topic Re: Configuration changes on ASA to Syslog in Network Security

Configuration changes on ASA to Syslog

bobmc859 — Fri, 21 Feb 2020 17:17:42 GMT

Based on information found here and other websites I've attempted to setup logging on my ASA to monitor for configuration changes and send those to my Syslog server, however i'm not showing any results. Below is the output displaying what we have setup for logging and the "notif-cfg-changes" section is basically what I added via ASDM, everything else was already in place. Can anyone tell me what I'm missing please.

show running-config logging
logging enable
logging timestamp
logging list Logging level warnings
logging list Logging level informational class auth
logging list Logging level informational class vpn
logging list Logging level informational class vpnc
logging list Logging level informational class webvpn
logging list Logging message 713120
logging list Logging message 713050
logging list Logging message 113004-113016
logging list IOC-Blocks level warnings class rule-engine
logging list IOC-Blocks message 106023
logging list IDS level informational class ids
logging list IDS message 302014
logging list IDS message 400000-400050
logging list notif-cfg-changes level errors class config
logging list notif-cfg-changes message 111008-111010
logging buffer-size 1000000
logging asdm-buffer-size 512
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap Logging
logging history informational
logging asdm debugging
logging mail Logging
logging from-address ASA-Alerting@domain.com
logging recipient-address BobMckinley@domain.com level errors
logging facility 21
logging queue 0
logging host inside x.x.x.x
logging host inside x.x.x.x
logging permit-hostdown
logging class auth buffered debugging mail informational trap informational
logging class ssl console debugging
logging rate-limit unlimited level 2
logging rate-limit unlimited level 5
logging rate-limit unlimited level 7

Re: Configuration changes on ASA to Syslog

balaji.bandi — Tue, 09 Jul 2019 18:31:33 GMT

syslog IDs 111008, 111009 and 111010 - for the changes done at ASA.
- logging trap debug ( to send the messages to ASA to syslog you need to have minimum configured information or debug, i start with debug and test, if working move to trap to information)

EDIT i forgot to put some information here :

111008 event for every command executed, and an 111010 for those that modify configuration

logging list notif-cfg-changes message 111008-111010
logging list notif-cfg-changes level errors
logging trap notif-cfg-changes

here is the syslog messages

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html

Re: Configuration changes on ASA to Syslog

bobmc859 — Tue, 09 Jul 2019 18:14:24 GMT

Thanks Balaji, however I don't completely understand your response. Are you saying the IDs are incorrect for the ASA? Also are you suggesting I change logging trap Logging to debug?

Thanks,
Bob

Re: Configuration changes on ASA to Syslog

bobmc859 — Wed, 10 Jul 2019 13:03:39 GMT

Balaji, thanks for updating your response, that helps. Though I do have a follow up questions.

The one command, "logging trap notif-cfg-changes" I can't see how to add that via ASDM, though I can do that via CLI but would I just go into config t and type logging trap notif-cfg-changes to add that?

The next question, changing "logging trap Logging" to logging trap debug/information will that affect the other logging setups?

Thanks!

Re: Configuration changes on ASA to Syslog

balaji.bandi — Wed, 10 Jul 2019 18:41:49 GMT

here is the ASDM Guide to configure to assits you here.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113053-asa82-syslog-config-00.html