cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3213
Views
5
Helpful
3
Replies

Anyconnect and Hostscan logging

pronin_sergey
Level 1
Level 1

Hello guys,

 

I have a running ASA with Anyconnect and HostScan. We use DAP policies to terminate the connections from various OSes, checking for keys in win registry and etc.

 

Now I would like to somehow log all possible parameters gathered by Hostscan on ASA. For instance:

- OS version

- MAC address

- BIOS serial number

and so on.

Is there a way to do this?

 

--

Sergey

3 Replies 3

pronin_sergey
Level 1
Level 1

Hello,

 

anyone? I don't believe that it is just me, who wants to get as much info as possible from users.

This info could be perfectly used in SIEM.

Found the solution.

In ASDM do the following:

Configuration -> Device management -> Logging -> Logging Filters

 

Choose logging destination you need, then in Syslog from Specific Event Classes do:

Event class: dap

Severity: debugging 

 

Then in logs you'll see smth like this:

Jun  9 16:30:14 ASA_INSTANCE %ASA-7-734003: DAP: User USERNAME, Addr 1.2.3.4: Session Attribute endpoint.os.version="Linux"
Jun  9 16:30:14 ASA_INSTANCE %ASA-7-734003: DAP: User USERNAME, Addr 1.2.3.4: Session Attribute endpoint.os.servicepack="3.19.0-15-generic"
Jun  9 16:30:14 ASA_INSTANCE %ASA-7-734003: DAP: User USERNAME, Addr 1.2.3.4: Session Attribute endpoint.os.architecture="x86"
Jun  9 16:30:14 ASA_INSTANCE %ASA-7-734003: DAP: User USERNAME, Addr 1.2.3.4: Session Attribute endpoint.policy.location="Default"
Jun  9 16:30:14 ASA_INSTANCE %ASA-7-734003: DAP: User USERNAME, Addr 1.2.3.4: Session Attribute endpoint.device.protection="none"
Jun  9 16:30:14 ASA_INSTANCE %ASA-7-734003: DAP: User USERNAME, Addr 1.2.3.4: Session Attribute endpoint.device.protection_version="3.1.08009"

Apparently there are two of us  ;)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: