https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3710864#M13545 <P>There are several users with administrator role on network devices. sometime configuration change without acknowledgement. I want to know who have been log in and what they have made change.</P> <P>&nbsp;</P> <P>How to monitor this activity on cisco ASA, switch or router?</P> Fri, 21 Feb 2020 16:15:57 GMT _Ratha_ 2020-02-21T16:15:57Z https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3710864#M13545 <P>There are several users with administrator role on network devices. sometime configuration change without acknowledgement. I want to know who have been log in and what they have made change.</P> <P>&nbsp;</P> <P>How to monitor this activity on cisco ASA, switch or router?</P> Fri, 21 Feb 2020 16:15:57 GMT https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3710864#M13545 _Ratha_ 2020-02-21T16:15:57Z https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3710967#M13546 <P>How is your user authentication setup done, you have ACS or any other mechanism in place for authentication and authorization ?</P> <P>&nbsp;</P> Fri, 21 Sep 2018 07:30:42 GMT https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3710967#M13546 balaji.bandi 2018-09-21T07:30:42Z https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3711015#M13547 <P>As&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/286878">@balaji.bandi</a>&nbsp;alluded, an Accounting server (the third "A" in AAA) is the answer. An external RADIUS or TACACS+ server (like Cisco ISE) can keep a log of all actions.</P> <P>&nbsp;</P> <P>You can also set the ASA to log all login and command execution actions and send those logs to an external syslog server.</P> <P>&nbsp;</P> <P>logging enable<BR />logging list cmds message 111009</P> <P>logging trap cmds</P> <P>logging host inside x.x.x.x</P> <P>&nbsp;</P> <P>You can replace 'inside' with the name of interface where syslog server x.x.x.x resides.</P> Fri, 21 Sep 2018 09:31:36 GMT https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3711015#M13547 Marvin Rhoads 2018-09-21T09:31:36Z https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3932476#M13548 Hello,<BR />if Informational Logs are being forwarded to an external syslog.. then will message ids 111008-111010 will get auto logged to syslog ? Mon, 30 Sep 2019 13:29:19 GMT https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3932476#M13548 NeWGuy1109 2019-09-30T13:29:19Z https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3932518#M13549 <P>111008 and 111010 are notification (level 5), so yes for those.</P> <P>111009 is debug (level 7), so no for that one.</P> <P>(Unless you override the default severity level)</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_8587071" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_8587071</A></P> Mon, 30 Sep 2019 14:16:17 GMT https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3932518#M13549 Marvin Rhoads 2019-09-30T14:16:17Z https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3933004#M13550 Thanks for the reply..<BR />i am using algosec firewall analyzer and all syslogs from firewalls are being forwarded to it .. i can see the configuration modification (under raw configuration) but the user id is not available .. is there any way the commands being run from a session in ASA can be sent as audit log information ? does asa record user id in raw configuration ? the hide username setting is also disabled. Tue, 01 Oct 2019 10:10:33 GMT https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/3933004#M13550 NeWGuy1109 2019-10-01T10:10:33Z https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/4310294#M1079425 <P>Hello Marvin,</P><P>&nbsp;</P><P>Based on my below logging config , should this send TRAP for Event ID 111008 to my Event Server ( Cisco Security Manager ) ?</P><P>&nbsp;</P><P>Also can you share the Doc where Event ID's are mapped according to Severity</P><P>&nbsp;</P><P>logging enable<BR />logging buffer-size 10000<BR />logging buffered debugging</P><P>&nbsp;</P><P>logging trap debugging<BR />logging asdm informational</P><P>&nbsp;</P><P>logging facility 22</P><P>logging host inside CSM_IP</P><P>logging message 305011 level debugging<BR />logging message 302015 level debugging<BR />logging message 302016 level debugging</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 19 Mar 2021 10:02:41 GMT https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/4310294#M1079425 MSJ1 2021-03-19T10:02:41Z https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/4313347#M1079575 <P>Can you share the Doc where Event ID's are mapped according to Severity</P> Wed, 24 Mar 2021 19:52:27 GMT https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/4313347#M1079575 MSJ1 2021-03-24T19:52:27Z https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/4313397#M1079577 <P>below document has this information :</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/messages-listed-by-severity-level.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/messages-listed-by-severity-level.html</A></P> <P>&nbsp;</P> Wed, 24 Mar 2021 20:37:49 GMT https://community.cisco.com/t5/network-security/audit-log-on-cisco-asa-firewall/m-p/4313397#M1079577 balaji.bandi 2021-03-24T20:37:49Z