cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
880
Views
2
Helpful
10
Replies

event syslog pattern syntax doesn't work

robertramsey
Level 1
Level 1

Hello,

The DISA STIG, V-239941, asks that the following be configured:

event manager applet BACKUP_CONFIG
event syslog pattern "SYSLOG_CONFIG_I"
action 1 cli command "copy startup-config scp://userx:xxxxxxx@10.1.48.10//opt/config_backup"
action 2 syslog priority informational msg "Configuration backup was executed"

On my Cisco ASA 5506 running ASA code 9.16(4)19, the "event syslog pattern" syntax doesn't exist: 

firewall(config)# event manager applet Config_Backup
firewall(config-applet)# event syslog ?

event manager applet mode commands/options:
  id  Configure the syslog id
firewall(config-applet)# event syslog

The STIG is from 15 March 2021; has the syntax changed since then (old vs. new ASA code)?  Is it possible to get this capability to work using different syntax?

Thanks in advance! 

1 Accepted Solution

Accepted Solutions

Hello,

it took me a while to figure out what exactly these syslog ids are that the ASA uses.  In your case, you need syslog id 111010:

111010
Error Message %ASA-5-111010: User username , running application-name from IP ip addr , executed cmd

Explanation A user made a configuration change.

username —The user making the configuration change
application-name —The application that the user is running
ip addr —The IP address of the management station
cmd —The command that the user has executed

If you specify that number in your EEM, the backup config is triggered. 

--> firewall(config-applet)# event syslog 111010

Here is a link to all syslog ids:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html

View solution in original post

10 Replies 10

robertramsey
Level 1
Level 1

Hello MHM,

I think that's a great link, it contains syntax for a daily backup (like a cron job).  Any thoughts on a triggered configuration save?  Any idea what changed about the event syslog syntax?

Again, thanks!

Hello,

it took me a while to figure out what exactly these syslog ids are that the ASA uses.  In your case, you need syslog id 111010:

111010
Error Message %ASA-5-111010: User username , running application-name from IP ip addr , executed cmd

Explanation A user made a configuration change.

username —The user making the configuration change
application-name —The application that the user is running
ip addr —The IP address of the management station
cmd —The command that the user has executed

If you specify that number in your EEM, the backup config is triggered. 

--> firewall(config-applet)# event syslog 111010

Here is a link to all syslog ids:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html

Hello Georg,

I've been fooling around with the suggestion you provided but can't seem to get that to work correctly.  Here's my ASA config:

event manager applet Config_Backup
 description Backup running-config when changes are made
 event syslog id 111010
 action 1 cli command "copy running-config tftp://192.168.1.10/firewall.cfg"
 output console

Looking in my logs, the ASA is generating the required syslog id:

Apr 21 12:51:03 192.168.1.1 : %ASA-5-111010: User 'enable_15', running 'CLI' from IP 192.168.1.103, executed 'logging host inside 192.168.1.8'
Apr 21 13:05:02 192.168.1.1 : %ASA-5-111010: User 'enable_15', running 'CLI' from IP 192.168.1.103, executed 'write'

Despite that, I'm not seeing the "firewall.cfg" file on my tftp server.  Running the copy syntax by hand works just fine.  However, it does require me to press <enter> a few times:

firewall# copy running-config tftp://192.168.1.10/firewall.cfg

Source filename [running-config]?

Address or name of remote host [192.168.1.10]?

Destination filename [firewall.cfg]?
Cryptochecksum: 0f5bc406 f66ed8c7 7fe15aaf 08770674

11397 bytes copied in 0.410 secs
firewall#

Any ideas on what might be preventing this from working at this point?

Again, thanks in advance!

Hello,

I have tested this with the syntax below:

ASA(config)# event manager applet Config_Backup
ASA(config-applet)# description Backup running-config when changes are made
ASA(config-applet)# event syslog id 111010
ASA(config-applet)# action 1 cli command "copy running-config tftp://192.168.1.10/firewall.cfg"
ASA(config-applet)# output console
ASA(config-applet)# exit
ASA(config)# write memory

It was complaining about the source filename until I added 'exit' within the applet, and then 'write memory' in config mode.

Adjust the configuration according to your specific requirements and environment.

Hello Georg,

The syntax isn't working for me as written...  I added "/noconfirm" to my copy syntax, which allows the command to work but the copying of the conf triggers a forever copy loop...  You said your syntax worked.  What does it look like in your running config?

Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:27 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:27 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'

Thanks,

Rob

Hello,

that doesn't look good. I'll check what I have configured...I did not notice a loop.

Hello Georg,

The syntax you proposed doesn't work for me:

event manager applet Config_Backup
 description Backup running-config when changes are made
 event syslog id 111010
 action 1 cli command "copy running-config tftp://192.168.1.10/firewall.cfg"
 output console

I think that might be due to the fact that when I run "copy start tftp" by hand, I have to press return a few times to confirm the source and destination:

firewall# copy running-config tftp://192.168.1.10/firewall.cfg

Source filename [running-config]?

Address or name of remote host [192.168.1.10]?

Destination filename [firewall.cfg]?
Cryptochecksum: 2988c787 a7118fc8 5304deb3 e8ac4aed

12885 bytes copied in 0.380 secs
firewall#

 For the sake of trouble-shooting, I added the "/noconfirm" to my syntax (causes the copy command to not confirm source, destination, or destination filename).  With "/noconfirm" applied, I get a copy loop:

event manager applet Config_Backup
 description Backup running-config when changes are made
 event syslog id 111010
 action 1 cli command "copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg"
 output console
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.

 The fact that the copy doesn't work without the "/noconfirm" makes me think that copy's conformation prompts are preventing the copy from working when triggered by the syslog ID.  However, using the "/noconfirm" has its own problem.  Is there another way to do this?

Thanks in advance!

I follow your comment, you detect event syslog message number and that sure enter you in loop
EEM already do action and hence the syslog always pop up, 
what you want exactly if you dont want to use Knor is use syslog with pattern. i.e. exactly the log message appear and need EEM to run when it appear 
and best one is when you copy run start 
MHM 

Screenshot (347).png

robertramsey
Level 1
Level 1

Hello Georg,

That's awesome!  How did you did that out of Cisco's website?  Chasing down the info you provided, that's a tough find!  Any idea why the syntax changed from the old pattern method to the ID method?  Thanks again for your help!

Review Cisco Networking for a $25 gift card