ASA Logging

mudasir05
Level 1

Dear All,

I have an ASA 5545 on which I have enabled logging; however, I am not able to see logs when I take an SSH session of the ASA.

However, on ASDM I am able to view logs.

Thanks


Seb Rupik
VIP Alumni

Hi there,

What is the output of:

sh logging

My guess is that running:

sh logging asdm

...will show you what you're after.

cheers,

Seb.

Hi Seb,

ciscoasa# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: enabled
Console logging: level alerts, 6 messages logged
Monitor logging: level alerts, 1549817102 messages logged
Buffer logging: level alerts, 0 messages logged
Trap logging: level informational, facility 20, 1775677694 messages logged
Permit-hostdown logging: disabled
History logging: level alerts, 6 messages logged
Device ID: disabled
Mail logging: list Failover, class auth, 0 messages logged
ASDM logging: level informational, 1775677695 messages logged

=====

ciscoasa# sh logging asdm
6|Dec 08 2015 12:57:18|302013: Built outbound TCP connection 945703559 for Public:54.239.38.163/443 (54.239.38.163/443) to DMZ:192.168.3.16/34519 (10.10.10.16/34519)
6|Dec 08 2015 12:57:18|106015: Deny TCP (no connection) from 93.168.134.38/2242 to 10.10.10.16/443 flags RST on interface Public
6|Dec 08 2015 12:57:18|302014: Teardown TCP connection 945701986 for Public:93.169.169.149/1060 to DMZ:192.168.3.16/443 duration 0:00:10 bytes 11147 TCP FINs
6|Dec 08 2015 12:57:18|302013: Built inbound TCP connection 945703561 for Public:188.49.206.189/55008 (188.49.206.189/55008) to DMZ:192.168.3.17/443 (10.10.10.17/443)
6|Dec 08 2015 12:57:18|302013: Built inbound TCP connection 945703562 for Public:176.16.88.81/54617 (176.16.88.81/54617) to DMZ:192.168.3.17/443 (10.10.10.17/443)
6|Dec 08 2015 12:57:18|106015: Deny TCP (no connection) from 37.40.4.30/1857 to 10.10.10.17/443 flags RST ACK on interface Public
6|Dec 08 2015 12:57:18|302014: Teardown TCP connection 945703500 for Public:54.243.31.226/46367 to DMZ:192.168.3.16/80 duration 0:00:00 bytes 1307 TCP FINs
6|Dec 08 2015 12:57:18|302013: Built inbound TCP connection 945703564 for Public:188.135.42.99/45658 (188.135.42.99/45658) to DMZ:192.168.3.17/443 (10.10.10.17/443)
6|Dec 08 2015 12:57:18|106015: Deny TCP (no connection) from 82.178.195.102/52868 to 10.10.10.16/443 flags FIN ACK on interface Public
6|Dec 08 2015 12:57:18|302013: Built inbound TCP connection 945703566 for Public:95.185.59.232/1188 (95.185.59.232/1188) to DMZ:192.168.3.16/443 (10.10.10.16/443)
6|Dec 08 2015 12:57:18|302013: Built outbound TCP connection 945703567 for DMZ:192.168.3.45/80 (192.168.3.45/80) to inside:192.168.5.2/38446 (192.168.5.2/38446)
5|Dec 08 2015 12:57:18|304001: 192.168.5.2 Accessed URL 192.168.3.45:http://192.168.3.45/api/external
6|Dec 08 2015 12:57:18|302013: Built inbound TCP connection 945703568 for Public:77.218.231.130/1292 (77.218.231.130/1292) to DMZ:192.168.3.17/443 (10.10.10.17/443)
6|Dec 08 2015 12:57:18|302014: Teardown TCP connection 945687578 for Public:5.110.96.146/52305 to DMZ:192.168.3.16/443 duration 0:01:48 bytes 9623 TCP Reset-O
6|Dec 08 2015 12:57:18|302016: Teardown UDP connection 945703545 for Public:8.8.8.8/53 to DMZ:192.168.3.17/53240 duration 0:00:00 bytes 279
6|Dec 08 2015 12:57:18|302014: Teardown TCP connection 945681108 for Public:93.169.206.200/1043 to DMZ:192.168.3.17/443 duration 0:02:31 bytes 8845 TCP Reset-O
6|Dec 08 2015 12:57:18|302013: Built outbound TCP connection 945703569 for Public:54.239.38.163/443 (54.239.38.163/443) to DMZ:192.168.3.17/49393 (10.10.10.17/49393)
6|Dec 08 2015 12:57:18|302013: Built inbound TCP connection 945703570 for Public:77.31.28.115/55589 (77.31.28.115/55589) to DMZ:192.168.3.17/443 (10.10.10.17/443)
6|Dec 08 2015 12:57:18|106015: Deny TCP (no connection) from 93.169.206.200/1043 to 10.10.10.17/443 flags RST on interface Public
6|Dec 08 2015 12:57:18|106015: Deny TCP (no connection) from 93.169.206.200/1043 to 10.10.10.17/443 flags RST on interface Public
6|Dec 08 2015 12:57:18|302013: Built outbound TCP connection 945703573 for DMZ:192.168.3.45/80 (192.168.3.45/80) to inside:192.168.5.2/52333 (192.168.5.2/52333)
6|Dec 08 2015 12:57:18|302021: Teardown ICMP connection for faddr 128.234.71.151/0 gaddr 10.10.10.17/0 laddr 192.168.3.17/0

What do I need to do to see the logs under "sh logging"?

Hi there,

The 'sh logging' command shows us the state of the ASA logging configuration.

'sh logging asdm' shows us the contents of the ASDM log buffer since the last clear/reboot.

What more of the logs do you need to see?

Perhaps you want to look at configuring a syslog server, which will make trawling through the logs easier, or better still a SIEM to create correlation rules?

Rishabh Seth
Level 7

Hi Mudasir,

Adding to Seb's comment, refer to the following link to enable monitoring on an SSH session:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/monitor.html#wp1065023

Thanks,

Rishabh Seth

PS: Rate if it helps and mark answer as correct if it resolves your issue.
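
Added example, not part of the original thread: a short Python script that reads the 'sh logging' status lines posted above and reports which logging destinations would receive each message seen under 'sh logging asdm'. The function names are hypothetical; the only rule assumed is the standard one that a destination set to level N receives messages of severity 0 through N.

```python
import re

# ASA syslog severity keywords and numeric values (0 is the most severe).
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Excerpt of the 'sh logging' status output posted in this thread.
SHOW_LOGGING = """\
Syslog logging: enabled
Standby logging: disabled
Console logging: level alerts, 6 messages logged
Monitor logging: level alerts, 1549817102 messages logged
Buffer logging: level alerts, 0 messages logged
Trap logging: level informational, facility 20, 1775677694 messages logged
History logging: level alerts, 6 messages logged
Mail logging: list Failover, class auth, 0 messages logged
ASDM logging: level informational, 1775677695 messages logged
"""

# Two lines from the 'sh logging asdm' output in this thread.
ASDM_LINES = [
    "6|Dec 08 2015 12:57:18|106015: Deny TCP (no connection) from 93.168.134.38/2242 to 10.10.10.16/443 flags RST on interface Public",
    "5|Dec 08 2015 12:57:18|304001: 192.168.5.2 Accessed URL 192.168.3.45:http://192.168.3.45/api/external",
]

def parse_destinations(status):
    """Map each destination that filters by severity level to its numeric level.
    Lines without 'level <keyword>' (switches, list-based filters) are skipped."""
    dests = {}
    for line in status.splitlines():
        m = re.match(r"([\w-]+) logging: level (\w+)", line)
        if m and m.group(2) in LEVELS:
            dests[m.group(1)] = LEVELS[m.group(2)]
    return dests

def destinations_receiving(severity, dests):
    """A destination set to level N receives messages of severity 0..N."""
    return sorted(name for name, level in dests.items() if severity <= level)

def explain(asdm_lines, status):
    """Return {message_id: (severity, destinations that would log it)}."""
    dests = parse_destinations(status)
    result = {}
    for line in asdm_lines:
        severity, _timestamp, rest = line.split("|", 2)
        msg_id = rest.split(":", 1)[0]
        result[msg_id] = (int(severity), destinations_receiving(int(severity), dests))
    return result

if __name__ == "__main__":
    for msg_id, (sev, where) in explain(ASDM_LINES, SHOW_LOGGING).items():
        print(f"%ASA-{sev}-{msg_id} -> {', '.join(where)}")
```

With the levels shown in the thread, the severity 5 and 6 messages reach only the ASDM and trap destinations; the buffer, console and monitor destinations are at level alerts and receive only severity 0 and 1.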
