Searching logs in ASDM for IP address

mahesh18
Level 6

Hi Everyone,

I need to check logs for a user PC IP in ASDM.

I am on the ASDM page that shows the real-time log viewer.

Under Filter By I put the user PC IP address and click on Filter, and it shows blank?

Thanks

Mahesh

11 Replies

Jouni Forss
VIP Alumni

Hi,

It usually either means that the user's connection isn't reaching the ASA

OR

Your firewall ASDM logging level isn't high enough

Usually I have the ASDM logging level as "informational"

If you check the logging configuration on the CLI you can use the command "show run logging"

And see that "logging asdm informational" is included in the output. If not you will need to add it.

Though you should be able to define it before opening the log window on the ASDM also.

- Jouni

Hi Jouni.

I ran the command sh run logging

It shows logging asdm critical.

On ASDM it shows

logging level debugging

Is there a command I can use to check the logs while I am on the ASA by SSH?

Thanks

Mahesh

Hello

With logging level debugging you are basically logging everything

While connected via SSH

do a show logging | include x.x.x.x (the IP address of the host you want to check)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Did that, nothing comes back.

Also can you tell me the difference between

when I run the command on the CLI sh run logging

it says logging asdm critical.

When I log in to the device using ASDM it says logging level debugging?

So what is the ASDM logging level, is it critical or debugging?

Thanks

Mahesh

Okay,

Do the following

logging buffered debugging

Then clear logging

and finally

show logging | include x.x.x.x

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

If you have a high amount of traffic and not a large buffer configured then it will be pretty hard checking the logs on the SSH connection.

Using ASDM or a separate syslog server is better in this case.

I would suggest configuring the "logging asdm informational" on the CLI and then checking the situation again on the ASDM logs.

- Jouni

Hi Jouni,

I was able to check the logs on the syslog server.

I have a few questions here

Can you please let me know, when you say buffer size, does this mean for logging to the CLI or ASDM?

Also can you tell me the difference between

when I run the command on the CLI sh run logging

it says logging asdm critical.

When I log in to the device using ASDM it says logging level debugging?

So what is the ASDM logging level, is it critical or debugging?

Thanks

Mahesh

Hi Mahesh,

With the buffer size I meant the setting which defines how many logs the ASA keeps in its buffer, which you can check on the CLI.

For example my setting in CLI format is this (Home ASA)

logging buffer-size 8192

This simply states how many bytes of logs are stored in the buffer of the ASA at any given time

ASA(config)# logging buffer-size ?

configure mode commands/options:

  <4096-1048576>  Specify logging buffer size in bytes

I think there is a separate setting for ASDM also, but I have never had the need to touch that setting

Regarding the command "show run logging" in the CLI. I too have witnessed that the CLI configuration might have some different logging level than the one shown in the ASDM.

I have never gone into depth with the setting so I can't give you a 100% sure answer at the moment.

I would imagine the setting on the ASDM side refers to some setting that only applies to the ASDM session you have open.

I would also imagine that the setting you see in the CLI with "show run logging" is the setting that is statically configured to apply always.

Did you check the ASDM logging level on ASDM from the following menu?

Configuration (Top Bar) -> Device Management (Bottom Left) -> Logging (Drop Down Menu) -> Logging Filters (Drop Down Menu)

- Jouni

Hi Jouni,

Did you check the ASDM logging level on ASDM from the following menu

Configuration (Top Bar) -> Device Management (Bottom Left) -> Logging (Drop Down Menu) -> Logging Filters (Drop Down Menu)

Yes, I checked this way.

Logging setup shows

Also when I click on logging I see on ASDM that logging is enabled.

Logging to internal buffer

Buffer size is 4098

ASDM logging shows

QUEUE SIZE shows 100

Seems 100 is quite small.

Thanks a lot for answering the questions.

Best regards

Mahesh

Message was edited by: mahesh parmar

So there is absolutely no way to search logs in the GUI for a particular IP?

@jerryroy777 this thread is 7 years old.

Yes you can absolutely search the logs in the ASDM GUI for a specific endpoint IP address. However if the traffic isn't reaching the ASA in the first place you may not get any results in your search.

If I search in the ASDM Realtime log viewer and don't find what I think should be there, the next level of troubleshooting is to do a packet capture and look for the raw packets incoming. (Assuming I've confirmed my logging level is correct and that there are no logging filters in place)
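
The following is an added example, not part of any post in this thread. It shows why a "logging asdm critical" setting leaves a search for a host blank (connection messages are logged at severity 6, informational) and why an IP search should match whole addresses. The host addresses, message lines and function names are constructed for illustration.

```python
import ipaddress
import re

# ASA severity keywords, 0-7; a configured level passes severities <= its index.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]
MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")
# Whole dotted quads only, so 10.1.1.10 is not found inside 10.1.1.100.
IP_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample data (not from the thread), in ASA syslog format.
SAMPLE_CONFIG = "logging enable\nlogging buffer-size 8192\nlogging asdm critical\n"
SAMPLE_LOG = """\
Jan 10 09:15:01 asa1 %ASA-6-302013: Built outbound TCP connection 4101 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.10/51000 (10.1.1.10/51000)
Jan 10 09:15:02 asa1 %ASA-4-106023: Deny tcp src inside:10.1.1.10/51001 dst outside:198.51.100.7/23 by access-group "inside_in" [0x0, 0x0]
Jan 10 09:15:03 asa1 %ASA-6-302013: Built outbound TCP connection 4102 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.100/51002 (10.1.1.100/51002)
Jan 10 09:15:04 asa1 %ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/4444 to 192.0.2.20/22 flags SYN on interface outside
"""


def asdm_level(show_run_logging):
    """Return the keyword from a 'logging asdm <level>' line, or None."""
    for line in show_run_logging.splitlines():
        parts = line.split()
        if parts[:2] == ["logging", "asdm"] and len(parts) > 2:
            return parts[2]
    return None


def search(log_text, host, level):
    """Return (shown, hidden) message IDs that mention host at this level."""
    want = str(ipaddress.ip_address(host))
    limit = LEVELS.index(level)
    shown, hidden = [], []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m or want not in IP_RE.findall(m.group(3)):
            continue
        (shown if int(m.group(1)) <= limit else hidden).append(m.group(2))
    return shown, hidden


if __name__ == "__main__":
    for lvl in (asdm_level(SAMPLE_CONFIG), "informational"):
        print(lvl, search(SAMPLE_LOG, "10.1.1.10", lvl))
```

A plain substring search for 10.1.1.10 would also return the 10.1.1.100 line, which the whole-address match above excludes.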
