01-19-2022 01:06 AM
Hello!
Problem:
When connecting users via VPN and using the ISE as a RADIUS server, DACLs are applied.
This generates a message to the ASA which is sent to the syslog server:
%ASA-5-111008: User 'aaa-acl' executed the 'access-list #ACSACL#***' command.
Is there any way to hide only messages/lines with the user "aaa-all"?
01-19-2022 01:31 AM
@alina.sidorova you are best off configuring a list of syslog message IDs you do want to send to the SYSLOG server.
01-19-2022 01:46 AM
Hello, Rob!
The problem is that I want to send messages with id 111008, but only those that don't contain aaa-acl.
01-19-2022 02:05 AM
@alina.sidorova possibly not that from the ASA, that message is variable.
Error Message %ASA-5-111008: User user executed the command string
Explanation The user entered any command, with the exception of a show command.
Recommended Action None required.
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_8587071
Perhaps whatever SYSLOG system you have can filter messages with "aaa-acl" in?
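The receiver-side filtering suggested above, as an added example that is not part of the original thread: it drops a 111008 line only when the parsed user field is exactly 'aaa-acl' and the command is a DACL install, so other users' commands that merely mention that string stay in the audit trail. The function names, the host name and the sample lines (including the DACL name) are constructed for illustration.

```python
import re

# Format from the Cisco reference quoted above:
#   %ASA-5-111008: User 'user' executed the 'command' command.
# The command group is greedy so quotes inside the command do not cut it short.
ASA_111008 = re.compile(
    r"%ASA-\d-111008: User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\."
)

DACL_USER = "aaa-acl"                      # user name shown in the thread
DACL_CMD_PREFIX = "access-list #ACSACL#"   # command prefix shown in the thread


def is_dacl_noise(line: str) -> bool:
    """True only for 111008 lines generated by DACL installation."""
    m = ASA_111008.search(line)
    if m is None:
        return False  # other message IDs are never suppressed
    # Compare the parsed fields, not a substring of the whole line.
    return m.group("user") == DACL_USER and m.group("cmd").startswith(DACL_CMD_PREFIX)


def filter_lines(lines):
    """Return the lines that should still be stored or forwarded."""
    return [line for line in lines if not is_dacl_noise(line)]


# Constructed sample input (not captured from a real device).
SAMPLE = [
    "Jan 19 2022 01:06:00 asa-example : %ASA-5-111008: User 'aaa-acl' executed the "
    "'access-list #ACSACL#-IP-EXAMPLE-DACL-00000000 extended permit ip any any' command.",
    "Jan 19 2022 01:07:10 asa-example : %ASA-5-111008: User 'admin' executed the "
    "'access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443' command.",
    "Jan 19 2022 01:07:30 asa-example : %ASA-5-111008: User 'admin' executed the "
    "'username aaa-acl-test privilege 1' command.",
    "Jan 19 2022 01:08:00 asa-example : %ASA-5-111008: User 'aaa-acl' executed the "
    "'configure terminal' command.",
    "Jan 19 2022 01:09:00 asa-example : %ASA-6-605005: Login permitted from "
    "192.0.2.5/51000 to inside:192.0.2.1/ssh for user \"admin\"",
]

if __name__ == "__main__":
    for kept in filter_lines(SAMPLE):
        print(kept)
```

Matching on the line as a whole for "aaa-acl" would also discard the third sample line, which is an administrator's configuration change.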
01-19-2022 02:09 AM
This option is possible, but we are concerned about possible overload, given the large infrastructure.
Thanks for the answer!