topic Hi, in Network Security

Cisco ASA Logging behaviour "logging class"

roesch4alc — Tue, 12 Mar 2019 08:22:42 GMT

Hi all,

can somebody explain to me, what the exact behaviour of logging class is? In some cases, I need to log e.g. vpn related debugs to the terminal session. But I need only this kind of debugs. So the question is, if the logging class command specifies what kind of debuglevel of the specified class is displayed in the terminal or will my terminal be restricted to only show the configured classes and no other syslog messages?

Example:

If I am using this commands. What will it exactly do?

logging class vpn monitor 7

logging class vpnc monitor 7

Are these commands working for their own or do I need to add the logging monitor debug command?

Best Regards

Sebastian

Sebastian,

Pulkit Saxena — Tue, 11 Oct 2016 14:00:25 GMT

Sebastian,

Logging class helps you to segregate the logs on basis of some pre-defined classes.

Yes when you configure a particular class to terminal, only log related to that will be seen.

You would be needing "logging monitor debugging" command.

You can find complete details at the following link :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/l2.html#pgfId-1793205

For example :

logging class vpn buffered debugging //to log to the buffer
logging class vpn trap debugging //to log to a syslog server
logging class vpnc buffered debugging //logging for vpn client activities

Pulkit

Please rate helpful posts.

Hi Pulkit,

roesch4alc — Thu, 13 Oct 2016 13:20:41 GMT

Hi Pulkit,

I made some tests and I must disagree to most of your statements. I was testing on an ASA 5510 with ASA Software version 9.1(7)9.

So this everything I configured regarding logging:

logging enable
logging asdm debugging
logging class vpn monitor debugging
logging class vpnc monitor debugging

Now, up to your statement, I should only see vpn related debugs in the ssh/telnet session.... But I can also issue a "debug arp" or "debug nat" and I even see this type of debug messages... So thats not working as expected I think?!

Furthermore I don´t need to add "logging monitor debugging". The debug logs will be displayed immediately after I start a debugging, with a "debug arp".

A "sh logging" displays:

" Monitor logging: disabled"

So in the moment I am not able to limit the debug output to certain facilities and do not really understand the logging class feature...

Any ideas?

Regards

Sebastian

Sebastian,

Pulkit Saxena — Thu, 13 Oct 2016 13:46:30 GMT

Sebastian,

That seems a little weird, could you please share the output of "show run all logging" and only that part of "show logging" before logs start.

Regards,

Pulkit

Hi,

roesch4alc — Thu, 13 Oct 2016 14:01:05 GMT

Hi,

of course:

show run all logging
logging enable
logging hide username
logging buffer-size 4096
logging asdm-buffer-size 100
logging asdm debugging
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
logging class vpn monitor debugging
logging class vpnc monitor debugging
logging rate-limit 1 10 message 747001
logging rate-limit 1 1 message 402116
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 1 message 313009
logging rate-limit 100 1 message 750003
logging rate-limit 100 1 message 750002
logging rate-limit 100 1 message 750004
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 405003
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 337004
logging rate-limit 1 10 message 337005
logging rate-limit 1 10 message 337001
logging rate-limit 1 10 message 337002
logging rate-limit 1 60 message 199020
logging rate-limit 1 10 message 337003
logging rate-limit 2 5 message 199011
logging rate-limit 1 10 message 199010
logging rate-limit 1 10 message 337009
logging rate-limit 2 5 message 199012
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 1 message 447001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 429007
logging rate-limit 1 10 message 216004
logging rate-limit 1 10 message 450001

Sebastian,

Pulkit Saxena — Thu, 13 Oct 2016 14:04:45 GMT

Sebastian,

I did a quick check on my lab ASA :

Configuration i applied :

====

logging enable
logging buffer-size 44444
logging class vpn buffered debugging monitor debugging

====

The output of "show logging" shows as expected :

====

ciscoasa(config)# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: class vpn, 0 messages logged
Buffer logging: class vpn, 0 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled

====

Please try and that let me know if we get he required results.

Pulkit

Hi,

roesch4alc — Thu, 13 Oct 2016 14:31:25 GMT

Hi,

this is the output from my asa:

ciscoasa# sh run logging
logging enable
logging asdm debugging
logging class vpn buffered debugging monitor debugging

ciscoasa# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: class vpn, 82 messages logged
Buffer logging: class vpn, 0 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level debugging, 103670 messages logged

That´s fine so far. Did I understand you right, that I should only see vpn related messages in any telnet or ssh session with this config ?

What happens with your system, when you issue and "debug arp" in the ssh/telnet session for example? If I do that, I see all the debug messages, coming from debug arp....

EDIT: Of course you should choose a type of debug, that generates at least some kind of output.... 😉 But "debug arp" should normally do that...

Regards

Sebastian

Sebastian,

Pulkit Saxena — Thu, 13 Oct 2016 14:54:54 GMT

Sebastian,

Glad that it worked correctly and yes i checked on my system regarding "debug arp".

No matter what change i made, the debug messages still came on the terminal. I think it is a default behavior, to ensure that critical debugs are turned off if not required, as i even tried disabling logging but was still able to see the debug messages.

I will try to look further into it tomorrow and will update you if possible.

However, I hope your main query was answered.

Pulkit

Please rate helpful posts.

Hi,

roesch4alc — Fri, 14 Oct 2016 09:12:35 GMT

Hi,

at first, thanks for your help.

But I don´t think it is working correctly, it is displaying messages, it shouldn´t ?! One of your first statements was:

Yes when you configure a particular class to terminal, only log related to that will be seen.

It doesn´t apply to this behaviour, what we can see in reality. So the question is, do we have a bug or where is the problem here?! A "debug arp" shouldn´t be displayed, but it is....

Sorry, but I don´t understand this statement, can you explain it to me? For me it seems unlogical:

I think it is a default behavior, to ensure that critical debugs are turned off if not required, as i even tried disabling logging but was still able to see the debug messages.

If the possibility of configuring the log level for the terminal for example doesn´t take affect, the function is either not working and we have a bug or I completely don´t understand the configuration options for the logging in the asa....

Best Regards

Sebastian

Sebastian,

Pulkit Saxena — Fri, 14 Oct 2016 09:38:24 GMT

Sebastian,

As per my understanding if you configure a class, it should show logs for that class only. I was not aware of debug functionality. I really don't think of it as a caveat.

I believe after configuring the vpn class, you are receiving VPN logs and debug logs, like debug arp. I will try and check more on that.

Pulkit

As per my understanding if

roesch4alc — Fri, 14 Oct 2016 10:22:55 GMT

As per my understanding if you configure a class, it should show logs for that class only. I was not aware of debug functionality. I really don't think of it as a caveat.

Yes, thats´exactly, what I expect from this command. But in fact, it doesn´t work. So I in that case, I think it must be a bug.

I believe after configuring the vpn class, you are receiving VPN logs and debug logs, like debug arp.

No, thats wrong, I testet it. The terminal window shows vpn debug messages, only directly after I entered "debug cry ikev1 128". And therefore I don´t need to configure a vpn class for the monitor like "logging class vpn monitor"....

While when only issuing "logging class vpn monitor" (without typing "debug cry ikev1 128"), there are no vpn debug messages displayed.

So up to know, this feature doesn´t work for me..,.

Regards

Sebastian

Hi Pulkit,

roesch4alc — Wed, 14 Dec 2016 09:04:56 GMT

Hi Pulkit,

did you find something on this? I couldn´t solve this problem until today.

Sebastian

Hi Sebastian,

Pulkit Saxena — Fri, 27 Jan 2017 11:44:40 GMT

Hi Sebastian,

Apologies for too much delay here. I was kind of out of touch here.
So I did check further in regards to our query, and I think we need to go through :
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200365-Differences-Between-Logs-and-Debugs-on-A.html

This document clearly says that, by default all debug messages are displayed on screen when you are connected either through
console or ssh/telnet session. That is why, even though we have "logigng class defined" but as soon as we enable "debug arp",
it is seen on the screen as well.

Please let me know if you have any query on this.

-
Pulkit
Please rate helpful posts.

Hi Pulkit,

roesch4alc — Mon, 30 Jan 2017 08:59:33 GMT

Hi Pulkit,

thank you, that document is really useful to understand the difference between debug and log and makes it more clear to me.

Now after reading this, I have a next question. If debugs are always displayed immediately, for what reason I can configure "logging class vpn monitor debugging" or "logging monitor 7". If debugs are always displayed, this settings are obsolete or is there something I missed?

Regards

Sebastian

I try to describe it in

roesch4alc — Mon, 30 Jan 2017 09:14:03 GMT

I try to describe it in another way: For example: To enable logging monitor 7 makes no sense, as this messages will only be triggered, after a debug command is issued. If you are connected via ssh for example, independet from the logging configuration, debug commands should automatically be displayed to the ssh session.

But I must say, that if I enable debugging for icmp "debug icmp trace" for example, debug messages are displayed immediately. When I now add the logging monitor 7 command, no additional syslog level 7 messages will be displayed.

I think I still don´t fully understand, how it works...

BR
Sebastian

Sebastian,

Pulkit Saxena — Mon, 30 Jan 2017 14:23:49 GMT

Sebastian,

Yes, you are right by saying that messages will only be triggered after a debug command is issued.

So basically, you need to enable the debug for that.

In regards to "logging class" and logging features, I would suggest please go through the following link :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/monitor_syslog.html#97583

Pulkit