Community Member

Email alert on asa for successful login to asa

Hi guys,

Just wanted to know how to configure the ASA with email alerts for successful login to the ASA using Telnet or ASDM.

Thanks,

Jvalin

Cisco Employee

Re: Email alert on asa for successful login to asa

Jvalin,

I assume you have everything but the logging component configured.

How about creating a logging list of interesting syslogs and sending them?

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772936

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1773126

Messages indexed:

https://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html

maybe:

710002

Marcin

Community Member

Re: Email alert on asa for successful login to asa

Marcin,

Thanks for the links. I checked all those but still the mails are not working.

What I did in ASDM is:

1) set up the SMTP server - "internal IP address of the mail server"

2) configured "send from email address"

3) configured "send to email address"

4) configured "event-list" --> event-class as auth and severity - alert

   "event-list" --> event-class as config and severity - alert

5) configured "logging filters", and in the email section I gave the event-list as the severity

Anything else I am forgetting?

Regards,

Jvalin

Cisco Employee

Re: Email alert on asa for successful login to asa

Jvalin,

Can you rather show the CLI config? No access to ASDM on my side.

-------

show run logg

show run smtp-s (or maybe show run smtp?)

--------

Marcin

Cisco Employee

Re: Email alert on asa for successful login to asa

I remember an earlier thread that I answered a while ago. It ended up being the e-mail server not accepting e-mails from the firewall's IP address.

Pls. make sure the e-mail server is configured to accept e-mail from the firewall's IP address.

Wireshark capture on the e-mail server will be useful as well.

Just move one of the normal messages like 111008 to level 1 for testing purpose only and issue a "write mem" that should trigger an e-mail to be sent.

logging message 111008 level 1

Once the test is done you can remove the above line.

-KS

Community Member

Re: Email alert on asa for successful login to asa

logging enable
logging timestamp
logging list email-for-login level emergencies class auth
logging list email-for-login level emergencies class config
logging list email-for-login message 111008
logging history informational
logging asdm informational
logging recipient-address xxxx@abc.com level emergencies
logging facility 23
logging debug-trace
logging class auth mail alerts
logging class config mail alerts
logging message 111008 level alerts

Is this ok guys??

Cisco Employee

Re: Email alert on asa for successful login to asa

Yes that appears correct.  You have the smtp-server configured right?

command - smtp-server

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1507977

-KS

Community Member

Re: Email alert on asa for successful login to asa

asa5510# sh run smtp-server

smtp-server 192.168.102.50

asa5510#

Cisco Employee

Re: Email alert on asa for successful login to asa

I don't see logging list assigned to logging mail.

logging mail list NAME_OF_LIST

Community Member

Re: Email alert on asa for successful login to asa

logging enable
logging timestamp
logging list email-for-login level alerts class auth
logging list email-for-login level alerts class config
logging list email-for-login message 111008
logging history informational
logging asdm informational
logging mail email-for-login   --->>> I gave it afterwards
logging from-address abc@xxx.com
logging recipient-address abc@xxx.com level alerts
logging facility 23
logging debug-trace
logging class auth mail alerts
logging class config mail alerts
logging message 111008 level alerts

It's working now, guys. Thanks to both of you.

Community Member

Re: Email alert on asa for successful login to asa

Guys,

By configuring these commands, I am getting alerts only when anybody configures using ASDM, but not by command line.

Any ideas greatly appreciated.

Regards,

Jvalin

Cisco Employee

Re: Email alert on asa for successful login to asa

710002 would be the message you're looking for when someone logs in. I'd have to dig in a bit more to see what ASDM puts in syslogs. Or you can check it by monitoring logging to other facilities.

Cisco Employee

Re: Email alert on asa for successful login to asa

Are you looking for these messages?

When you ssh to the unit you see the following:
Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"
Jun 06 2010 13:03:09: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:03:09: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:03:09: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.

When you telnet to the unit you see the following.

Jun 06 2010 13:04:16: %ASA-6-605005: Login permitted from 192.168.2.2/1308 to inside:192.168.2.1/telnet for user ""
Jun 06 2010 13:04:20: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:04:20: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
Jun 06 2010 13:04:20: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:04:20: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:04:20: %ASA-5-111008: User 'enable_1' executed the 'enable' command.

Both SSH and Telnet log the same syslog messages. Whichever message you are interested in, just add it to the mail list.

-KS
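
The SSH and Telnet log lines quoted above can be reduced to one login record per session. This is an added example, not code from the thread: it parses message 605005 and takes the user name from the following 611101 line, because the Telnet 605005 in the sample carries an empty user. The function and field names are hypothetical, and it assumes sessions are not interleaved in the log.

```python
import re

# Lines copied from the SSH and Telnet sessions quoted in the thread.
SAMPLE = """\
Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"
Jun 06 2010 13:03:09: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:03:09: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:04:16: %ASA-6-605005: Login permitted from 192.168.2.2/1308 to inside:192.168.2.1/telnet for user ""
Jun 06 2010 13:04:20: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:04:20: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:04:20: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
"""

LINE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} [\d:]{8}): %ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
LOGIN = re.compile(r'Login permitted from (?P<src>[\d.]+)/\d+ to (?P<ifc>[^:]+):'
                   r'(?P<dst>[\d.]+)/(?P<svc>\w+) for user "(?P<user>[^"]*)"')
AUTH_OK = re.compile(r"User authentication succeeded: Uname: (?P<user>\S+)")
PRIV = re.compile(r"User priv level changed: Uname: \S+ From: \d+ To: (?P<to>\d+)")


def login_events(text):
    """One dict per 605005 login, enriched from the 611101/502103 lines that follow it."""
    events, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m["id"] == "605005":
            lm = LOGIN.search(m["msg"])
            if lm:
                cur = {"time": m["ts"], "priv": None, **lm.groupdict()}
                events.append(cur)
        elif cur is not None and m["id"] == "611101":
            am = AUTH_OK.search(m["msg"])
            # The Telnet 605005 in the sample has user "", so take the name from 611101.
            if am and not cur["user"]:
                cur["user"] = am["user"]
        elif cur is not None and m["id"] == "502103":
            pm = PRIV.search(m["msg"])
            if pm:
                cur["priv"] = int(pm["to"])
    return events


if __name__ == "__main__":
    for e in login_events(SAMPLE):
        print(f'{e["time"]} {e["svc"]} login by {e["user"]!r} from {e["src"]} '
              f'on {e["ifc"]} (priv {e["priv"]})')
```
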
