Cisco ASA 5580

nicwill1970
Level 1

Does anyone know if it is possible for a Cisco ASA 5580 to create Syslog entries when someone connects via HTTPS or SSH to it? I need to obtain information from Syslog when someone does this.

Thanks

5 Replies

mirober2
Cisco Employee

Hi Nicola,

There are a couple of different logs you could look at, but %ASA-6-605005 is probably the best. It will tell you when someone successfully logs in to the firewall and give you their client IP and username. Here is an example:

%ASA-6-605005: Login permitted from 192.168.0.10/52475 to inside:192.168.0.254/ssh for user "mirober2"

Here is the syslog guide for this message:
http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html#wp4774353

Hope that helps.

-Mike
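
An added example, not part of the original post or any Cisco tooling: a Python parser for the 605005 line shown above that extracts the client IP, interface, service and username, and flags logins from sources outside an allow-list. The allow-list, the `https` service string, and the second and third sample lines are constructed assumptions.

```python
import re
from collections import Counter

# The severity digit is matched loosely because the level of a message ID
# can be reassigned in the ASA logging configuration.
LOGIN_RE = re.compile(
    r'%ASA-(?P<severity>\d)-605005: Login permitted from '
    r'(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) to '
    r'(?P<interface>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<service>\S+) '
    r'for user "(?P<user>[^"]*)"'
)

def parse_login(line):
    """Return the fields of a 605005 line as a dict, or None if no match."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["src_port"] = int(rec["src_port"])
    return rec

def summarize(lines, allowed_sources):
    """Count logins per service; collect logins from unlisted source IPs."""
    per_service = Counter()
    unexpected = []
    for line in lines:
        rec = parse_login(line)
        if rec is None:
            continue  # not a management-login message
        per_service[rec["service"]] += 1
        if rec["src_ip"] not in allowed_sources:
            unexpected.append(rec)
    return per_service, unexpected

# First line is the example from the post; the rest are constructed.
SAMPLE = [
    '%ASA-6-605005: Login permitted from 192.168.0.10/52475 to inside:192.168.0.254/ssh for user "mirober2"',
    'Jan 10 12:00:01 fw1 %ASA-3-605005: Login permitted from 198.51.100.7/40112 to mgmt:192.0.2.1/https for user "admin"',
    'Jan 10 12:00:02 fw1 %ASA-6-999999: constructed non-login message',
]

if __name__ == "__main__":
    counts, unexpected = summarize(SAMPLE, allowed_sources={"192.168.0.10"})
    print(dict(counts))
    for rec in unexpected:
        print("unexpected source:", rec["src_ip"], rec["user"], rec["service"])
```
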

Hi,

Thanks for that

However, I can see the 605005 on other Cisco firewalls, and see a message similar to

%ASA-6-605005: Login permitted from 192.168.0.10/52475 to inside:192.168.0.254/ssh for user "mirober2

But on the 5580, I don't see this entry in the logs when I log in. I was wondering if it was a configuration thing?

Nicola

Hi Nicola,

You'll need to make sure you have logging enabled at the informational (6) or debugging (7) level to see this log. Also double check to make sure you don't have message 605005 disabled. The syslog messages will be the same on all ASA platforms.

If the configuration looks okay for you, please share the output of 'show run logging'.

-Mike

Hi Mike,

Sorry I wasn't around yesterday.

Logging is enabled and set to notifications.

605005 is enabled and set to 'error' so it should get picked up.

We also have an ASA 5520 which logs to syslog when you log in with SSH, but not when you log in with HTTPS.

This is set to log from debugging upwards, so should pick up everything.

I know that both SSH and HTTPS relate to 605005.

We also have an FWSM which is set up the same as the 5580.

This logs both SSH and HTTPS connections.

All very strange!!

But I am new to all this, so may have missed something.

Any ideas?

Thanks

Nicola

Hi Nicola,

Check the output of both 'show logging queue' and 'show logging | i logging' on the 5580 to make sure no messages are being discarded for some reason. Depending on your logging config and how busy the firewall is, maybe the logs are being dropped.

Also, please post the output of 'show run logging' and let us know what code version the 5580 is running.

-Mike
