06-06-2010 02:55 AM - edited 03-11-2019 10:55 AM
Hi guys,
Just wanted to know how to configure the ASA with email alerts for successful login to the ASA using telnet or ASDM.
Thanks,
Jvalin
06-06-2010 04:11 AM
Jvalin,
I assume you have everything but logging component configured.
How about creating a logging list of interesting syslogs and sending them?
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772936
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1773126
Messages indexed:
https://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html
maybe:
Marcin
06-06-2010 04:38 AM
Marcin,
Thanks for the links. I checked all those, but the mails are still not working.
What I did in ASDM is:
1) set up the SMTP server - "internal ip address of the mail-server"
2) configured "send from email address"
3) configured "send to email address"
4) configured "event-list" --> event-class as auth and severity - alert
"event-list" --> event-class as config and severity - alert
5) configured "logging filters" and in the email section I gave the event-list as the severity
Anything else I am forgetting?
Regards,
Jvalin
06-06-2010 04:56 AM
Jvalin,
Can you rather show the CLI config? No access to ASDM on my side.
-------
show run logg
show run smtp-s (or maybe show run smtp?)
--------
Marcin
06-06-2010 05:21 AM
I remember an earlier thread that I answered a while ago. It ended up being the e-mail server not accepting e-mails from the firewall's IP address.
Pls. make sure the e-mail server is configured to accept e-mail from the firewall's IP address.
Wireshark capture on the e-mail server will be useful as well.
Just move one of the normal messages like 111008 to level 1 for testing purpose only and issue a "write mem" that should trigger an e-mail to be sent.
logging message 111008 level 1
Once the test is done you can remove the above line.
-KS
06-06-2010 05:41 AM
logging enable
logging timestamp
logging list email-for-login level emergencies class auth
logging list email-for-login level emergencies class config
logging list email-for-login message 111008
logging history informational
logging asdm informational
logging recipient-address xxxx@abc.com level emergencies
logging facility 23
logging debug-trace
logging class auth mail alerts
logging class config mail alerts
logging message 111008 level alerts
Is this ok guys??
06-06-2010 05:47 AM
Yes that appears correct. You have the smtp-server configured right?
command - smtp-server
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1507977
-KS
06-06-2010 05:50 AM
asa5510# sh run smtp-server
smtp-server 192.168.102.50
asa5510#
06-06-2010 06:39 AM
I don't see logging list assigned to logging mail.
logging mail list NAME_OF_LIST
06-06-2010 06:44 AM
logging enable
logging timestamp
logging list email-for-login level alerts class auth
logging list email-for-login level alerts class config
logging list email-for-login message 111008
logging history informational
logging asdm informational
logging mail email-for-login   <--- I gave it afterwards
logging from-address abc@xxx.com
logging recipient-address abc@xxx.com level alerts
logging facility 23
logging debug-trace
logging class auth mail alerts
logging class config mail alerts
logging message 111008 level alerts
It's working now, guys. Thanks to both of you.
06-06-2010 06:51 AM
Guys,
By configuring these commands,
I am getting alerts only when anybody configures using ASDM,
but not by command line.
Any ideas greatly appreciated.
Regards,
Jvalin
06-06-2010 07:31 AM
710002 would be the message you're looking for when someone logs in. I'd have to dig in a bit more to see what ASDM puts in syslogs. Or you can check it by monitoring logging to other facilities.
06-06-2010 10:58 AM
Are you looking for these messages?
When you ssh to the unit you see the following:
Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"
Jun 06 2010 13:03:09: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:03:09: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:03:09: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.
When you telnet to the unit you see the following.
Jun 06 2010 13:04:16: %ASA-6-605005: Login permitted from 192.168.2.2/1308 to inside:192.168.2.1/telnet for user ""
Jun 06 2010 13:04:20: %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Jun 06 2010 13:04:20: %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
Jun 06 2010 13:04:20: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:04:20: %ASA-5-502103: User priv level changed: Uname: cisco From: 1 To: 15
Jun 06 2010 13:04:20: %ASA-5-111008: User 'enable_1' executed the 'enable' command.
Both ssh and telnet log the same syslog messages. Whichever messages you are interested in, just add them to the mail list.
-KS
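The login lines quoted in the last post can also be parsed off-box, for example on a syslog collector. The following is an added example, not part of the original thread: it pairs each 605005 "Login permitted" line with the following 611101 line, because the telnet 605005 line carries an empty user name. The function name, the 30-second window and the one-login-at-a-time pairing are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: a subset of the SSH and telnet lines quoted in the post above.
SAMPLE = '''\
Jun 06 2010 13:03:07: %ASA-6-605005: Login permitted from 10.117.14.66/56023 to 172-net:172.18.254.34/ssh for user "cisco"
Jun 06 2010 13:03:09: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:03:09: %ASA-5-111008: User 'cisco' executed the 'enable' command.
Jun 06 2010 13:04:16: %ASA-6-605005: Login permitted from 192.168.2.2/1308 to inside:192.168.2.1/telnet for user ""
Jun 06 2010 13:04:20: %ASA-6-611101: User authentication succeeded: Uname: cisco
Jun 06 2010 13:04:20: %ASA-5-111008: User 'enable_1' executed the 'enable' command.
'''

LINE = re.compile(r'^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): '
                  r'%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$')
LOGIN = re.compile(r'Login permitted from (?P<src>\S+)/\d+ to (?P<ifc>[^:\s]+):'
                   r'(?P<dst>\S+)/(?P<svc>\w+) for user "(?P<user>[^"]*)"')
AUTH = re.compile(r'User authentication succeeded: Uname: (?P<user>\S+)')
WINDOW = timedelta(seconds=30)  # assumed correlation window, not an ASA setting

def management_logins(text):
    """Return one dict per 605005 line; an empty user is filled from the next 611101.

    Assumes logins do not interleave: only the latest 605005 is awaiting a match.
    """
    logins, pending = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ASA syslog line in the timestamped format
        ts = datetime.strptime(m['ts'], '%b %d %Y %H:%M:%S')
        if m['id'] == '605005':
            lm = LOGIN.search(m['msg'])
            if lm:
                pending = {'time': ts, 'src': lm['src'], 'interface': lm['ifc'],
                           'service': lm['svc'], 'user': lm['user'],
                           'authenticated': False}
                logins.append(pending)
        elif m['id'] == '611101' and pending and ts - pending['time'] <= WINDOW:
            am = AUTH.search(m['msg'])
            # Accept the match only if 605005 had no user or the same user.
            if am and pending['user'] in ('', am['user']):
                pending['user'] = am['user']
                pending['authenticated'] = True
                pending = None
    return logins
```

A 605005 entry that stays at `authenticated: False` means no matching 611101 arrived inside the window, which is worth reviewing separately from the successful logins.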