else with regards to logging.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Hi Jouni,

Thanks for the response. I have tried the following but get an error when trying to make the change.

login as: xxxxxx

xxxxx password:

Type help or '?' for a list of available commands.

ASA-5512> en

Password: *******

ASA-5512# logging message 113012 level notifications

                                   ^

ERROR: % Invalid input detected at '^' marker.

ASA-5512#

One question though: should these messages be notifications or informational? As you said, the messages at the start of the post were informational.

Do I have to be in a different mode to set these loggings?

Thanks

Colin

Hi,

You are issuing in the wrong mode

Issue this first

configure terminal

So it shows

ASA-5512(config)#

Then issue the commands

logging message 605005 level notifications

logging message 113012 level notifications

logging message 113008 level notifications

logging message 611101 level notifications

The above messages change those message IDs' logging Level from their default Level to Notifications Level. And since your "trap" configuration is set to use Notifications, this will mean that these messages should start to get logged to your server.

I mentioned the Informational logging level first since it's one option. The problem with setting that logging level globally is that your Syslog server would start to get A LOT more logs depending on the amount of connections formed through your firewall.

Using the above commands that change the logging level of the 4 Syslog message IDs is the smallest change to achieve what you want.

- Jouni
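
The filtering rule described in the replies above, as an added example that is not part of the original thread: a small Python model of how the destination level and per-message `logging message ... level ...` overrides decide which message IDs reach the syslog server. The function names are hypothetical, the parser handles only the two command forms shown in this thread, and the sample lines are copied from the first post.

```python
import re

# ASA severity keywords; list index = numeric level (0 is most severe).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]
MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}):")  # severity digit, message ID

def parse_config(text):
    """Return (destination -> level, message ID -> overridden level)."""
    dests, overrides = {}, {}
    for line in text.splitlines():
        w = line.split()
        if len(w) == 5 and w[:2] == ["logging", "message"] and w[3] == "level":
            overrides[w[2]] = LEVELS.index(w[4])
        elif len(w) == 3 and w[0] == "logging" and w[2] in LEVELS:
            dests[w[1]] = LEVELS.index(w[2])
    return dests, overrides

def delivered(log_lines, config, dest="trap"):
    """Message IDs from log_lines that destination `dest` would receive."""
    dests, overrides = parse_config(config)
    limit = dests.get(dest, -1)  # unconfigured destination receives nothing
    out = []
    for line in log_lines:
        m = MSG_RE.search(line)
        if m is None:
            continue
        level = overrides.get(m.group(2), int(m.group(1)))
        # Delivered only when the message's level number does not exceed
        # the level configured for the destination.
        if level <= limit:
            out.append(m.group(2))
    return out

# Log lines from the first post; the digit after "%ASA-" is the default level.
SAMPLE = [
    'Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"',
    "Jun 06 2010 13:03:09: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco",
    "Jun 06 2010 13:03:09: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco",
    "Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco",
    "Jun 06 2010 13:03:09: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15",
    "Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.",
]
BEFORE = "logging trap notifications\nlogging asdm informational\n"
AFTER = BEFORE + "".join(f"logging message {i} level notifications\n"
                         for i in ("605005", "113012", "113008", "611101"))

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, delivered(SAMPLE, cfg))
```
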

Thanks Jouni.

All now working as expected. Thanks for the quick response.
