12-18-2014 10:30 AM - edited 03-11-2019 10:14 PM
Here is our current logging on the FWSM; we can see console user names on the syslog report, but it does not show changes being made. Is it possible that whatever ACLs or whatever else are added/deleted can be sent to the syslog server? Current settings:
FWSM-ADRP# show run | i logging
logging enable
logging timestamp
no logging names
logging list admin_logging level informational class config
logging list notif-list level critical
logging list notif-list level warnings class ha
logging list notif-list message 104024-105999
logging buffer-size 1000000
logging console critical
logging monitor warnings
logging buffered informational
logging trap debugging
logging history informational
logging asdm warnings
logging mail emergencies
logging from-address adrp-fwsm@bla-bla.mil
logging recipient-address wayne.a.shepherd@bla-bla.mil level alerts
logging host inside 10.192.10.13
12-19-2014 05:50 AM
Hi,
I think you need to use syslog messages like 111008, and then you would be able to see the changes made by any user on the FWSM corresponding to their usernames.
You can also use some of the other syslog IDs available.
Refer:
http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm31/system/message/fwsm_log/logmsgs.html#wp1280203
Thanks and Regards,
Vibhor Amrodia
12-19-2014 08:45 AM
Thanks for the quick response. I added that message, and several others in that range, but when I do a simple shun IP, that is not being displayed in the syslog messages. The syslog shows only that I entered/exited config mode, but not changes made like an ACL or shun. Odd thing is, when I add
logging message 111008 level notifications
the console accepts the command, but when I do "sho run | i logging message", the message is not showing up as configured:
FWSM-ADRP# sho run | i logging message
logging message 201009 level notifications
logging message 201003 level notifications
logging message 201002 level notifications
logging message 201004 level notifications
logging message 111111 level notifications
logging message 111009 level notifications
logging message 110001 level notifications
Also, I added the following:
FWSM-ADRP(config)# logging list notif-list level notifications class config
FWSM-ADRP(config)# logging class config trap notifications
trap should be going to the syslog server for all messages in this group ( http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm31/configuration/guide/fwsm_cfg/monitr_f.html#wp1099552 )
Class | Definition | Message ID numbers
config | Command interface | 111, 112, 208, 308
12-22-2014 10:18 PM
Hi,
Can you provide me some output of the syslog messages that you are seeing for that message ID, 111008?
Thanks and Regards,
Vibhor Amrodia
01-05-2015 09:11 AM
Thanks Vibhor for the reply, sorry for the delay and Happy New Year. When I add
FWSM-ADRP(config)# logging message 111008 level notifications
The FWSM appears to accept the command, but when I show run | i logging message, the message does not appear to be configured. The local monitor does show this message from the buffer when I immediately execute a command:
FWSM-ADRP# show logging | i 111008
<165>Jan 05 2015 08:17:35: %FWSM-5-111008: User 'shep' executed the 'no shun 10.12.187.160' command.
I went ahead and changed this as follows:
no logging list notif-list message 104024-105999
logging list notif-list level notifications class session
logging list notif-list message 104024-108999
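The thread turns on two things: message 111008 is what records each command a user runs, and a message only reaches a destination (trap, buffer, list) if its severity passes the level configured there (111008 is severity 5, notifications, as the "%FWSM-5-111008" line above shows). The following receiver-side parser is an added example, not code from the thread or from Cisco: it parses FWSM syslog lines in the format shown in the "show logging" output above, pulls the user and command out of 111008 messages, classifies a message ID into the "config" class using the prefix row quoted from the FWSM configuration guide (111, 112, 208, 308), and checks a severity against a named logging level. The sample lines other than the one from the thread are constructed, and the 302013 text is only illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line format as seen in the thread's "show logging" output:
#   <PRI>Mon DD YYYY HH:MM:SS: %FWSM-<severity>-<msgid>: <text>
FWSM_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%FWSM-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"(?P<text>.*)$"
)

# 111008 text as it appears on the page: User 'x' executed the 'y' command.
CMD_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command\.")

# Message-ID prefixes of the "config" logging class, from the table row quoted in the thread.
CONFIG_CLASS_PREFIXES = ("111", "112", "208", "308")

# Standard syslog severity names as used by the FWSM "logging ... level" keywords.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}


@dataclass
class FwsmEvent:
    severity: int
    msgid: str
    timestamp: str
    text: str
    user: Optional[str] = None
    command: Optional[str] = None

    @property
    def is_config_class(self) -> bool:
        # Class membership is decided by the first three digits of the message ID.
        return self.msgid[:3] in CONFIG_CLASS_PREFIXES


def parse_line(line: str) -> Optional[FwsmEvent]:
    """Parse one FWSM syslog line; return None for lines in any other format."""
    m = FWSM_RE.match(line.strip())
    if not m:
        return None
    ev = FwsmEvent(severity=int(m["sev"]), msgid=m["msgid"],
                   timestamp=m["ts"], text=m["text"])
    if ev.msgid == "111008":
        c = CMD_RE.match(ev.text)
        if c:
            ev.user, ev.command = c["user"], c["cmd"]
    return ev


def passes_level(severity: int, configured_level: str) -> bool:
    """True when a message of this severity is emitted at the given logging level.

    Lower numbers are more severe, so a destination set to 'critical' (2) drops
    a 111008 (5), while 'notifications' (5) or anything higher keeps it.
    """
    return severity <= LEVELS[configured_level]


def config_changes(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, command) for every 111008 line: each command run by an admin."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.msgid == "111008" and ev.command:
            out.append((ev.user, ev.command))
    return out


# Constructed sample input: the first line is the one from the thread, the rest are made up.
SAMPLE = [
    "<165>Jan 05 2015 08:17:35: %FWSM-5-111008: User 'shep' executed the 'no shun 10.12.187.160' command.",
    "<166>Jan 05 2015 08:18:02: %FWSM-6-302013: Built inbound TCP connection (constructed sample text)",
    "<165>Jan 05 2015 08:19:10: %FWSM-5-111008: User 'shep' executed the 'shun 10.12.187.160' command.",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for user, cmd in config_changes(SAMPLE):
        print(f"{user} ran: {cmd}")
    print("111008 kept at level critical?", passes_level(5, "critical"))
    print("111008 kept at level notifications?", passes_level(5, "notifications"))
```

Running this on a syslog server's collected lines gives a per-user list of configuration commands, which is the audit trail the original question asks for; the passes_level check shows why the earlier "logging list notif-list level critical" entry would never carry 111008 while the later "level notifications class config" entry does.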
01-05-2015 02:07 PM