
How to log FWSM admin changes to syslog? Can this be done?

tboneshep (Level 1)

Here is our current logging on the FWSM. We can see console user names on the syslog report, but it does not show the changes being made. Is it possible that whatever ACLs or other items are added/deleted can be sent to the syslog server? Current settings:

FWSM-ADRP# show run | i logging
logging enable
logging timestamp
no logging names
logging list admin_logging level informational class config
logging list notif-list level critical
logging list notif-list level warnings class ha
logging list notif-list message 104024-105999
logging buffer-size 1000000
logging console critical
logging monitor warnings
logging buffered informational
logging trap debugging
logging history informational
logging asdm warnings
logging mail emergencies
logging from-address adrp-fwsm@bla-bla.mil
logging recipient-address wayne.a.shepherd@bla-bla.mil level alerts

logging host inside 10.192.10.13

5 Replies

Vibhor Amrodia (Cisco Employee)

Hi,

I think you need to use syslog messages like 111008, and then you would be able to see the changes made by any user on the FWSM, corresponding to their usernames.

You can also use some of the other syslog IDs available.

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm31/system/message/fwsm_log/logmsgs.html#wp1280203

Thanks and Regards,

Vibhor Amrodia

Thanks for the quick response. I added that message, and several others in that range, but when I do a simple shun IP, that is not being displayed in the syslog messages. The syslog shows only that I entered/exited config mode, but not changes made like an ACL or shun. Odd thing is, when I add "logging message 111008 level notifications", the console accepts the command, but when I do "sho run | i logging message", the message is not showing up as configured:

FWSM-ADRP# sho run | i logging message
logging message 201009 level notifications
logging message 201003 level notifications
logging message 201002 level notifications
logging message 201004 level notifications
logging message 111111 level notifications
logging message 111009 level notifications
logging message 110001 level notifications

Also, I added the following:

FWSM-ADRP(config)# logging list notif-list level notifications class config
FWSM-ADRP(config)# logging class config trap notifications

trap should be going to the syslog server for all messages in this group ( http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm31/configuration/guide/fwsm_cfg/monitr_f.html#wp1099552 ):

Class: config
Description: Command interface
Syslog message ID numbers: 111, 112, 208, 308

Hi,

Can you provide me some outputs of the syslog messages that you are seeing for that message ID (111008)?

Thanks and Regards,

Vibhor Amrodia

Thanks Vibhor for the reply, sorry for the delay and Happy New Year. When I add

FWSM-ADRP(config)# logging message 111008 level notifications

the FWSM appears to accept the command, but when I do "show run | i logging message", the message does not appear to be configured. The local monitor does show this message from the buffer when I immediately execute a command:

FWSM-ADRP# show logging | i 111008
<165>Jan 05 2015 08:17:35: %FWSM-5-111008: User 'shep' executed the 'no shun 10.12.187.160' command.

I went ahead and changed this as follows:

no logging list notif-list message 104024-105999
logging list notif-list level notifications class session
logging list notif-list message 104024-108999

Good news in the attachment: we can see the logged FWSM message 111008 from our ArcSite syslog showing that I made a change, but it still does NOT indicate what the changes were. We're still looking for the changes made to be displayed on our syslog server.
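As an added example (not code from this thread, and not Cisco's), here is a small Python parser for the %FWSM-5-111008 line quoted above. The 111008 text carries the executed command inside the second pair of quotes, so a collector can record the change itself (the shun, the ACL line) rather than only the fact that someone entered config mode. The first sample line is the one from the thread; the other lines are constructed, and the config-class ID prefixes (111, 112, 208, 308) are taken from the documentation table quoted earlier in the thread.

```python
import re
from typing import Dict, List, Optional

# Sample syslog lines. The first is the 111008 line from the thread; the
# remaining three are constructed for this example.
SAMPLE_LINES = [
    "<165>Jan 05 2015 08:17:35: %FWSM-5-111008: User 'shep' executed the "
    "'no shun 10.12.187.160' command.",
    "<165>Jan 05 2015 08:18:02: %FWSM-5-111008: User 'shep' executed the "
    "'access-list outside_in line 1 extended deny ip any any' command.",
    "<166>Jan 05 2015 08:18:40: %FWSM-6-302013: Built inbound TCP connection "
    "12345 for outside:10.0.0.5/4321 (10.0.0.5/4321) to inside:10.1.1.7/22 "
    "(10.1.1.7/22)",
    "<165>Jan 05 2015 08:19:11: %FWSM-5-111008: User 'enable_15' executed the "
    "'configure terminal' command.",
]

# Message-ID families the FWSM documentation assigns to the "config" class
# (command interface). Taken from the table quoted in the thread.
CONFIG_CLASS_PREFIXES = ("111", "112", "208", "308")

# Optional <PRI>, then "Mon DD YYYY HH:MM:SS: %FWSM-<sev>-<id>: <body>"
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%FWSM-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$"
)

# Body format of 111008 as shown in the thread:
#   User 'shep' executed the 'no shun 10.12.187.160' command.
CMD_RE = re.compile(r"^User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.$")


def parse_fwsm(line: str) -> Optional[Dict[str, object]]:
    """Parse one FWSM syslog line into a dict, or return None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = {
        "timestamp": m.group("ts"),
        "severity": int(m.group("sev")),
        "id": m.group("id"),
        "body": m.group("body"),
        # IDs in the 111/112/208/308 families belong to the config class
        "config_class": m.group("id").startswith(CONFIG_CLASS_PREFIXES),
        "user": None,
        "cmd": None,
    }
    if m.group("pri") is not None:
        # Syslog PRI = facility * 8 + severity
        pri = int(m.group("pri"))
        rec["facility"] = pri >> 3
        rec["pri_severity"] = pri & 7
    if rec["id"] == "111008":
        cm = CMD_RE.match(m.group("body"))
        if cm:
            rec["user"] = cm.group("user")
            rec["cmd"] = cm.group("cmd")
    return rec


def admin_changes(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the records where a user-executed command could be extracted."""
    out = []
    for line in lines:
        rec = parse_fwsm(line)
        if rec is not None and rec["cmd"] is not None:
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in admin_changes(SAMPLE_LINES):
        print(f"{rec['timestamp']}  {rec['user']:<10}  {rec['cmd']}")
```

Running the block prints one line per extracted change (user and the exact command). Because the FWSM emits 111008 at severity 5 (notifications), the `logging trap` level and any `logging list` used for the host must admit notifications or the message never reaches the collector; the `config_class` flag makes it easy to route just the command-interface families to a separate review queue.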
