Audit trail in a Cisco ASA

NeWGuy1109
Level 1

Hello,

As I understand, syslog IDs 111008-111010 can be used as an audit trail to record the changes in firewalls.

However, does an audit trail correspond to policy changes only?

Suppose a user runs "permit traffic same security intra-interface"; can this command be logged as an audit trail to an external syslog server?

5 Replies

balaji.bandi
Hall of Fame

You can set one up for the audit logs to be sent to syslog as below; all the commands entered by the user will be logged.

Or, if you have AAA (like ACS or ISE), it can also audit the same.

You can also set the ASA to log all login and command execution actions and send those logs to an external syslog server.

logging enable
logging list cmds message 111009
logging trap cmds
logging host inside x.x.x.x

You can replace 'inside' with the name of interface where syslog server x.x.x.x resides.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I am using AlgoSec Firewall Analyzer and all the informational syslogs are being forwarded to it. I can see the commands being run on the ASA, but the user ID is not available with those commands. Hide username logging is also disabled.

Can you provide a sample log and your implemented configuration to verify?

BB

In the ASA, AlgoSec is added as a syslog server and all informational logs are being forwarded to it. I do see policy change notifications in AlgoSec such as NAT changes, rule changes, etc., but when someone runs commands such as "permit traffic same security inter interface" I can't see the name of the ID who executed it. One thing I would like to know is whether there is a particular category of commands which are generated as "Audit Logs" in the ASA; is it possible to modify the ASA config in such a way that an admin can modify what commands are captured as audit logs?

It looks like if you want to use syslog, there are three messages:

111008 - logs the command (Level 5 - Notification) - excludes "show" commands
111010 - logs the command and user info (Level 5 - Notification) - excludes "show" commands
111009 - logs everything, even "show" (Level 7 - Debugging)

There's also a way to change what level a given message logs at, if I understand somebody else's comment correctly.

But the right way to do this is to use the AAA accounting commands (which I'm still looking into how to do; do those only log to your TACACS/RADIUS/etc. server, or can you also get them over to syslog?).
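Added example (not from any poster in this thread): a small Python parser that a syslog collector could run over the three message IDs listed above, pulling out user, command and, for 111010, application and source IP, and dropping "show" commands by default. The sample lines are constructed; their message bodies are assumed to follow the ASA formats for 111008/111009/111010, and the field names are my own.

```python
import re
from typing import Optional

# Constructed sample lines (not from the thread); bodies are assumed to follow
# the ASA formats for 111008/111009/111010, and the prefix on line 2 is made up.
SAMPLE_LOGS = [
    "%ASA-5-111008: User 'admin' executed the 'same-security-traffic permit intra-interface' command.",
    "Jan 10 2024 12:00:01 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP '192.0.2.10', executed 'same-security-traffic permit intra-interface'",
    "%ASA-7-111009: User 'admin' executed cmd:show running-config",
    "%ASA-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.5/443",
]

# Severity and message ID from the "%ASA-<sev>-<id>:" tag, wherever it sits in the line.
TAG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")

# One body pattern per command-audit message ID; only 111010 carries app and source IP.
BODY_RE = {
    "111008": re.compile(r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.?$"),
    "111009": re.compile(r"User '(?P<user>[^']*)' executed cmd:(?P<cmd>.*)$"),
    "111010": re.compile(r"User '(?P<user>[^']*)', running '(?P<app>[^']*)' from IP "
                         r"'(?P<ip>[^']*)', executed '(?P<cmd>.*)'$"),
}


def parse_audit_line(line: str) -> Optional[dict]:
    """Return a record for a 111008/111009/111010 line, None for anything else."""
    tag = TAG_RE.search(line)
    if tag is None or tag["id"] not in BODY_RE:
        return None
    body = BODY_RE[tag["id"]].match(tag["body"])
    if body is None:
        return None
    f = body.groupdict()
    return {"id": tag["id"], "severity": int(tag["sev"]), "user": f["user"],
            "cmd": f["cmd"].strip(), "app": f.get("app"), "src_ip": f.get("ip")}


def audit_events(lines, include_show: bool = False) -> list:
    """Collect command-audit records, dropping 'show' commands unless asked for."""
    events = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or (not include_show and rec["cmd"].startswith("show")):
            continue
        events.append(rec)
    return events
```

Run over the constructed lines, the default call returns only the two configuration commands, while include_show=True also keeps the 111009 "show running-config" record; an empty user field in any record is the quickest way to spot the missing-identity problem described earlier in the thread.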
