11-28-2012 12:25 PM - edited 03-11-2019 05:29 PM
Hi,
I am trying to generate an SNMP trap for any configuration change done on a Cisco ASA; however, I am not able to achieve that. Can anyone help me out?
Regards,
Hesham
11-28-2012 01:08 PM
Hi Hesham,
It depends on what level of information you want to get.
- If you only want to know that the configuration was changed, but without details about what exact change was done, you can easily use logging to a syslog server.
- If you want to know what particular change was done, then you can use TACACS+ accounting on the ASA in cooperation with an AAA server, e.g. ACS.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1554939
regards,
Pawel
12-11-2012 03:45 AM
Hello Pawel,
I actually followed the first document you sent me and I am still not receiving any SNMP traps from the ASA to my NMS server. Can you please send me the exact commands to verify it on my end?
Regards,
Hesham
12-11-2012 10:40 AM
Hi Hesham,
The way I provided to you uses syslog messages rather than SNMP traps. Most NMSs have a built-in syslog server. Configuration sample below:
logging enable
logging buffered informational ! in fact this one was only used to see what exactly is being logged; you can omit it
logging trap informational
logging host inside 1.1.1.100
Sample of logs while configuration change is done:
ciscoasa# show logging
(...)
%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
%ASA-5-111008: User 'enable_15' executed the 'interface Ethernet 0/1' command.
%ASA-5-111008: User 'enable_15' executed the 'description DDD' command.
%ASA-5-111005: console end configuration: OK
%ASA-6-302015: Built outbound UDP connection 0 for inside:1.1.1.100/514 (1.1.1.100/514) to NP Identity Ifc:1.1.1.1/514 (1.1.1.1/514)
(...)
Captures proving the syslog has been sent out to the syslog server:
ciscoasa# show capture CAPIN
(...)
19: 00:08:34.199345 1.1.1.1.514 > 1.1.1.100.514: udp 71
20: 00:08:34.199345 1.1.1.1.514 > 1.1.1.100.514: udp 80
21: 00:08:34.679316 1.1.1.1.514 > 1.1.1.100.514: udp 50
I hope that helps. If not, just let me know.
regards,
Pawel
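To make Pawel's two points concrete (the syslog route from his first reply, and the 111008/111005 messages in the "show logging" output above), here is an added example that is not part of the original thread and not Cisco's or Pawel's code. It parses raw syslog lines in the form an ASA sends to a "logging host" (an RFC 3164 PRI header such as "<165>" followed by the "%ASA-severity-id:" message), picks out the configuration-change messages, and checks whether a given "logging trap" level would let them reach the syslog server. The sample lines are constructed here, modelled on the ones in the post; the set of message IDs treated as configuration changes (111008 and 111005) is taken from that output and is an assumption of the example, not a complete list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 3164 PRI header, "<facility*8+severity>", optional so that lines copied
# from "show logging" (which have no PRI) parse as well.
PRI_RE = re.compile(r"^(?:<(?P<pri>\d{1,3})>)?\s*")
# ASA message header: %ASA-<severity>-<six-digit message id>: <text>
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# Body of message 111008 as it appears in the thread's sample log.
CMD_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command\.?$")

# Message IDs seen in the thread's configuration-change log (assumption: this
# is not an exhaustive list of every ASA config-related message).
CONFIG_CHANGE_IDS = {"111008", "111005"}

# Cisco logging level names and their numeric severities.
ASA_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}


@dataclass
class AsaEvent:
    severity: int
    msgid: str
    text: str
    facility: Optional[int] = None   # from the PRI header, None if absent
    user: Optional[str] = None       # filled for 111008
    command: Optional[str] = None    # filled for 111008


def parse_asa_syslog(line: str) -> Optional[AsaEvent]:
    """Parse one syslog line; return None if it is not an ASA message."""
    pri_match = PRI_RE.match(line)
    facility = None
    if pri_match.group("pri") is not None:
        facility = int(pri_match.group("pri")) // 8
    asa_match = ASA_RE.search(line[pri_match.end():])
    if not asa_match:
        return None
    ev = AsaEvent(severity=int(asa_match.group("sev")),
                  msgid=asa_match.group("msgid"),
                  text=asa_match.group("text"),
                  facility=facility)
    if ev.msgid == "111008":
        cmd_match = CMD_RE.match(ev.text)
        if cmd_match:
            ev.user = cmd_match.group("user")
            ev.command = cmd_match.group("cmd")
    return ev


def config_change_events(lines: List[str]) -> List[AsaEvent]:
    """Keep only the messages that record a configuration change."""
    events = []
    for line in lines:
        ev = parse_asa_syslog(line)
        if ev is not None and ev.msgid in CONFIG_CHANGE_IDS:
            events.append(ev)
    return events


def passes_trap_level(trap_level: str, ev: AsaEvent) -> bool:
    """True if 'logging trap <trap_level>' would forward this message.

    A message is sent when its severity number is <= the configured level,
    so 'logging trap warnings' (4) drops the level-5 111008/111005 messages.
    """
    return ev.severity <= ASA_LEVELS[trap_level]


# Constructed sample lines, modelled on the thread's "show logging" output.
# <165> = facility 20 (local4, the ASA default) * 8 + severity 5.
SAMPLE_LINES = [
    "<165>%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.",
    "<165>%ASA-5-111008: User 'enable_15' executed the 'interface Ethernet 0/1' command.",
    "<165>%ASA-5-111008: User 'enable_15' executed the 'description DDD' command.",
    "<165>%ASA-5-111005: console end configuration: OK",
    "<166>%ASA-6-302015: Built outbound UDP connection 0 for inside:1.1.1.100/514 "
    "(1.1.1.100/514) to NP Identity Ifc:1.1.1.1/514 (1.1.1.1/514)",
    "not an ASA message at all",
]

if __name__ == "__main__":
    for ev in config_change_events(SAMPLE_LINES):
        print(ev.msgid, ev.user, ev.command or ev.text,
              "sent at 'logging trap informational':",
              passes_trap_level("informational", ev))
```

Feeding this the lines a syslog server actually receives (or the "show logging" buffer) is a quick way to confirm two things at once: that the ASA is emitting 111008/111005 at all, and that the configured "logging trap" level is not below notifications (5), which is the severity of both messages and is one reason a syslog server could see connection messages but never the configuration-change ones.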
02-02-2013 11:17 AM
Thank you Pawel,
Is it possible to use SNMP traps instead, since logs are already sent to a syslog server?
I am also not able to receive the syslog message that defines that a change has occurred!
Regards,
Hesham