
How to enable Syslogs on ASA

Logging on the ASA has different levels, namely:

1. Emergencies (severity=0)
2. Alerts (severity=1)
3. Critical (severity=2)
4. Errors (severity=3)
5. Warnings (severity=4)
6. Notifications (severity=5)
7. Informational (severity=6)
8. Debugging (severity=7)

You can use the following command on the ASA to list the available logging levels:

ASA2(config)# logging console ?

configure mode commands/options:
  <0-7>           Enter syslog level (0 - 7)
  WORD            Specify the name of logging list
  alerts          Immediate action needed           (severity=1)
  critical        Critical conditions               (severity=2)
  debugging       Debugging messages                (severity=7)
  emergencies     System is unusable                (severity=0)
  errors          Error conditions                  (severity=3)
  informational   Informational messages            (severity=6)
  notifications   Normal but significant conditions (severity=5)
  warnings        Warning conditions                (severity=4)

The higher the logging level, the more logs the ASA generates. The debugging level should therefore only be used for troubleshooting, since it generates a lot of logs and might affect CPU and memory usage on the ASA.

Initial configuration for enabling logging on ASA:

ASA2(config)# logging enable                  ---> Enables logging on the ASA

ASA2(config)# logging monitor informational   ---> Enables logging to the terminal monitor

ASA2(config)# logging buffered informational  ---> Stores the logs in the logging buffer; the buffer is FIFO, so the oldest logs are purged once it is full

ASA2(config)# logging timestamp               ---> Important, as it adds a timestamp to each log

IMP:- If you enable monitor logging and use the command "terminal monitor", all the logs are printed to your terminal session. To stop them, you need to enter "term no mon" really fast.

How to enable logs to be sent to a syslog server:

Let's assume you have set up a syslog server on the inside interface of the ASA. First try pinging the server from the ASA; it should be reachable. Then, on the ASA:

ASA2(config)# logging trap informational

ASA2(config)# logging host inside 10.1.1.1

The first command decides which level of logs is sent to the syslog server, and the second command specifies where the syslog server is located in the network.

IMP:- By default, syslog uses UDP port 514, but you can send the messages over TCP as well. In the command below, 6 is the IP protocol number for TCP and 1470 is the port:

ASA2(config)# logging host inside 10.1.1.1 6/1470

By default, if you have enabled logging to a syslog server that uses a TCP connection, the adaptive security appliance does not allow new network access sessions when the syslog server is unavailable for any reason.

To prevent this, you need to use the command "logging permit-hostdown".

How to configure Logging to be sent to ASDM:

ASA2(config)# logging asdm informational

How to enable Logging List on ASA:

To create a logging list to use in other commands to specify messages by various criteria (logging level, event class, and message IDs), use the logging list command in global configuration mode.

ASA2(config)# logging list my-list 100100-100110

ASA2(config)# logging list my-list level critical

ASA2(config)# logging list my-list level warning class vpn

ASA2(config)# logging buffered my-list

This logging list generates logs for messages in the syslog ID range 100100-100110 with critical level or higher.
It generates VPN class syslogs of warning level or higher (alert, emergency, critical, error).

How to enable logs to be sent through an E-mail:
ASA2(config)# logging mail critical
ASA2(config)# logging from-address ciscosecurityappliance@example.com
ASA2(config)# logging recipient-address admin@example.com
ASA2(config)# smtp-server pri-smtp-host sec-smtp-host

How to suppress a particular Syslog message:

no logging message <start syslog id> <end syslog id>
no logging message 106013 106015

How to change the severity level of a particular syslog message:

logging message 106015 critical

How to send debugs to a syslog server:

You can send debug output from the ASA to a syslog server as well. To do so, enter the following command:

ASA2(config)# logging debug-trace

It redirects the debugs as syslog message 711001 of severity level 7.
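
On the syslog server, the received messages can be filtered by the same severity levels and message IDs used in the commands above. The following Python code is an added example, not part of the original document and not Cisco code; the sample lines are constructed and the function names are hypothetical.

```python
import re

# Severity keywords in numeric order (0-7), as listed by "logging console ?".
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# Each ASA syslog message carries a %ASA-<severity>-<message id>: tag.
TAG = re.compile(r"%ASA-([0-7])-(\d{6}): (.*)")

# Constructed sample lines (documentation address ranges), as a syslog server
# might store them. 106015 appears at severity 2, as it would after
# "logging message 106015 critical".
SAMPLE = """\
Jan 05 2024 10:15:01: %ASA-6-302013: Built outbound TCP connection 11 for outside:192.0.2.10/443 to inside:10.1.1.50/51000
Jan 05 2024 10:15:02: %ASA-2-106015: Deny TCP (no connection) from 198.51.100.7/4455 to 10.1.1.50/80
Jan 05 2024 10:15:03: %ASA-7-711001: sample debug output redirected by logging debug-trace
Jan 05 2024 10:15:04: %ASA-4-106023: Deny tcp src outside:198.51.100.7/4456 dst inside:10.1.1.50/22
Jan 05 2024 10:15:05: line without an ASA tag
""".splitlines()

def parse(line):
    """Return (severity, message_id, text), or None if the line has no ASA tag."""
    m = TAG.search(line)
    return (int(m.group(1)), int(m.group(2)), m.group(3)) if m else None

def at_or_above(lines, level):
    """Keep messages at `level` or more severe (lower number), the same
    selection a level keyword makes in "logging trap <level>"."""
    limit = LEVELS.index(level)
    return [p for p in map(parse, lines) if p and p[0] <= limit]

def debug_traces(lines):
    """Messages with ID 711001, i.e. debugs sent via "logging debug-trace"."""
    return [p for p in map(parse, lines) if p and p[1] == 711001]

def count_by_level(lines):
    """Count parsed messages per severity keyword, to spot noisy levels."""
    counts = {}
    for sev, _msgid, _text in filter(None, map(parse, lines)):
        counts[LEVELS[sev]] = counts.get(LEVELS[sev], 0) + 1
    return counts

if __name__ == "__main__":
    for sev, msgid, text in at_or_above(SAMPLE, "warnings"):
        print(LEVELS[sev], msgid, text)
    print(count_by_level(SAMPLE))
```

Counting messages per level on the server is a quick way to see whether a level such as debugging is producing more volume than intended.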



Document for Syslog messages:


http://www.cisco.com/en/US/customer/docs/security/asa/asa82/system/message/logsevp.html

Command Reference for logging on ASA:


http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/l2.html



Comments
Hall of Fame Super Silver

Nice document, Varun. Thanks.

Red

Hey, thanks Marvin, please feel free to add any piece of information if you would like to.

New Member

Nice article Varun.

While designing a massive network design, I was researching through some Cisco docs and recommendations for Syslog.

I read the following line in Cisco ASA All in One 2nd edition.

on Page 114

The default severity level for logging list is 3 (errors).

However as per your statement.

ASA2(config)# logging list my-list 100100-100110

ASA2(config)# logging list my-list level critical

ASA2(config)# logging list my-list level warning class vpn

ASA2(config)# logging buffered my-list

This logging list would generate logs for messages falling into the syslog id's 100100-100110 with critical level or higher.

It would generate VPN class syslogs of warning level or higher (alert,emergency, critical,error).

Shouldn't it be implied that all the messages from 100100-100110 would be sent as Critical along with all the remaining IDs e.g. 100111?
