Welcome to Cisco Firewalls Community
Beginner

Audit log on cisco ASA firewall.

There are several users with the administrator role on our network devices. Sometimes the configuration changes without acknowledgement. I want to know who has logged in and what changes they have made.

How can I monitor this activity on a Cisco ASA, switch or router?

Hall of Fame Master

Re: Audit log on cisco ASA firewall.

As @balaji.bandi alluded to, an Accounting server (the third "A" in AAA) is the answer. An external RADIUS or TACACS+ server (like Cisco ISE) can keep a log of all actions.

You can also set the ASA to log all login and command execution actions and send those logs to an external syslog server:

logging enable
logging list cmds message 111009
logging trap cmds
logging host inside x.x.x.x

You can replace 'inside' with the name of the interface where the syslog server x.x.x.x resides.

VIP Advisor

Re: Audit log on cisco ASA firewall.

How is your user authentication set up? Do you have ACS or any other mechanism in place for authentication and authorization?

BB

Beginner

Re: Audit log on cisco ASA firewall.

Hello,
If informational logs are being forwarded to an external syslog server, will message IDs 111008-111010 get logged to syslog automatically?
Hall of Fame Master

Re: Audit log on cisco ASA firewall.

111008 and 111010 are notification (level 5), so yes for those.

111009 is debug (level 7), so no for that one.

(Unless you override the default severity level)

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_8587071
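The following is an added example, not code from any poster in this thread or from Cisco. It ties together the accepted solution's `logging list cmds` / `logging trap` configuration and the severity explanation above: it parses the three command-audit messages (111008, 111009, 111010) out of a syslog feed, applies the same forwarding decision the ASA makes (a `logging trap` severity level versus an event list), and flags commands that weaken the audit trail itself. The sample lines are constructed to match the documented wording of those messages (see the syslog guide linked above) and are not captured from a real device; the regular expressions, function names and the `trap` parameter are this example's own assumptions.

```python
import re

# Constructed sample lines modelled on the wording of ASA messages 111008,
# 111009 and 111010 documented in the syslog guide linked above; they are not
# captured from a real device. The last line is an ordinary connection
# message that the parser must ignore.
SAMPLE_LOGS = [
    "%ASA-5-111008: User 'alice' executed the 'configure terminal' command.",
    "%ASA-7-111009: User 'alice' executed cmd: access-list OUTSIDE_IN permit tcp any any eq 22",
    "%ASA-5-111010: User 'bob', running 'CLI' from IP '10.0.0.5', executed 'no logging enable'",
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 "
    "(198.51.100.7/443) to inside:10.0.0.9/51234 (10.0.0.9/51234)",
]

# Header common to every ASA message: %ASA-<severity>-<6-digit id>: <body>
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")

# Body patterns for the three command-audit messages (assumed from the
# documented message text; adjust if your ASA version words them differently).
BODY_RE = {
    "111008": re.compile(r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.$"),
    "111009": re.compile(r"User '(?P<user>[^']*)' executed cmd: ?(?P<cmd>.*)$"),
    "111010": re.compile(
        r"User '(?P<user>[^']*)', running '(?P<app>[^']*)' from IP '(?P<ip>[^']*)', "
        r"executed '(?P<cmd>.*)'$"
    ),
}


def parse_audit_event(line):
    """Return a dict for a 111008/111009/111010 message, or None for anything else."""
    m = HEADER_RE.search(line)
    if not m or m.group("id") not in BODY_RE:
        return None
    b = BODY_RE[m.group("id")].match(m.group("body"))
    if not b:
        return None
    event = {
        "id": m.group("id"),
        "severity": int(m.group("sev")),
        "user": b.group("user"),
        "command": b.group("cmd"),
    }
    if event["id"] == "111010":
        # 111010 also carries the management application and source address
        event["source_ip"] = b.group("ip")
        event["application"] = b.group("app")
    return event


def forwarded_to_syslog(event, trap):
    """Mirror the ASA 'logging trap' decision for one event (assumed model).

    trap is either a severity level (an int, e.g. 6 for 'logging trap
    informational': messages at that level or lower are sent) or a set of
    message ids standing in for an event list such as the 'cmds' list in the
    accepted solution (only the listed ids are sent).
    """
    if isinstance(trap, int):
        return event["severity"] <= trap
    return event["id"] in trap


def audit_trail(lines, trap=6):
    """Command-audit events that would actually reach the syslog host."""
    events = (parse_audit_event(line) for line in lines)
    return [e for e in events if e is not None and forwarded_to_syslog(e, trap)]


def logging_tampering(events):
    """Events where an administrator changed or cleared the logging configuration."""
    return [e for e in events
            if e["command"].startswith(("no logging", "clear logging"))]


if __name__ == "__main__":
    for trap in (6, {"111009"}):
        print(f"trap={trap!r}")
        for e in audit_trail(SAMPLE_LOGS, trap):
            print(f"  {e['id']} user={e['user']!r} cmd={e['command']!r}")
    for e in logging_tampering(audit_trail(SAMPLE_LOGS)):
        print("ALERT: logging configuration changed by", e["user"], "->", e["command"])
```

With a plain `logging trap informational` (level 6) only the level-5 messages 111008 and 111010 appear in the trail and the level-7 111009 line is dropped, which is the behaviour described in the reply above; with the `cmds` event list bound to `logging trap`, 111009 is sent instead. Both 111008 and 111010 carry the username, so an audit trail built from them answers the "who changed what" question without needing the username to be written into the configuration itself.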

Beginner

Re: Audit log on cisco ASA firewall.

Thanks for the reply.
I am using AlgoSec Firewall Analyzer and all syslogs from the firewalls are being forwarded to it. I can see the configuration modification (under raw configuration), but the user ID is not available. Is there any way the commands being run from a session on the ASA can be sent as audit log information? Does the ASA record the user ID in the raw configuration? The hide username setting is also disabled.