https://community.cisco.com/t5/network-security/asa-syslog-config-question/m-p/1491782#M613258 <P>Hello All,</P><P></P><P>I can't seem to get ASA authentication request, or config changes alerts to be forwarded to our syslog server.&nbsp; I'm able to see all normal ASA messages, blocked messages, VPN authenications, etc, but if I fail a login, or make config changes it does not show up in our syslog server.&nbsp; Here is the logging config:</P><P></P><P>logging enable<BR />logging timestamp<BR />logging list Failover level errors class ha<BR />logging buffered informational<BR />logging trap informational<BR />logging asdm informational<BR /><SPAN>logging from-address </SPAN><A class="jive-link-email-small" href="mailto:reports@company.com" target="_blank">reports@company.com</A><BR /><SPAN>logging recipient-address </SPAN><A class="jive-link-email-small" href="mailto:sjaggers@company.com" target="_blank">sjaggers@company.com</A><SPAN> level critical</SPAN><BR />logging device-id hostname<BR />logging host inside NAC-Syslog</P><P>logging class auth console notifications trap informational asdm notifications<BR />logging class config console notifications trap informational asdm notifications</P><P></P><P>I've turned up every level I could think of to informational, done multiple google searches and I am at a loss.&nbsp; This is something we have to show for compliance, and is one of my last open issues so any help is greatly appreciated</P><P></P><P>Thanks,</P><P></P><P>Shawn</P> Mon, 11 Mar 2019 18:31:37 GMT smjaggers 2019-03-11T18:31:37Z https://community.cisco.com/t5/network-security/asa-syslog-config-question/m-p/1491782#M613258 <P>Hello All,</P><P></P><P>I can't seem to get ASA authentication request, or config changes alerts to be forwarded to our syslog server.&nbsp; I'm able to see all normal ASA messages, blocked messages, VPN authenications, etc, but if I fail a login, or make config changes it does not show up in our syslog server.&nbsp; Here is the logging config:</P><P></P><P>logging enable<BR />logging timestamp<BR />logging list Failover level errors class ha<BR />logging buffered informational<BR />logging trap informational<BR />logging asdm informational<BR /><SPAN>logging from-address </SPAN><A class="jive-link-email-small" href="mailto:reports@company.com" target="_blank">reports@company.com</A><BR /><SPAN>logging recipient-address </SPAN><A class="jive-link-email-small" href="mailto:sjaggers@company.com" target="_blank">sjaggers@company.com</A><SPAN> level critical</SPAN><BR />logging device-id hostname<BR />logging host inside NAC-Syslog</P><P>logging class auth console notifications trap informational asdm notifications<BR />logging class config console notifications trap informational asdm notifications</P><P></P><P>I've turned up every level I could think of to informational, done multiple google searches and I am at a loss.&nbsp; This is something we have to show for compliance, and is one of my last open issues so any help is greatly appreciated</P><P></P><P>Thanks,</P><P></P><P>Shawn</P> Mon, 11 Mar 2019 18:31:37 GMT https://community.cisco.com/t5/network-security/asa-syslog-config-question/m-p/1491782#M613258 smjaggers 2019-03-11T18:31:37Z https://community.cisco.com/t5/network-security/asa-syslog-config-question/m-p/1491783#M613261 <HTML><HEAD></HEAD><BODY><P>Hi Shawn,</P><P></P><P>Your configuration looks correct to be sending the syslogs.&nbsp; I ran a few quick tests here and these are the specific syslogs you should be on the lookout for.</P><P></P><P>Configuration Changes</P><P>===================</P><P>%ASA-5-111008: User 'enable_15' executed the 'class-map test' command.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769400">http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769400</A></P><P></P><P>This notification level syslog will be issued whenever someone issues a command on the ASA.&nbsp; Note that if you are logging in and then using the enable command the username will always show up as enable_15.&nbsp; Users must use the "login" command and authenticate again to retain their username.</P><P></P><P>Failed Logins</P><P>====================</P><P>%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = scott<BR />%ASA-6-611102: User authentication failed: Uname: scott<BR />%ASA-6-611102: User authentication failed: Uname: scott</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4774576">http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4774576</A></P><P></P><P>611102 identifies when an authentication for connections to the ASA fails.</P><P></P><P>I hope this helps in tracking down those syslogs.</P><P></P><P>-Scott</P></BODY></HTML> Fri, 27 Aug 2010 15:22:53 GMT https://community.cisco.com/t5/network-security/asa-syslog-config-question/m-p/1491783#M613261 scbrinke 2010-08-27T15:22:53Z https://community.cisco.com/t5/network-security/asa-syslog-config-question/m-p/1491784#M613264 <HTML><HEAD></HEAD><BODY><P>Thanks!&nbsp; I guess I wasn't formatting my queries to the syslog serv<SPAN style="background-color: #f8fafd;">er right, our solution is not the most user friendly.&nbsp; I was able to find each of the classes I needed, starting with the 111008 message you specified below.&nbsp; Thanks for the help.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Shawn</SPAN></P></BODY></HTML> Fri, 27 Aug 2010 16:03:48 GMT https://community.cisco.com/t5/network-security/asa-syslog-config-question/m-p/1491784#M613264 smjaggers 2010-08-27T16:03:48Z