ASA 5520 - Security Audit

gregorysieg
Level 1

Hello,

I would like to pull a report for the last 24 hours of all external connection attempts to our ASA. I went into Monitoring via the ASDM (7.1) and changed the logging level to "Informational"; however, I do not see anything coming in, it only seems to be showing my internal going out. Could someone please supply me with some information or direction on where I could find documents for this?

Thanks,

Greg

Accepted Solutions

jumora
Level 7

The ASA has a logging buffer that by default is short; it is expected that if you are monitoring traffic to or through the ASA you configure a Syslog server, since past events are not saved to disk unless specified.

Value our effort and rate the assistance!

Julio Carvajal
VIP Alumni

Hello Gregory

My recommendation for this is to leverage UDP Syslog packets to an external device so you can save memory on the ASA for different traffic.

Note: You should consider Netflow as it will provide you granularity, and also, depending on the vendor software, they will build reports, etc. on their own with the data sent to the collector.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


5 Replies


Thanks guys,

I actually did set up a syslog server thinking that was going to be the ticket but wasn't 100% sure. I will take a look at Netflow options down the road.

Guys,

I have a Syslog up and running but am finding I'm not really getting the information I was expecting. I was thinking I would see numerous denied attempts to, say, port 3389, 23, or other well-known ports, but really I'm pretty much just seeing a lot of "Teardown connections", "Built connections", "Access List permitted", and some random "Deny TCP (no connection)". Now I think the Deny TCP (no connection) may be what I'm looking for, but I really expected to see quite a bit more of this type of traffic? I figured I'd pick up some port scanning attempts or something; maybe it's there and I just am not viewing it correctly, or maybe I'm looking in the wrong place? Maybe I'm just expecting more negative than I should be. Any thoughts?

Thanks,

Greg

Hello Greg,

So you are not seeing any Deny ACL???

Look for log ID 106023

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
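The message ID to look for is 106023, and it helps to separate it from the "Deny TCP (no connection)" lines Greg was seeing. The following Python script is an added example, my own and not code from this thread or from Cisco: it reads syslog lines in the format the ASA emits to a syslog host, classifies the ACL denies (106023), inbound connection denies (106001) and "no connection" denies (106015) separately, and counts the denied destination ports and source addresses seen on the external interface. The log lines are constructed samples (RFC 5737 documentation addresses), the interface name "outside" is an assumption, and the ICMP variant of 106023 (which has a different body format) is counted by ID but not parsed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format an ASA sends to a syslog host.
# These are illustrative only, not logs from the thread.
SAMPLE_LOG = """\
Jan 12 2013 10:01:02 fw01 : %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.1.1.25/50012 (203.0.113.1/50012)
Jan 12 2013 10:01:03 fw01 : %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:203.0.113.1/3389 by access-group "outside_access_in" [0x0, 0x0]
Jan 12 2013 10:01:03 fw01 : %ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:203.0.113.1/23 by access-group "outside_access_in" [0x0, 0x0]
Jan 12 2013 10:01:04 fw01 : %ASA-2-106001: Inbound TCP connection denied from 203.0.113.77/4444 to 203.0.113.1/3389 flags SYN on interface outside
Jan 12 2013 10:01:05 fw01 : %ASA-6-106015: Deny TCP (no connection) from 198.51.100.9/443 to 10.1.1.25/50012 flags RST on interface outside
Jan 12 2013 10:01:06 fw01 : %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.9/443 to inside:10.1.1.25/50012 duration 0:00:04 bytes 2310 TCP FINs
Jan 12 2013 10:01:07 fw01 : %ASA-4-106023: Deny udp src outside:203.0.113.5/40000 dst inside:203.0.113.1/161 by access-group "outside_access_in" [0x0, 0x0]
"""

# Message IDs that matter for this question.
ACL_DENY = "106023"        # packet denied by an access-list: the one to look for
INBOUND_DENY = "106001"    # inbound TCP connection denied (no rule permitted it)
NO_CONNECTION = "106015"   # "Deny TCP (no connection)": packet with no matching state, not an ACL deny

HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
ACL_DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)
INBOUND_DENY_RE = re.compile(
    r"Inbound (?P<proto>\w+) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>\S+) on interface (?P<if>[\w-]+)"
)
NO_CONNECTION_RE = re.compile(
    r"Deny (?P<proto>\w+) \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>\S+) on interface (?P<if>[\w-]+)"
)


def parse_line(line):
    """Return a dict describing one ASA syslog line, or None if it is not an ASA message."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"id": m.group("id"), "severity": int(m.group("sev")), "kind": "other"}
    body = m.group("body")
    if rec["id"] == ACL_DENY and (d := ACL_DENY_RE.search(body)):
        # The interface in the "src" field is where the denied packet arrived.
        rec.update(kind="acl_deny", proto=d["proto"].lower(), iface=d["src_if"],
                   src=d["src"], dst=d["dst"], dport=int(d["dport"]), acl=d["acl"])
    elif rec["id"] == INBOUND_DENY and (d := INBOUND_DENY_RE.search(body)):
        rec.update(kind="inbound_deny", proto=d["proto"].lower(), iface=d["if"],
                   src=d["src"], dst=d["dst"], dport=int(d["dport"]))
    elif rec["id"] == NO_CONNECTION and (d := NO_CONNECTION_RE.search(body)):
        rec.update(kind="no_connection", proto=d["proto"].lower(), iface=d["if"],
                   src=d["src"], dst=d["dst"], dport=int(d["dport"]))
    return rec


def summarize(lines, inbound_iface="outside"):
    """Count denied inbound attempts on the external interface (assumed to be named 'outside')."""
    by_id = Counter()
    denied_ports = Counter()
    denied_sources = Counter()
    no_connection = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_id[rec["id"]] += 1
        if rec["kind"] in ("acl_deny", "inbound_deny") and rec["iface"] == inbound_iface:
            denied_ports[rec["dport"]] += 1
            denied_sources[rec["src"]] += 1
        elif rec["kind"] == "no_connection":
            # Counted separately: these are stray packets, not blocked connection attempts.
            no_connection += 1
    return {"by_id": by_id, "denied_ports": denied_ports,
            "denied_sources": denied_sources, "no_connection": no_connection}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("messages by ID:", dict(s["by_id"]))
    print("denied destination ports on outside:", s["denied_ports"].most_common())
    print("top denied sources:", s["denied_sources"].most_common(5))
    print("'Deny TCP (no connection)' lines (not ACL denies):", s["no_connection"])
```

Run it against a file exported from the syslog server (for example `summarize(open("asa.log"))`) to get the per-port and per-source view of what the outside ACL dropped over the period. The script keeps 106015 apart on purpose: that message is raised for a packet arriving with no matching connection in the state table (such as a late RST after the teardown shown in the sample), so a handful of them is normal and they are not evidence of external connection attempts. 106023 is logged at severity 4 (warnings), so it is included when the trap level is set to informational.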