topic Re: Audit trail in a Cisco ASA in Network Security

Audit trail in a Cisco ASA

NeWGuy1109 — Fri, 21 Feb 2020 17:32:26 GMT

Hello,

As i understand syslog id 111008-111010 can be used as an audit trail to record the changes in Firewalls...

However, does an audit trail corresponds to policy change only ?

Suppose a user runs "permit traffic same security intra-interface" can this command be logged as an audit trail to an external syslog server ?

Re: Audit trail in a Cisco ASA

balaji.bandi — Mon, 30 Sep 2019 15:22:34 GMT

you can setup one for the Audit logs to send to syslog as below, all the commands enter by the user will be logged.

or if you have AAA (like ACS, ISE can also audit the same).

You can also set the ASA to log all login and command execution actions and send those logs to an external syslog server.

logging enable
logging list cmds message 111009

logging trap cmds

logging host inside x.x.x.x

You can replace 'inside' with the name of interface where syslog server x.x.x.x resides.

Re: Audit trail in a Cisco ASA

NeWGuy1109 — Tue, 01 Oct 2019 10:05:43 GMT

i am using Algosec Firewall Analyzer and all the informational syslogs are being forwarded to it ..i can see the commands being run on the ASA but the user id is not available with those commands... Hide username logging is also disabled.

Re: Audit trail in a Cisco ASA

balaji.bandi — Tue, 01 Oct 2019 15:50:00 GMT

can you provide a sample log and you're implemented configure to verify?

Re: Audit trail in a Cisco ASA

NeWGuy1109 — Wed, 02 Oct 2019 08:26:08 GMT

In ASA , algosec is added as a syslog server and all informational logs are being forwarded to it. I do see policy change notifications in algosec such as NAT change, rule change etc.. but when someone is running commands such as "permit traffic same security inter interface" i cant see the name of the id who executed it... One thing i would like to know is whether there is a particular category of commands which are generated as "Audit Logs" in ASA, is it possible to modify ASA config in such a way that an admin can modify what commands are captured as Audit logs.

Re: Audit trail in a Cisco ASA

bstewart — Thu, 10 Mar 2022 20:43:24 GMT

It looks like if you want to use syslog, there are three messages

111008 - logs the command (Level 5 - Notification) - excludes "show" commands

111010 - logs the command and user info (Level 5 - Notification) - excludes "show" commands

111009 - logs everything, even "show" (Level 7 - Debugging)

There's also a way to change what level a given message logs at, if I understand somebody else's comment correctly.

But the right way to do this is to use the AAA accounting commands (which I'm still looking into how to do; do those only log to your TACACS/RADIUS/etc server or can you also get them over to syslog.)