2.Cisco ASA Syslog Configuration


The Cisco ASA firewall generates syslog messages for many different events: interfaces going up or down, security alerts, debug information and more. We can configure how much logging information the ASA produces and where it is stored.

Before you configure logging, make sure your clock has been configured.

Let’s take a look at our configuration options.

1.Configuration

First, make sure logging is enabled:

ASA1(config)# logging enable

1.1.Logging to SSH or Telnet

We’ll start by looking at logging on SSH or telnet sessions. Let’s see what level of logging options we have:

ASA1(config)# logging monitor ?

configure mode commands/options:
  <0-7>          Enter syslog level (0 - 7)
  WORD           Specify the name of logging list
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)

The logging monitor command configures the level of logging that we want to use. Each level includes all lower-numbered (more severe) levels. For example, when you select debugging (level 7), it will log all lower levels as well. If you select “errors”, it will only log levels 3, 2, 1 and 0. We will select debugging so that we can see debug messages on our telnet or SSH session:

ASA1(config)# logging monitor debugging

The logging level has been configured but we still need to enable logging, here’s how:

ASA1(config)# terminal monitor

This enables logging up to the debug level on your telnet or SSH session. Let’s continue with another example…

1.2.Logging to Internal Buffer

The ASA has an internal buffer that we can use for syslog messages. By default it’s disabled, so let’s enable it:

ASA1(config)# logging buffered warnings

This will log all syslog messages with level “warnings” or lower to the internal buffer. We can also configure the size of the internal buffer:

ASA1(config)# logging buffer-size 8192

By default it’s only 4KB; I changed it to 8KB with the logging buffer-size command. Let’s see if we can find some syslog information in our internal buffer. Here’s an example of how we can test it:

ASA1(config)# interface E0/0
ASA1(config-if)# shutdown
ASA1(config-if)# no shutdown

Shutting down an interface is something that will be logged. Now use the show logging command to view the log:

ASA1# show logging 
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: level debugging, 32 messages logged
    Buffer logging: level warnings, 3 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
%ASA-4-411003: Interface Ethernet0/1, changed state to administratively down
%ASA-4-411001: Line protocol on Interface Ethernet0/1, changed state to up

You can see the logging settings but also two entries at the bottom…the interface going down and up. Let’s try something else now…
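
The threshold rule from section 1.1 and the show logging output above can be checked together. The following Python script is an added example, not part of the original lesson: it parses a trimmed, constructed copy of that output and reports which destinations receive each %ASA message. The names parse_show_logging and receivers are chosen for this example.

```python
import re

# Severity keywords and numbers as listed by "logging monitor ?".
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6,
            "debugging": 7}
# Status lines in "show logging" that name a message destination.
DESTINATIONS = {"Console", "Monitor", "Buffer", "Trap", "History", "Mail", "ASDM"}

# Constructed sample: a trimmed copy of the "show logging" output above.
SHOW_LOGGING = """\
Syslog logging: enabled
    Timestamp logging: disabled
    Console logging: disabled
    Monitor logging: level debugging, 32 messages logged
    Buffer logging: level warnings, 3 messages logged
    Trap logging: disabled
%ASA-4-411003: Interface Ethernet0/1, changed state to administratively down
%ASA-4-411001: Line protocol on Interface Ethernet0/1, changed state to up
"""

STATUS_RE = re.compile(r"^\s*([\w-]+) logging: (?:level (\w+)|(enabled|disabled))")
MSG_RE = re.compile(r"^%ASA-([0-7])-(\d+): (.*)$")

def parse_show_logging(text):
    """Return (settings, destination levels, messages) from 'show logging'."""
    settings, dests, msgs = {}, {}, []
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:  # %ASA-<severity>-<message id>: <text>
            msgs.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        s = STATUS_RE.match(line)
        if not s:
            continue
        name, level, state = s.groups()
        if name in DESTINATIONS:  # None means disabled (or an unrecognized level)
            dests[name] = SEVERITY.get(level) if level else None
        else:
            settings[name] = state
    return settings, dests, msgs

def receivers(severity, settings, dests):
    """Destinations set to level N receive messages with severity <= N."""
    if settings.get("Syslog") != "enabled":  # "logging enable" is missing
        return []
    return sorted(d for d, lvl in dests.items() if lvl is not None and severity <= lvl)

if __name__ == "__main__":
    settings, dests, msgs = parse_show_logging(SHOW_LOGGING)
    for sev, msg_id, text in msgs:
        print(msg_id, "severity", sev, "->", receivers(sev, settings, dests))
```

Both sample messages are severity 4, so they reach the buffer (level warnings) and the monitor session (level debugging); a severity 6 message would reach the monitor session only.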

1.3.Logging to console

We can log syslog messages to the console like this:

ASA1(config)# logging console warnings

This will log all syslog messages with level “warnings” or lower to the console. Keep in mind that the console is only running at 9600 bps so it’s easy to overburden it with logging messages. If there are too many logging messages, they will be rate-limited and even dropped if the console can’t handle them.

1.4.Logging to e-mail

We can also send syslog messages directly to e-mail, here’s an example:

ASA1(config)# logging mail alerts
ASA1(config)# logging from-address asa@networklessons.com
ASA1(config)# logging recipient-address info@networklessons.com
ASA1(config)# smtp-server 192.168.1.1

This will send all syslog messages with level “alerts” or lower to an e-mail address. Don’t forget to configure an SMTP server.

1.5.Logging to ASDM

We can also log to ASDM where you can see the syslog messages in the dashboard. Here’s how to enable it:

ASA1(config)# logging asdm debugging

This is how we can send all syslog messages to ASDM. Once you log in, you can see the syslog messages at the bottom:

Cisco ASDM Syslog Dashboard

Above you can see the syslog messages in ASDM.

1.6.Logging to Syslog Server

A good choice is to send syslog messages to a syslog server. Here’s how to do it:

ASA1(config)# logging host INSIDE 192.168.1.3
ASA1(config)# logging trap alerts

You need to configure the host and the level of syslog messages. Here’s what it looks like on a syslog server:

Cisco ASA Syslog Host

Above you see some incoming messages on my syslog server.

1.7.Logging to SNMP server

Last but not least, we can send syslog messages as SNMP traps to an SNMP server. Here’s how:

ASA1(config)# snmp-server host INSIDE 192.168.1.1 trap community MY_COMMUNITY
ASA1(config)# snmp-server enable traps syslog
ASA1(config)# logging history notifications

First we configure the SNMP server and the community, and then we tell the ASA to send syslog messages using SNMP traps. The logging history command sets the syslog level.

That’s all there is. I hope this lesson has been useful.
