10-14-2013 07:32 AM - edited 03-11-2019 07:52 PM
Hi,
When I connect to the ASA 5510 via ssh session I do not see the following in syslogs
Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"
Jun 06 2010 13:03:09: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:03:09: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco
All I am seeing once the privilege level is changed is
Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:03:09: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.
And when the session is finished the User logged off.
Please what is required to see the login requests in syslog?
My ASA config is :
logging enabled
logging standby
logging monitor debugging
logging trap notifications
logging asdm informational
Many thanks
Colin
10-14-2013 07:46 AM
Hi,
All the messages mentioned in the upper section of your post are Level 6 = Informational
Your Syslog Server "trap" has been set to Level 5 = Notifications
So your options could be to change
logging trap informational
Though this would generate a lot of extra logs
You can also change the logging level of the above messages to Level 5 = Notifications with
logging message 605005 level notifications
logging message 113012 level notifications
logging message 113008 level notifications
logging message 611101 level notifications
Which would essentially start sending these to your Syslog Server without changing anything else with regards to logging.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
10-14-2013 08:23 AM
Hi Jouni,
Thanks for the response. I have tried the following but get an error when trying to make the change.
login as: xxxxxx
xxxxx password:
Type help or '?' for a list of available commands.
ASA-5512> en
Password: *******
ASA-5512# logging message 113012 level notifications
^
ERROR: % Invalid input detected at '^' marker.
ASA-5512#
One question though: should these messages be notifications or informational, as you said the messages at the start of the post were informational?
Do I have to be in a different mode to set these loggings?
Thanks
Colin
10-14-2013 08:28 AM
Hi,
You are issuing in the wrong mode
Issue this first
configure terminal
So it shows
ASA-5512(config)#
Then issue the commands
logging message 605005 level notifications
logging message 113012 level notifications
logging message 113008 level notifications
logging message 611101 level notifications
The above messages change those message IDs' logging level from their default level to the Notifications level. And since your "trap" configuration is set to use Notifications, this will mean that these messages should start to get logged to your server.
I mentioned the Informational logging level first since it's one option. The problem with setting that logging level globally is that your Syslog server would start to get A LOT more logs depending on the amount of connections formed through your firewall.
Using the above commands that change the logging level of the 4 Syslog message IDs is the smallest change to achieve what you want.
- Jouni
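The filtering described in the replies above can be modelled offline. This is an added example, not code from any poster or from Cisco: it parses the `logging trap` and `logging message ... level` lines and reports which of the question's sample messages would reach the syslog server. The function names are hypothetical, and it assumes levels are given as keywords rather than numbers.

```python
import re

# Cisco ASA severity keywords and their numeric levels (0 = most severe).
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}):")
TRAP_RE = re.compile(r"^logging trap (\w+)$")
OVERRIDE_RE = re.compile(r"^logging message (\d{6}) level (\w+)$")

def parse_config(config_text):
    """Return (trap_level, {message_id: overridden_level}) from logging config lines."""
    trap, overrides = None, {}
    for line in config_text.splitlines():
        line = line.strip()
        if m := TRAP_RE.match(line):
            trap = LEVELS[m.group(1)]
        elif m := OVERRIDE_RE.match(line):
            overrides[m.group(1)] = LEVELS[m.group(2)]
    return trap, overrides

def sent_to_syslog_server(log_line, trap, overrides):
    """True if the message's effective severity passes the 'logging trap' threshold."""
    m = MSG_RE.search(log_line)
    if m is None or trap is None:
        return False
    default_level, msg_id = int(m.group(1)), m.group(2)
    # A per-message override replaces the default severity before filtering.
    return overrides.get(msg_id, default_level) <= trap

# Sample lines copied from the question in this thread.
SAMPLE_LOGS = [
    'Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"',
    "Jun 06 2010 13:03:09: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco",
    "Jun 06 2010 13:03:09: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15",
    "Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.",
]
BEFORE = "logging trap notifications"
AFTER = BEFORE + "\nlogging message 605005 level notifications\nlogging message 113012 level notifications"

def forwarded_ids(config_text):
    """Message IDs from SAMPLE_LOGS that the given config would forward."""
    trap, overrides = parse_config(config_text)
    return [MSG_RE.search(l).group(2) for l in SAMPLE_LOGS
            if sent_to_syslog_server(l, trap, overrides)]

if __name__ == "__main__":
    print("before:", forwarded_ids(BEFORE))
    print("after: ", forwarded_ids(AFTER))
```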
10-14-2013 08:34 AM
Thanks Jouni.
All now working as expected. Thanks for the quick response.