cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10029
Views
20
Helpful
8
Replies

Audit log on cisco ASA firewall.

_Ratha_
Beginner
Beginner

There are several users with administrator role on network devices. sometime configuration change without acknowledgement. I want to know who have been log in and what they have made change.

 

How to monitor this activity on cisco ASA, switch or router?

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

As @balaji.bandi alluded, an Accounting server (the third "A" in AAA) is the answer. An external RADIUS or TACACS+ server (like Cisco ISE) can keep a log of all actions.

 

You can also set the ASA to log all login and command execution actions and send those logs to an external syslog server.

 

logging enable
logging list cmds message 111009

logging trap cmds

logging host inside x.x.x.x

 

You can replace 'inside' with the name of interface where syslog server x.x.x.x resides.

View solution in original post

8 Replies 8

balaji.bandi
VIP Community Legend VIP Community Legend
VIP Community Legend

How is your user authentication setup done, you have ACS or any other mechanism in place for authentication and authorization ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

As @balaji.bandi alluded, an Accounting server (the third "A" in AAA) is the answer. An external RADIUS or TACACS+ server (like Cisco ISE) can keep a log of all actions.

 

You can also set the ASA to log all login and command execution actions and send those logs to an external syslog server.

 

logging enable
logging list cmds message 111009

logging trap cmds

logging host inside x.x.x.x

 

You can replace 'inside' with the name of interface where syslog server x.x.x.x resides.

Hello,
if Informational Logs are being forwarded to an external syslog.. then will message ids 111008-111010 will get auto logged to syslog ?

111008 and 111010 are notification (level 5), so yes for those.

111009 is debug (level 7), so no for that one.

(Unless you override the default severity level)

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_8587071

Thanks for the reply..
i am using algosec firewall analyzer and all syslogs from firewalls are being forwarded to it .. i can see the configuration modification (under raw configuration) but the user id is not available .. is there any way the commands being run from a session in ASA can be sent as audit log information ? does asa record user id in raw configuration ? the hide username setting is also disabled.

Can you share the Doc where Event ID's are mapped according to Severity

MSJ1
Beginner
Beginner

Hello Marvin,

 

Based on my below logging config , should this send TRAP for Event ID 111008 to my Event Server ( Cisco Security Manager ) ?

 

Also can you share the Doc where Event ID's are mapped according to Severity

 

logging enable
logging buffer-size 10000
logging buffered debugging

 

logging trap debugging
logging asdm informational

 

logging facility 22

logging host inside CSM_IP

logging message 305011 level debugging
logging message 302015 level debugging
logging message 302016 level debugging

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers