Solved: Audit log on cisco ASA firewall.

_Ratha_ · ‎09-20-2018

There are several users with administrator role on network devices. sometime configuration change without acknowledgement. I want to know who have been log in and what they have made change.

How to monitor this activity on cisco ASA, switch or router?

Marvin Rhoads · ‎09-21-2018

As @balaji.bandi alluded, an Accounting server (the third "A" in AAA) is the answer. An external RADIUS or TACACS+ server (like Cisco ISE) can keep a log of all actions.

You can also set the ASA to log all login and command execution actions and send those logs to an external syslog server.

logging enable
logging list cmds message 111009

logging trap cmds

logging host inside x.x.x.x

You can replace 'inside' with the name of interface where syslog server x.x.x.x resides.

View solution in original post

balaji.bandi · ‎09-21-2018

How is your user authentication setup done, you have ACS or any other mechanism in place for authentication and authorization ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marvin Rhoads · ‎09-21-2018

As @balaji.bandi alluded, an Accounting server (the third "A" in AAA) is the answer. An external RADIUS or TACACS+ server (like Cisco ISE) can keep a log of all actions.

You can also set the ASA to log all login and command execution actions and send those logs to an external syslog server.

logging enable
logging list cmds message 111009

logging trap cmds

logging host inside x.x.x.x

You can replace 'inside' with the name of interface where syslog server x.x.x.x resides.

NeWGuy1109 · ‎09-30-2019

Hello,
if Informational Logs are being forwarded to an external syslog.. then will message ids 111008-111010 will get auto logged to syslog ?

Marvin Rhoads · ‎09-30-2019

111008 and 111010 are notification (level 5), so yes for those.

111009 is debug (level 7), so no for that one.

(Unless you override the default severity level)

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_8587071

NeWGuy1109 · ‎10-01-2019

Thanks for the reply..
i am using algosec firewall analyzer and all syslogs from firewalls are being forwarded to it .. i can see the configuration modification (under raw configuration) but the user id is not available .. is there any way the commands being run from a session in ASA can be sent as audit log information ? does asa record user id in raw configuration ? the hide username setting is also disabled.

MSJ1 · ‎03-24-2021

Can you share the Doc where Event ID's are mapped according to Severity

balaji.bandi · ‎03-24-2021

below document has this information :

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/messages-listed-by-severity-level.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MSJ1 · ‎03-19-2021

Hello Marvin,

Based on my below logging config , should this send TRAP for Event ID 111008 to my Event Server ( Cisco Security Manager ) ?

Also can you share the Doc where Event ID's are mapped according to Severity

logging enable
logging buffer-size 10000
logging buffered debugging

logging trap debugging
logging asdm informational

logging facility 22

logging host inside CSM_IP

logging message 305011 level debugging
logging message 302015 level debugging
logging message 302016 level debugging