topic Re: logging in ASA in Network Security

logging in ASA

kope — Mon, 11 Mar 2019 20:26:16 GMT

I would like to log any ftp traffic outbound at the ASA firewall to a syslog server; and I created an access-list as below to log any ftp traffic;

However, the trap logging level is set at warnings. (i do not want to logged at a lower level).

But I do need to see "informational" logging on ftp traffic.

If i set up the command line below; it appear i can not see the ftp traffic on the syslog, this probably due to the trap logging is set at warnings.

Is there any way i can still log warning message to syslog server but I am able to log informational message on ftp traffic?

thanks,

________________________________________________________________________

access-list OUTBOUND extended permit tcp any any eq ftp log informational

logging trap warnings

Re: logging in ASA

Somanna M.P — Wed, 27 Apr 2011 21:12:35 GMT

Hi Kope,

Each logging message has a default severity level associated with it. You can change that default behavior so that a message is sent based on a configurable severity level instead. For the messages that have a higher default level and that will not be sent, you can reconfigure their level to a lower value.

To change a message's severity level, use the following configuration command:

Firewall(config)# logging message message-number [level level]


In your case you need to configure :

Firewall(config)# loggingg message 106100 level 4

Regards,

Som

P.S. Please mark this post as resolved if this has answered your question. Do rate the helpful posts.

Re: logging in ASA

mvsheik123 — Wed, 27 Apr 2011 21:21:40 GMT

Hi,

My understanding is that you see the messages related to 'ftp' in the ASA local log. If so, one way I can recomend (there may be different way, but Iam not sure..;-)) - using the Message list. For this first find the message ids for the ftp related connections from ASA logs then create message list based on that. ex:

logging list my_CRITICAL level warnings

logging list my_CRITICAL message 111001-111009
logging list my_CRITICAL message 611103

logging trap my_CRITICAL

This will send 'warning' and any log messages Ids matches between 111001-111009 & 611103 as well.

Here is the link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

hth

Re: logging in ASA

sam-roberts — Wed, 27 Apr 2011 21:43:13 GMT

Hi,

If the trap level is set at "warnings" level, ensure that the message IDs corresponding to the "ftp" transcations are set at the same level.

From your config mode, you can try the following command:

logging message warnings

Believe this helps.

Sam Roberts

Re: logging in ASA

kope — Thu, 28 Apr 2011 02:57:35 GMT

logging list APR27_2011 level errors
logging list APR27_2011 message 106100
logging buffered APR27_2011

I have this setup as above and it still did not showed any message id 106100; it just shown error level messages.

Is there anything wrong here?

thanks,

Re: logging in ASA

kope — Thu, 28 Apr 2011 03:47:32 GMT

Hi Sam,

I also tried as below, but return with an INFO message...

ASA1(config)# logging message 106100 level 3
INFO: Please use the access-list command to change the severity level of this syslog
ASA1(config)#

Any idea...thank you