04-16-2024 08:30 AM
Hello,
The DISA STIG, V-239941, asks that the following be configured:
event manager applet BACKUP_CONFIG
event syslog pattern "SYSLOG_CONFIG_I"
action 1 cli command "copy startup-config scp://userx:xxxxxxx@10.1.48.10//opt/config_backup"
action 2 syslog priority informational msg "Configuration backup was executed"
On my Cisco ASA 5506 running ASA code 9.16(4)19, the "event syslog pattern" syntax doesn't exist:
firewall(config)# event manager applet Config_Backup
firewall(config-applet)# event syslog ?
event manager applet mode commands/options:
id Configure the syslog id
firewall(config-applet)# event syslog
The STIG is from 15 March 2021; has the syntax changed since then (old vs. new ASA code)? Is it possible to get this capability to work using different syntax?
Thanks in advance!
04-17-2024 01:01 PM
Hello,
it took me a while to figure out what exactly these syslog ids are that the ASA uses. In your case, you need syslog id 111010:
111010
Error Message %ASA-5-111010: User username , running application-name from IP ip addr , executed cmd
Explanation A user made a configuration change.
username —The user making the configuration change
application-name —The application that the user is running
ip addr —The IP address of the management station
cmd —The command that the user has executed
If you specify that number in your EEM, the backup config is triggered.
--> firewall(config-applet)# event syslog 111010
Here is a link to all syslog ids:
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html
04-16-2024 08:35 AM
04-16-2024 08:38 AM
Hello MHM,
I think that's a great link, it contains syntax for a daily backup (like a cron job). Any thoughts on a triggered configuration save? Any idea what changed about the event syslog syntax?
Again, thanks!
04-21-2024 06:23 AM
Hello Georg,
I've been fooling around with the suggestion you provided but can't seem to get that to work correctly. Here's my ASA config:
event manager applet Config_Backup
description Backup running-config when changes are made
event syslog id 111010
action 1 cli command "copy running-config tftp://192.168.1.10/firewall.cfg"
output console
Looking in my logs, the ASA is generating the required syslog id:
Apr 21 12:51:03 192.168.1.1 : %ASA-5-111010: User 'enable_15', running 'CLI' from IP 192.168.1.103, executed 'logging host inside 192.168.1.8'
Apr 21 13:05:02 192.168.1.1 : %ASA-5-111010: User 'enable_15', running 'CLI' from IP 192.168.1.103, executed 'write'
Despite that, I'm not seeing the "firewall.cfg" file on my tftp server. Running the copy syntax by hand works just fine. However, it does require me to press <enter> a few times:
firewall# copy running-config tftp://192.168.1.10/firewall.cfg
Source filename [running-config]?
Address or name of remote host [192.168.1.10]?
Destination filename [firewall.cfg]?
Cryptochecksum: 0f5bc406 f66ed8c7 7fe15aaf 08770674
11397 bytes copied in 0.410 secs
firewall#
Any ideas on what might be preventing this from working at this point?
Again, thanks in advance!
04-21-2024 07:36 AM
Hello,
I have tested this with the syntax below:
ASA(config)# event manager applet Config_Backup
ASA(config-applet)# description Backup running-config when changes are made
ASA(config-applet)# event syslog id 111010
ASA(config-applet)# action 1 cli command "copy running-config tftp://192.168.1.10/firewall.cfg"
ASA(config-applet)# output console
ASA(config-applet)# exit
ASA(config)# write memory
It was complaining about the source filename until I added 'exit' within the applet, and then 'write memory' in config mode.
Adjust the configuration according to your specific requirements and environment.
04-21-2024 09:30 AM
Hello Georg,
The syntax isn't working for me as written... I added "/noconfirm" to my copy syntax, which allows the command to work but the copying of the conf triggers a forever copy loop... You said your syntax worked. What does it look like in your running config?
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:27 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:27 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Thanks,
Rob
04-24-2024 04:45 AM
Hello,
that doesn't look good. I'll check what I have configured...I did not notice a loop.
04-24-2024 05:31 AM
Hello Georg,
The syntax you proposed doesn't work for me:
event manager applet Config_Backup
description Backup running-config when changes are made
event syslog id 111010
action 1 cli command "copy running-config tftp://192.168.1.10/firewall.cfg"
output console
I think that might be due to the fact that when I run "copy start tftp" by hand, I have to press return a few times to confirm the source and destination:
firewall# copy running-config tftp://192.168.1.10/firewall.cfg
Source filename [running-config]?
Address or name of remote host [192.168.1.10]?
Destination filename [firewall.cfg]?
Cryptochecksum: 2988c787 a7118fc8 5304deb3 e8ac4aed
12885 bytes copied in 0.380 secs
firewall#
For the sake of trouble-shooting, I added the "/noconfirm" to my syntax (causes the copy command to not confirm source, destination, or destination filename). With "/noconfirm" applied, I get a copy loop:
event manager applet Config_Backup
description Backup running-config when changes are made
event syslog id 111010
action 1 cli command "copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg"
output console
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
The fact that the copy doesn't work without the "/noconfirm" makes me think that copy's confirmation prompts are preventing the copy from working when triggered by the syslog ID. However, using the "/noconfirm" has its own problem. Is there another way to do this?
Thanks in advance!
04-24-2024 04:42 AM
I follow your comment: you detect the event by syslog message number, and that surely puts you in a loop.
EEM already does the action, and hence the syslog always pops up.
What you want exactly, if you don't want to use kron, is to use syslog with a pattern, i.e. exactly the log message that appears and needs EEM to run when it appears,
and the best one is when you copy run start.
MHM
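The feedback loop described in the two posts above, modelled in Python as an added example (this is not code from the thread or from Cisco): the ASA logs %ASA-5-111010 for every command, including the 'copy' the applet itself runs, so an applet that fires on syslog id 111010 and executes 'copy' re-triggers itself. The parser, the `should_trigger` gate and the `detect_loop` check are hypothetical helpers written for this example, and the sample log lines are constructed to match the format posted in the thread (applet CLI is logged as user 'eem' from IP 0.0.0.0).

```python
"""Model the ASA EEM self-trigger loop and the filter that breaks it.

Added example, not from the thread. The 111010 message format follows the
Cisco syslog guide; everything else here (function names, the sample lines,
the loop threshold) is an assumption made for illustration.
"""
import re
from collections import deque
from datetime import datetime

# %ASA-5-111010: User 'u', running 'app' from IP a.b.c.d, executed 'cmd'
RE_111010 = re.compile(
    r"%ASA-\d-111010: User '(?P<user>[^']*)', running '(?P<app>[^']*)' "
    r"from IP (?P<ip>\S+), executed '(?P<cmd>.*)'\s*$"
)
# Syslog header as the thread shows it: "Apr 21 16:19:22 192.168.1.1 : ..."
RE_HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) ")

APPLET_USER = "eem"  # user the ASA logs for EEM-driven CLI (seen in the thread)

# Constructed sample: two operator changes, then the applet re-triggering itself.
SAMPLE_LOG = """\
Apr 21 12:51:03 192.168.1.1 : %ASA-5-111010: User 'enable_15', running 'CLI' from IP 192.168.1.103, executed 'logging host inside 192.168.1.8'
Apr 21 13:05:02 192.168.1.1 : %ASA-5-111010: User 'enable_15', running 'CLI' from IP 192.168.1.103, executed 'write'
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
""".splitlines()


def parse_111010(line):
    """Return {'ts','user','app','ip','cmd'} for a 111010 line, else None."""
    m = RE_111010.search(line)
    if not m:
        return None
    ev = m.groupdict()
    h = RE_HEADER.match(line)
    # The header carries no year; strptime defaults to 1900, which is fine for deltas.
    ev["ts"] = datetime.strptime(h["ts"], "%b %d %H:%M:%S") if h else None
    return ev


def should_trigger(ev, applet_user=APPLET_USER, commit_only=False):
    """Gate that breaks the loop: ignore the applet's own CLI and any 'copy'
    that is not a save to startup-config, so a backup never counts as a
    configuration change. commit_only=True fires only on 'write' or
    'copy run start', the narrower trigger suggested in the thread."""
    if ev["user"] == applet_user:
        return False
    cmd = ev["cmd"].strip().lower()
    if cmd.split()[0] == "copy" and "startup-config" not in cmd:
        return False
    if commit_only:
        return cmd.startswith("write") or "startup-config" in cmd
    return True


def detect_loop(lines, applet_user=APPLET_USER, threshold=5, window_s=2):
    """Return the timestamp at which `threshold` applet-originated 111010 events
    have landed within `window_s` seconds (a runaway applet), else None."""
    recent = deque()
    for line in lines:
        ev = parse_111010(line)
        if not ev or ev["user"] != applet_user or ev["ts"] is None:
            continue
        recent.append(ev["ts"])
        while (recent[-1] - recent[0]).total_seconds() > window_s:
            recent.popleft()
        if len(recent) >= threshold:
            return ev["ts"]
    return None


def summarize(lines, commit_only=False):
    """Classify every 111010 line as (user, cmd, fires_backup)."""
    out = []
    for line in lines:
        ev = parse_111010(line)
        if ev:
            out.append((ev["user"], ev["cmd"], should_trigger(ev, commit_only=commit_only)))
    return out


if __name__ == "__main__":
    for user, cmd, fire in summarize(SAMPLE_LOG):
        print(f"{'TRIGGER' if fire else 'ignore ':8} {user:10} {cmd}")
    print("loop detected at:", detect_loop(SAMPLE_LOG))
```

The gate is the logic an applet would need and, per the original post, cannot express on this ASA release, since `event syslog id` takes only a message number and no user or pattern filter; that is why the thread steers towards firing on a save (a 'write' or 'copy run start' event) or towards a scheduled backup instead of reacting to every 111010. The `detect_loop` check is the kind of rule worth running on the syslog collector anyway, so a misconfigured applet that hammers the TFTP server is noticed quickly.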
04-17-2024 01:46 PM
Hello Georg,
That's awesome! How did you dig that out of Cisco's website? Chasing down the info you provided, that's a tough find! Any idea why the syntax changed from the old pattern method to the ID method? Thanks again for your help!