01-14-2014 09:17 AM - edited 03-11-2019 08:29 PM
I want to see what administrative users are logged into a firewall, like "show user" in IOS. I seem to have forgotten how to do this. Or perhaps I never knew. Can anyone provide the CLI command?
Thanks,
-Jeff
01-14-2014 09:46 AM
Hi,
Try the following commands
show ssh sessions
show asdm session
Hope this helps
- Jouni
01-14-2014 09:54 AM
Hi,
On ASA you could run the following commands to check the IPs from which someone has logged in to the ASA:
show ssh sessions
To display information about the active SSH sessions on the ASA, use the show ssh sessions command in privileged EXEC mode.
show asdm sessions
To display a list of active ASDM sessions and their associated session IDs, use the show asdm sessions command in privileged EXEC mode.
who
To display active Telnet administration sessions on the ASA, use the who command in privileged EXEC mode.
To check through syslog messages, like on an SNMP server or syslog server, you have to configure the following commands:
1. First we have to enable logging on ASA.
logging enable
2. Then we need to set up a logging list with the syslog IDs which we want to see in the logging messages.
logging list cmds(name of logging list) message 111008
logging list cmds message 111009
logging list cmds message 111010
logging list cmds message 605005
Here, syslog messages specified above correspond to the following:
111008
Error Message %ASA-5-111008: User user executed the command string
Explanation The user entered any command, with the exception of a show command.
Error Message %ASA-7-111009:User user executed cmd:string
Explanation The user entered a command that does not modify the configuration. This message appears only for show commands.
Error Message %ASA-5-111010: User username, running application-name from IP ip addr, executed cmd
Explanation A user made a configuration change.
•username—The user making the configuration change
•application-name—The application that the user is running
•ip addr—The IP address of the management station
•cmd—The command that the user has executed
Error Message %ASA-6-605005: Login permitted from source-address/source-port to interface:destination/service for user "username"
The following form of the message appears when the user logs in to the console:
Login permitted from serial to console for user "username"
Explanation A user was authenticated successfully, and a management session started.
•source-address—Source address of the login attempt
•source-port—Source port of the login attempt
•interface—Destination management interface
•destination—Destination IP address
•service—Destination service
•username—Destination management interface
3. Commands to configure ASA to send logs to syslog server.
- Prateek Verma
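Added example, not part of the original posts or Cisco's own tooling: a Python sketch that reads syslog lines carrying the 605005 and 111010 messages described above and builds a per-user record of management logins and configuration changes, flagging changes from an address with no login seen for that user. The sample lines, user names and addresses are constructed, and the optional quoting around fields is an assumption.

```python
import re
from collections import defaultdict

MSG = re.compile(r"%ASA-\d-(?P<id>\d{6}):\s*(?P<body>.*)$")
LOGIN = re.compile(r'Login permitted from (?P<src>\S+) to (?P<dst>\S+) for user "(?P<user>[^"]*)"')
# Quotes around fields are optional: an assumption, since the template on the page shows none.
CHANGE = re.compile(r"User '?(?P<user>[^',]+)'?, running '?(?P<app>[^']+?)'? "
                    r"from IP (?P<ip>[0-9A-Fa-f.:]+), executed '?(?P<cmd>.*?)'?$")

def parse_line(line):
    """Return a dict for a 605005 or 111010 message, else None."""
    m = MSG.search(line.strip())
    if not m:
        return None
    if m["id"] == "605005" and (f := LOGIN.search(m["body"])):
        src_ip = f["src"].partition("/")[0]      # "serial" for console logins
        service = f["dst"].rpartition("/")[2]    # "console" for console logins
        return {"type": "login", "user": f["user"], "ip": src_ip, "service": service}
    if m["id"] == "111010" and (f := CHANGE.search(m["body"])):
        return {"type": "change", "user": f["user"], "ip": f["ip"], "cmd": f["cmd"]}
    return None

def audit(lines):
    """Per-user logins and config changes, plus changes with no matching login seen."""
    users = defaultdict(lambda: {"logins": [], "changes": []})
    unmatched = []
    for ev in filter(None, map(parse_line, lines)):
        rec = users[ev["user"]]
        if ev["type"] == "login":
            rec["logins"].append((ev["ip"], ev["service"]))
        else:
            rec["changes"].append((ev["ip"], ev["cmd"]))
            if all(ip != ev["ip"] for ip, _ in rec["logins"]):
                unmatched.append((ev["user"], ev["ip"], ev["cmd"]))
    return dict(users), unmatched

# Constructed sample lines (documentation addresses), not captured from a device.
SAMPLE = [
    'Jan 14 2014 09:40:01 fw1 : %ASA-6-605005: Login permitted from 192.0.2.10/51234 to inside:198.51.100.1/ssh for user "admin1"',
    "Jan 14 2014 09:41:12 fw1 : %ASA-5-111010: User 'admin1', running 'CLI' from IP 192.0.2.10, executed 'logging enable'",
    'Jan 14 2014 09:45:30 fw1 : %ASA-6-605005: Login permitted from serial to console for user "ops2"',
    "Jan 14 2014 09:50:02 fw1 : %ASA-5-111010: User 'admin1', running 'CLI' from IP 192.0.2.77, executed 'logging list cmds message 605005'",
    "Jan 14 2014 09:51:00 fw1 : %ASA-6-302013: Built inbound TCP connection",
]

if __name__ == "__main__":
    users, unmatched = audit(SAMPLE)
    print(users)
    print("changes without a logged login:", unmatched)
```

A change listed as unmatched may simply come from a session that started before the log window, so treat it as a prompt to check, not as proof of misuse.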
01-14-2014 11:25 AM
Thank you for the (very) thorough answer Prateek! I will make use of that logging list.
-Jeff
01-14-2014 11:24 AM
That's it!
Thanks Jouni