send VPN logs to syslog

night-fury
Level 1

Hi,

I am sending syslogs to an in-house syslog server of mine. I need to have VPN logs (connections via the Cisco AnyConnect Mobility Client) sent to syslog as well, at a particular port, say 6161. Are these included in the informational logs that I am sending, or is there any particular additional configuration I need for that? Please let me know.

logging enable
logging timestamp

logging trap informational
logging asdm errors
logging host inside x.x.x.x (my syslog server IP)
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 710003
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020

-best

nf

Accepted Solution

Marvin Rhoads
Hall of Fame

Your method will work. If you want them to go to port 6161 then you would need to append that to the "logging host" command. e.g.

logging host inside x.x.x.x udp 6161

Reference:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/monitor_syslog.html#68764

However, I find informational level logging a bit verbose for an ASA. What I do is set my logging trap level to warnings and then elevate the (otherwise informational) messages I am interested in to warning level as follows:

logging trap warnings
logging message <interesting message id> level warnings

That way I only get the few I want (plus any genuine warning level messages of course). 


5 Replies


Thanks Marvin. I will try the second method so I can generate less logging traffic.

How would I find the message Id of interest though?

Something like the excerpt below shows you that messages 722051 and 113019 may be of interest - they show the session establishment and shutdown events.

asa-5512# sh log asdm | i marvin
4|Feb 03 2017 08:24:01|722041: TunnelGroup <DISYS-SSL> GroupPolicy <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> No IPv6 address available for SVC connection
5|Feb 03 2017 08:24:01|722033: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> First TCP SVC connection established for SVC session.
4|Feb 03 2017 08:24:01|722051: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> IPv4 Address <192.168.45.96> IPv6 address <::> assigned to session
5|Feb 03 2017 08:24:09|722033: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> First UDP SVC connection established for SVC session.
4|Feb 03 2017 08:57:41|722037: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> SVC closing connection: DPD failure.
4|Feb 03 2017 08:58:57|722037: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> SVC closing connection: Transport closing.
5|Feb 03 2017 08:58:57|722032: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> New TCP SVC connection replacing old connection.
4|Feb 03 2017 08:58:57|722051: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> IPv4 Address <192.168.45.96> IPv6 address <::> assigned to session
5|Feb 03 2017 08:58:57|722028: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> Stale SVC connection closed.
5|Feb 03 2017 08:58:58|722033: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> First UDP SVC connection established for SVC session.
5|Feb 03 2017 09:04:46|722012: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> SVC Message: 16/NOTICE: The user has requested to disconnect the connection..
4|Feb 03 2017 09:04:46|722037: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> SVC closing connection: User Requested.
4|Feb 03 2017 09:04:46|113019: Group = DISYS-SSL, Username = marvin.rhoads, IP = 175.142.232.146, Session disconnected. Session Type: SSL, Duration: 0h:40m:50s, Bytes xmt: 5831300, Bytes rcv: 2045133, Reason: User Requested
asa-5512#
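As an added example (not part of the thread), a small Python parser for the "show logging asdm" line format quoted above that pairs each 722051 (address assigned) with the later 113019 (session disconnected) for the same user and peer IP, so the two message IDs Marvin points at can be turned into one session record per connection. The sample input reuses lines from the excerpt; the pipe-separated field layout and the regular expressions are assumptions based on those lines.

```python
import re

# Sample lines taken from the "show logging asdm" excerpt above (<severity>|<timestamp>|<message id>: <text>).
# Only 722051 (address assigned) and 113019 (session disconnected) are acted on; other IDs are skipped.
SAMPLE_LOG = """\
4|Feb 03 2017 08:24:01|722051: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> IPv4 Address <192.168.45.96> IPv6 address <::> assigned to session
5|Feb 03 2017 08:24:09|722033: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> First UDP SVC connection established for SVC session.
4|Feb 03 2017 08:58:57|722051: Group <DISYSSSLCLIENTPOLICY> User <marvin.rhoads> IP <175.142.232.146> IPv4 Address <192.168.45.96> IPv6 address <::> assigned to session
4|Feb 03 2017 09:04:46|113019: Group = DISYS-SSL, Username = marvin.rhoads, IP = 175.142.232.146, Session disconnected. Session Type: SSL, Duration: 0h:40m:50s, Bytes xmt: 5831300, Bytes rcv: 2045133, Reason: User Requested
"""

LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msg_id>\d{6}): (?P<text>.*)$")
ASSIGN_RE = re.compile(r"User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> IPv4 Address <(?P<v4>[^>]+)>")
DISC_RE = re.compile(r"Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), Session disconnected\. "
                     r"Session Type: (?P<stype>[^,]+), Duration: (?P<dur>[^,]+), "
                     r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$")
DUR_RE = re.compile(r"(\d+)h:(\d+)m:(\d+)s")


def parse_line(line):
    """Split one ASDM-style line into severity, timestamp, message id and text; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"severity": int(m["sev"]), "timestamp": m["ts"], "msg_id": m["msg_id"], "text": m["text"]}


def duration_seconds(dur):
    """Convert the 113019 'Xh:Ym:Zs' duration field to whole seconds."""
    h, m, s = DUR_RE.match(dur).groups()
    return int(h) * 3600 + int(m) * 60 + int(s)


def extract_sessions(log_text):
    """Pair each 722051 with the later 113019 for the same (user, peer IP); return completed sessions."""
    open_sessions, completed = {}, []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msg_id"] == "722051" and (m := ASSIGN_RE.search(rec["text"])):
            # 722051 repeats when the client reconnects inside one session, so keep the earliest assignment.
            open_sessions.setdefault((m["user"], m["ip"]), {"user": m["user"], "peer_ip": m["ip"],
                                                            "assigned_ipv4": m["v4"], "start": rec["timestamp"]})
        elif rec["msg_id"] == "113019" and (m := DISC_RE.search(rec["text"])):
            # A disconnect without a seen assignment still yields a record (the assignment may predate the log).
            sess = open_sessions.pop((m["user"], m["ip"]), {"user": m["user"], "peer_ip": m["ip"]})
            sess.update({"end": rec["timestamp"], "duration_s": duration_seconds(m["dur"]),
                         "bytes_xmt": int(m["xmt"]), "bytes_rcv": int(m["rcv"]), "reason": m["reason"].strip()})
            completed.append(sess)
    return completed
```

Running `extract_sessions(SAMPLE_LOG)` yields one record spanning 08:24:01 to 09:04:46 with the 40m50s duration and byte counts from the 113019 line.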

OK, that's great.

So here's what I understood, please correct me if I am wrong:

  • enable informational logs first so that I get all possible logs.
  • connect VPN so that VPN logs are generated and I can get the message IDs.
  • change the logging back to warning only from informational
  • elevate the message IDs of interest to warning.
  • of course, configure the logging server with desired port during or after this process.

Correct. Please mark your question as answered if it has been.