02-03-2017 01:48 AM
Hi,
I am sending syslogs to an in-house syslog server of mine. I need to have VPN logs (connections via Cisco AnyConnect mobility client) sent to syslog as well, at a particular port, say 6161. Are these included in the information logs that I am sending, or is there any particular additional configuration I need for that? Please let me know.
logging enable
logging timestamp
logging trap informational
logging asdm errors
logging host inside x.x.x.x (my syslog server IP)
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 710003
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
-best
nf
02-03-2017 02:33 AM
Your method will work. If you want them to go to port 6161 then you would need to append that to the "logging host" command. e.g.
logging host inside x.x.x.x udp 6161
Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/monitor_syslog.html#68764
However, I find informational level logging a bit verbose for an ASA. What I do is set my logging trap level to warnings and then elevate the (otherwise informational) messages I am interested in to warning level as follows:
logging trap warnings
logging message <interesting message id> level warnings
That way I only get the few I want (plus any genuine warning level messages of course).
02-03-2017 05:15 AM
Thanks Marvin. I will try the second method so I can generate less logging traffic.
How would I find the message Id of interest though?
02-03-2017 06:08 AM
Something like the excerpt below shows you that messages 722051 and 113019 may be of interest - they show the session establishment and shutdown events.
asa-5512# sh log asdm | i marvin
4|Feb 03 2017 08:24:01|722041: TunnelGroup <DISYS-SSL> GroupPolicy <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> No IPv6 address available for SVC connection
5|Feb 03 2017 08:24:01|722033: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> First TCP SVC connection established for SVC session.
4|Feb 03 2017 08:24:01|722051: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> IPv4 Address <192.168.45.96> IPv6 address <::> assigned to session
5|Feb 03 2017 08:24:09|722033: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> First UDP SVC connection established for SVC session.
4|Feb 03 2017 08:57:41|722037: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> SVC closing connection: DPD failure.
4|Feb 03 2017 08:58:57|722037: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> SVC closing connection: Transport closing.
5|Feb 03 2017 08:58:57|722032: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> New TCP SVC connection replacing old connection.
4|Feb 03 2017 08:58:57|722051: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> IPv4 Address <192.168.45.96> IPv6 address <::> assigned to session
5|Feb 03 2017 08:58:57|722028: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> Stale SVC connection closed.
5|Feb 03 2017 08:58:58|722033: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> First UDP SVC connection established for SVC session.
5|Feb 03 2017 09:04:46|722012: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> SVC Message: 16/NOTICE: The user has requested to disconnect the connection..
4|Feb 03 2017 09:04:46|722037: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> SVC closing connection: User Requested.
4|Feb 03 2017 09:04:46|113019: Group = DISYS-SSL, Username = marvin.rhoads, IP = 175.142.232.146, Session disconnected. Session Type: SSL, Duration: 0h:40m:50s, Bytes xmt: 5831300, Bytes rcv: 2045133, Reason: User Requested
asa-5512#
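The excerpt above gives the shape of an ASA log line (severity|timestamp|message id: text) and the two IDs worth forwarding. The following Python is an added example, not code from the thread or from Cisco: it parses a subset of the lines quoted above (copied, not constructed), pulls out the 722051 and 113019 session events with user, peer IP and assigned address or disconnect reason, and then works out which of a wanted set of IDs would actually need a "logging message <id> level warnings" line once the trap level is raised to warnings, as the earlier reply suggests. All function names, the LEVELS table and the wanted-ID sets are mine. One point the excerpt already shows: 722051 and 113019 are logged at severity 4 (warnings), so they pass a warnings trap unchanged, whereas 722033 is severity 5 and would need elevating.

```python
import re

# Severity keyword -> number, as used by the ASA 'logging trap <level>' command.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Shape of a 'show logging asdm' line: <severity>|<timestamp>|<message id>: <text>
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")

# IDs the reply above singles out as the AnyConnect session up/down events.
SESSION_EVENTS = {"722051": "address assigned", "113019": "session disconnected"}

# Lines copied from the excerpt in the thread (a subset, not constructed).
SAMPLE_LOG = """\
4|Feb 03 2017 08:24:01|722041: TunnelGroup <DISYS-SSL> GroupPolicy <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> No IPv6 address available for SVC connection
5|Feb 03 2017 08:24:01|722033: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> First TCP SVC connection established for SVC session.
4|Feb 03 2017 08:24:01|722051: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> IPv4 Address <192.168.45.96> IPv6 address <::> assigned to session
4|Feb 03 2017 09:04:46|722037: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> SVC closing connection: User Requested.
4|Feb 03 2017 09:04:46|113019: Group = DISYS-SSL, Username = marvin.rhoads, IP = 175.142.232.146, Session disconnected. Session Type: SSL, Duration: 0h:40m:50s, Bytes xmt: 5831300, Bytes rcv: 2045133, Reason: User Requested
"""


def parse_line(line):
    """Split one ASA log line into severity, timestamp, message id and text.
    Returns None for anything that is not a log line (e.g. the CLI prompt)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def field(text, name):
    """Pull a named value out of the message text. The 7220xx messages write
    'Name <value>', 113019 writes 'Name = value,', so both forms are tried."""
    m = re.search(rf"{name} <([^>]+)>", text) or re.search(rf"{name} = ([^,]+)", text)
    return m.group(1) if m else None


def session_events(log_text):
    """Return (msgid, user, peer_ip, detail) for every session up/down line.
    detail is the assigned IPv4 address for 722051 and the Reason for 113019."""
    events = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["msgid"] not in SESSION_EVENTS:
            continue
        text = rec["text"]
        user = field(text, "User") or field(text, "Username")
        if rec["msgid"] == "722051":
            detail = field(text, "IPv4 Address")
        else:
            m = re.search(r"Reason: (.+)$", text)
            detail = m.group(1).strip() if m else None
        events.append((rec["msgid"], user, field(text, "IP"), detail))
    return events


def elevation_config(log_text, wanted_ids, trap_level="warnings"):
    """Build the config from the earlier reply: raise the trap level, then add a
    'logging message <id> level <trap_level>' line only for wanted IDs that the
    log shows at a numerically higher (less severe) level than the trap.
    IDs never seen in the log are left alone rather than guessed at."""
    trap = LEVELS[trap_level]
    seen = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            seen[rec["msgid"]] = rec["sev"]
    lines = [f"logging trap {trap_level}"]
    for mid in sorted(wanted_ids):
        if seen.get(mid, 0) > trap:
            lines.append(f"logging message {mid} level {trap_level}")
    return lines


if __name__ == "__main__":
    for ev in session_events(SAMPLE_LOG):
        print(ev)
    print("\n".join(elevation_config(SAMPLE_LOG, {"722051", "113019", "722033"})))
```

Running it lists the address-assignment and disconnect events for marvin.rhoads and prints "logging trap warnings" followed by a single elevation line for 722033; the two session IDs from the excerpt need none because they are already warning-level.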
02-03-2017 10:24 PM
OK, that's great.
So here's what I understood, please correct me if I am wrong:
02-04-2017 06:57 PM
Correct. Please mark your question as answered if it has been.