08-27-2010 07:57 AM - edited 03-11-2019 11:31 AM
Hello All,
I can't seem to get ASA authentication request or config change alerts to be forwarded to our syslog server. I'm able to see all normal ASA messages, blocked messages, VPN authentications, etc., but if I fail a login or make config changes it does not show up in our syslog server. Here is the logging config:
logging enable
logging timestamp
logging list Failover level errors class ha
logging buffered informational
logging trap informational
logging asdm informational
logging from-address reports@company.com
logging recipient-address sjaggers@company.com level critical
logging device-id hostname
logging host inside NAC-Syslog
logging class auth console notifications trap informational asdm notifications
logging class config console notifications trap informational asdm notifications
I've turned up every level I could think of to informational, done multiple Google searches, and I am at a loss. This is something we have to show for compliance, and it is one of my last open issues, so any help is greatly appreciated.
Thanks,
Shawn
08-27-2010 08:22 AM
Hi Shawn,
Your configuration looks correct to be sending the syslogs. I ran a few quick tests here and these are the specific syslogs you should be on the lookout for.
Configuration Changes
===================
%ASA-5-111008: User 'enable_15' executed the 'class-map test' command.
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769400
This notification level syslog will be issued whenever someone issues a command on the ASA. Note that if you are logging in and then using the enable command the username will always show up as enable_15. Users must use the "login" command and authenticate again to retain their username.
Failed Logins
====================
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = scott
%ASA-6-611102: User authentication failed: Uname: scott
%ASA-6-611102: User authentication failed: Uname: scott
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4774576
611102 identifies when an authentication for connections to the ASA fails.
I hope this helps in tracking down those syslogs.
-Scott
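A small parser, added here as an example and not taken from the thread or from Cisco, that picks the 111008 / 113015 / 611102 messages named above out of ASA syslog lines and also shows why the "logging trap" level matters: with "logging trap notifications" the level-6 login failures would never reach the server. The hostname, timestamps and sample lines are constructed.

```python
import re
from collections import Counter

# ASA syslog header: %ASA-<severity>-<message id>: <message text>
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
# Message ids named in the answer (ASA 8.2 syslog message guide)
CONFIG_CHANGE_IDS = {"111008"}
FAILED_LOGIN_IDS = {"113015", "611102"}
CMD_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command")
USER_RE = re.compile(r"(?:user = |Uname: )(?P<user>\S+)")
# Severity names as used by the ASA "logging trap <level>" command
TRAP_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample lines, modelled on the messages quoted in the answer
SAMPLE_LOG = """\
Aug 27 2010 07:55:10 asa-fw : %ASA-6-302013: Built inbound TCP connection 1 for outside:10.0.0.5/4433 (10.0.0.5/4433) to inside:10.1.0.9/443 (10.1.0.9/443)
Aug 27 2010 07:56:01 asa-fw : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = scott
Aug 27 2010 07:56:01 asa-fw : %ASA-6-611102: User authentication failed: Uname: scott
Aug 27 2010 07:57:30 asa-fw : %ASA-5-111008: User 'enable_15' executed the 'class-map test' command.
Aug 27 2010 07:58:00 asa-fw : %ASA-6-611102: User authentication failed: Uname: shawn
"""

def parse_line(line):
    """Return a dict describing one ASA syslog line, or None if it is not one."""
    m = ASA_RE.search(line)
    if not m:
        return None
    ev = {"severity": int(m.group("sev")), "id": m.group("id"),
          "text": m.group("text"), "kind": "other", "user": None}
    if ev["id"] in CONFIG_CHANGE_IDS:
        ev["kind"] = "config_change"
        c = CMD_RE.search(ev["text"])
        if c:
            ev["user"], ev["command"] = c.group("user"), c.group("cmd")
    elif ev["id"] in FAILED_LOGIN_IDS:
        ev["kind"] = "failed_login"
        u = USER_RE.search(ev["text"])
        if u:
            ev["user"] = u.group("user")
    return ev

def reaches_syslog(event, trap_level="informational"):
    """True if 'logging trap <trap_level>' would forward this message at all."""
    return event["severity"] <= TRAP_LEVELS[trap_level]

def audit(log_text, trap_level="informational"):
    """Audit-relevant events the syslog server would actually receive at this trap level."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    kept = [e for e in events if e["kind"] != "other" and reaches_syslog(e, trap_level)]
    failed_by_user = Counter(e["user"] for e in kept if e["kind"] == "failed_login")
    changes = [(e["user"], e["command"]) for e in kept if e["kind"] == "config_change"]
    return {"failed_logins": dict(failed_by_user), "config_changes": changes}
```

Running `audit(SAMPLE_LOG)` reports two failures for scott, one for shawn and the single class-map change by enable_15; `audit(SAMPLE_LOG, trap_level="notifications")` keeps only the config change.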
08-27-2010 09:03 AM
Thanks! I guess I wasn't formatting my queries to the syslog server right, our solution is not the most user friendly. I was able to find each of the classes I needed, starting with the 111008 message you specified below. Thanks for the help.
Shawn