https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357212#M308915 <HTML><HEAD></HEAD><BODY><P> Thanks guys,</P><P></P><P>I actually did setup a syslog server thinking that was going to be the ticket but wasn't 100% sure.&nbsp; I will take a look at Netflow options down the road.</P></BODY></HTML> Mon, 18 Nov 2013 16:06:42 GMT gregorysieg 2013-11-18T16:06:42Z https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357209#M308910 <P>Hello,</P><P></P><P>I would like to pull a report for the last 24 hours of all external connection attempts to our ASA.&nbsp; I went into Monitoring via the ASMD (7.1) and changed the logging level to "Informational" however I do not see anything coming in it only seems to be showing my internal going out.&nbsp; Could someone please supply me with some information or direction on where I could find documents for this.</P><P></P><P>Thanks,</P><P></P><P>Greg</P> Tue, 12 Mar 2019 03:05:05 GMT https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357209#M308910 gregorysieg 2019-03-12T03:05:05Z https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357210#M308911 <HTML><HEAD></HEAD><BODY><P>The ASA has a logging buffer that by default is short, it is expected that if you are monitoring traffic to or through the ASA you configure a Syslog server since past events are not saved into disk unless specified.<SPAN __jive_emoticon_name="cry" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P></BODY></HTML> Thu, 14 Nov 2013 21:18:15 GMT https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357210#M308911 jumora 2013-11-14T21:18:15Z https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357211#M308913 <HTML><HEAD></HEAD><BODY><P>Hello Gregory</P><P></P><P>My recommendation for this is to leverage the UDP Syslog packets to a External device so you can save memory on the ASA for different traffic.</P><P></P><P>Note: You should consider Netflow as it will provide you granularity and also depending on the vendor software they will build reports, etc on their own with the data send to the collector.</P><P></P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Thu, 14 Nov 2013 22:26:35 GMT https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357211#M308913 Julio Carvajal 2013-11-14T22:26:35Z https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357212#M308915 <HTML><HEAD></HEAD><BODY><P> Thanks guys,</P><P></P><P>I actually did setup a syslog server thinking that was going to be the ticket but wasn't 100% sure.&nbsp; I will take a look at Netflow options down the road.</P></BODY></HTML> Mon, 18 Nov 2013 16:06:42 GMT https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357212#M308915 gregorysieg 2013-11-18T16:06:42Z https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357213#M308918 <HTML><HEAD></HEAD><BODY><P>Guys,&nbsp; </P><P></P><P>I have a Syslog up and running but am finding I'm not really getting the information I was expecting.&nbsp;&nbsp; I was thinking I would see numerous denied attempts to say port 3389, 23, or other well known ports but really I'm pretty much just seeing alot of "Teardown connections", "Built connections", "Access List permitted", and some randle "Deny TCP (no connection).&nbsp; Now I think the Deny TCP (no connection) may be what I'm looking for but I really expected to see quite a bit more of this type of traffic?&nbsp; I figured I'd pick up some port scanning attempts or something maybe it's there and I just am not viewing it correctly or maybe I'm looking in the wrong place?&nbsp; Maybe I'm just expecting more negative then I should be.&nbsp; Any thoughts?</P><P></P><P>Thanks,</P><P></P><P>Greg</P></BODY></HTML> Fri, 22 Nov 2013 17:47:23 GMT https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357213#M308918 gregorysieg 2013-11-22T17:47:23Z https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357214#M308919 <HTML><HEAD></HEAD><BODY><P>Hello Greg,</P><P></P><P>So you are not seeing any Deny ACL???</P><P></P><P>Look for log ID 106023</P><P id="stcpDiv" style="position: absolute; top: -1999px; left: -1988px;">106023</P><P></P><P id="stcpDiv" style="position: absolute; top: -1999px; left: -1988px;">106023</P><P></P><P id="stcpDiv" style="position: absolute; top: -1999px; left: -1988px;">106023</P><P></P><P id="stcpDiv" style="position: absolute; top: -1999px; left: -1988px;">106023</P><P id="stcpDiv" style="position: absolute; top: -1999px; left: -1988px;">106023 p</P><P></P><P id="stcpDiv" style="position: absolute; top: -1999px; left: -1988px;">106023 p</P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Fri, 22 Nov 2013 18:38:01 GMT https://community.cisco.com/t5/network-security/asa-5520-security-audit/m-p/2357214#M308919 Julio Carvajal 2013-11-22T18:38:01Z