New Member

Syslog configuration for ips

Is it possible to configure IPS to send messages to a syslog server? If yes, then I request you to share the steps.

Accepted Solutions
New Member

Re: Syslog configuration for ips

Yes, it's possible to configure IPS to send syslog messages to a syslog server.

Configure these commands:

logging enable
logging timestamp
logging asdm informational
logging device-id ipaddress inside
logging host inside 192.168.3.10
logging debug-trace

The 1st and 5th commands from top to bottom are required. The rest depends upon your requirement of capturing packets into the syslog server. All these commands get inserted automatically if you configure syslog from device manager.

Rate if it helps.

16 REPLIES
New Member

Re: Syslog configuration for ips

So this works for the asa-ssm?

New Member

Re: Syslog configuration for ips

Hello. I have the following configured in my ASA 5520 (v7.0, with AIP-SSM20):

logging enable
logging timestamp
logging asdm informational
logging device-id hostname
logging host INSIDE
logging host INSIDE
logging debug-trace

No IPS events (and there are many) are received by the syslog server, but many ASA log messages are, so I know the log server is receiving from the ASA. Is it a version issue? Other suggestions? Thanks.

New Member

Re: Syslog configuration for ips

Hi!

I do have an ASA with version 7.2(1) with the same configuration. It is working fine.

I am not very sure whether the issue is with 7.0 or not. You can give it a try with 7.2.

New Member

Re: Syslog configuration for ips

Config should look like this:

logging enable
logging timestamp
logging asdm informational
logging device-id ipaddress inside
logging host inside 192.168.3.10
logging debug-trace

Your 4th line looks a bit different. Could you please check the same?

Please rate if it helps.

Gold

Re: Syslog configuration for ips

For ASA, you've already got your response. For IPS sensor appliances, the answer is no.

New Member

Re: Syslog configuration for ips

Hi

In IPS, logging enable does not work, so I think syslog is not supported in IPS.

Thanks

Biplob

New Member

Re: Syslog configuration for ips

In the IPS appliance, syslog is not supported. But in the AIP-SSM it can be configured. We have one site where it is configured and working fine.

Please rate if it helps.

New Member

Re: Syslog configuration for ips

Hi

So is there any procedure to track logs like user access in IPS?

If I enable a trap destination, will I then get any feedback on the trap server?

Thanks

Biplob

New Member

Re: Syslog configuration for ips

You mean to say a user trying to access the IPS sensor? Do you want that very log?

New Member

Re: Syslog configuration for ips

Hi

You are absolutely right. I want that.

Thanks

Biplob

Cisco Employee

Re: Syslog configuration for ips

No, you cannot send IPS logs to a syslog server.

IPS only allows you to extract events or traffic in PCAP format.

New Member

Re: Syslog configuration for ips

Hi acharyr123,

I have an ASA5510-K8 with SSM-10. I have the following configuration and show output:

logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging device-id ipaddress inside
logging host inside syslog_IPadd
logging debug-trace
!
xxxfw# show log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level notifications, facility 20, 7765726 messages logged
Logging to inside syslog_IPadd errors: 157 dropped: 1869
History logging: disabled
Device ID: 'inside' interface IP address "ipadd"
Mail logging: disabled
ASDM logging: level informational, 7766816 messages logged
xxxfw#
!
xxxfw# show module

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510-K8         JMX1044K1F1
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAF10342417

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 000a.b89c.c6e0 to 000a.b89c.c6e4  1.1          1.0(11)2     7.2(1)
  1 000a.b89c.c932 to 000a.b89c.c932  1.0          1.0(11)2     6.0(3)E1

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.0(3)E1

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up

xxxfw#
!

But the syslog server only receives ASA events, not SSM-10 IPS events. You've mentioned it works at your site; is there anything else I should look into?

Thanks; I would appreciate it if I could find the answer here. This has been bugging me for quite some time.
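
An added example (not part of the original post and not Cisco tooling): a small Python check that reads `show log` output like the one above and reports what limits delivery from the ASA to the syslog host. The sample text is built from the relevant lines of the post, and the function names are hypothetical.

```python
import re

# ASA syslog severity keywords, most to least severe (levels 0-7).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Constructed sample: the relevant lines of the `show log` output in the post above.
SAMPLE = """\
Syslog logging: enabled
Timestamp logging: enabled
Buffer logging: disabled
Trap logging: level notifications, facility 20, 7765726 messages logged
Logging to inside syslog_IPadd errors: 157 dropped: 1869
ASDM logging: level informational, 7766816 messages logged
"""

def parse_show_logging(text):
    """Extract global state, trap level and per-host delivery counters."""
    info = {"enabled": False, "trap_level": None, "trap_logged": 0, "hosts": []}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Syslog logging:\s*(\w+)", line):
            info["enabled"] = m.group(1) == "enabled"
        elif m := re.match(r"Trap logging:\s*level (\w+),.*?(\d+) messages logged", line):
            info["trap_level"], info["trap_logged"] = m.group(1), int(m.group(2))
        elif m := re.match(r"Logging to (\S+) (\S+) errors: (\d+) dropped: (\d+)", line):
            info["hosts"].append({"interface": m.group(1), "host": m.group(2),
                                  "errors": int(m.group(3)), "dropped": int(m.group(4))})
    return info

def findings(info):
    """Return readable issues that affect what reaches the syslog server."""
    out = []
    if not info["enabled"]:
        out.append("logging is disabled globally")
    if info["trap_level"] is None:
        out.append("trap logging is off: nothing is sent to syslog hosts")
    elif info["trap_level"] in LEVELS and LEVELS.index(info["trap_level"]) < 6:
        out.append(f"trap level '{info['trap_level']}' filters out informational/debugging messages")
    if not info["hosts"]:
        out.append("no syslog host configured")
    for h in info["hosts"]:
        if h["errors"] or h["dropped"]:
            out.append(f"{h['host']} via {h['interface']}: {h['errors']} errors, {h['dropped']} dropped")
    return out

if __name__ == "__main__":
    for finding in findings(parse_show_logging(SAMPLE)):
        print("-", finding)
```

This only checks the ASA's own syslog forwarding; it says nothing about events generated inside the SSM module.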

Cisco Employee

Re: Syslog configuration for ips

Well, I am just trying to save your time. The answer is NO.

Well, there is no way to point the clear-text log files to a logging server from the IPS/SSM module, as the SSM needs SDEE communication to extract the files and would export the files in XML format.

There is the IP logging command, which would only allow you to capture packets in binary format, or else you may use the event tab to collect the events on the IPS:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/idmguide/dmmntr.htm#wp1039901

Therefore you may either use Cisco Mars/CSM if you need extensive logging, or else you may install IEV:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev

HTH!

New Member

Re: Syslog configuration for ips

Also, you could use an older version of CiscoWorks2000/VMS to store logs and run reports. It also gives you the use of Security Monitor, which MARS does not provide.

New Member

Re: Syslog configuration for ips

Hi,

I have a VMS. If I configure the SNMP configuration of the IPS, is it possible to get the CPU/process utilization report from VMS for that IPS?

Another thing: if I allow traps on the IPS, is it possible to get the IPS access logs (users who log in to the IPS) from the VMS?

Regards

Adnan
