No auth 113 syslog messages for users logging in via ASDM

support
Level 1

Hi,
This is something that's cropped up on our PCI audit recently.
Currently we have our ASA5516-X set up to output its syslogs to a monitoring server:

logging enable
logging trap errors
logging asdm informational
logging host DMZ1 x.x.x.x
logging permit-hostdown
logging class auth trap informational
logging class vpdn trap informational
logging class vpn trap informational
logging class vpnc trap informational
logging class webvpn trap informational
logging message 113005 level errors
logging message 611102 level errors
logging message 716039 level errors

Now one of the things I've noticed is that SSH-based logins to the box generate syslog messages of
113004, 113008, 611101, 605005.

According to this link https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/monitor-syslog.html
anything classed as beginning with 113 is classed as an auth type syslog message,
which is fine as these are being generated for SSH logins and captured via

logging class auth trap informational

However, with ASDM logins we're only seeing events of type 605005.
These, however, are not classed as auth type messages but System type messages.

The way around this we've done for now is just to add

logging message 605005 level errors
logging message 605004 level errors

to capture these on the monitoring server.

But my question is, should there be 113-style authentication messages when logging onto the ASDM / GUI?
Could this be a bug / oversight / intended behaviour?

Many Thanks,
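
The filtering behaviour described in the post above, as an added example that is not part of the original post and not Cisco code: a simplified Python model of how `logging trap`, `logging class ... trap` and `logging message ... level` decide whether a message ID reaches the syslog server. The 611 = vpnc class mapping and the default severity of 6 for every ID are assumptions to check against Cisco's syslog message guide.

```python
import re

# Severity keywords used by the ASA "logging" commands (lower number = more severe).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# ID prefix -> message class. 113 = auth and 605 = sys come from the thread;
# 611 = vpnc is an assumption to verify against Cisco's class table.
CLASS_BY_PREFIX = {"113": "auth", "605": "sys", "611": "vpnc"}
DEFAULT_SEVERITY = 6  # assumption: all IDs discussed default to informational

# Constructed input: a subset of the logging lines from the original post.
CONFIG = """\
logging enable
logging trap errors
logging class auth trap informational
logging class vpnc trap informational
logging message 113005 level errors
"""
# The poster's workaround appended to the same configuration.
WORKAROUND = CONFIG + ("logging message 605005 level errors\n"
                       "logging message 605004 level errors\n")

def parse(config):
    """Extract the trap threshold, per-class trap thresholds and per-message levels."""
    trap, class_trap, msg_level = None, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"logging trap (\w+)", line):
            trap = SEVERITY[m[1]]
        elif m := re.fullmatch(r"logging class (\w+) trap (\w+)", line):
            class_trap[m[1]] = SEVERITY[m[2]]
        elif m := re.fullmatch(r"logging message (\d+) level (\w+)", line):
            msg_level[m[1]] = SEVERITY[m[2]]
    return trap, class_trap, msg_level

def reaches_syslog_server(config, msg_id):
    """True if msg_id passes the threshold that applies to it (simplified model)."""
    trap, class_trap, msg_level = parse(config)
    severity = msg_level.get(msg_id, DEFAULT_SEVERITY)  # per-message override wins
    cls = CLASS_BY_PREFIX.get(msg_id[:3])
    threshold = class_trap.get(cls, trap)  # class threshold, else general trap level
    return threshold is not None and severity <= threshold

if __name__ == "__main__":
    for mid in ("113004", "113008", "611101", "605005", "605004"):
        print(mid, reaches_syslog_server(CONFIG, mid), reaches_syslog_server(WORKAROUND, mid))
```

Run against a full `show running-config logging` export to list which login-related IDs an audit log would actually receive before and after a change.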


balaji.bandi
Hall of Fame

How is your AAA config, external or local?

BB

For the SSH login it's set for a RADIUS server.

For the ASDM login it's a local authentication using the local users.

aaa-server RADIUS_RSA7.1 protocol radius
aaa-server RADIUS_RSA7.1 (DMZ1) host x.x.x.x
aaa-server RADIUS_RSA7.1 (DMZ1) host x.x.x.x
aaa authentication match DMZ1_authentication DMZ1 RADIUS_RSA7.1
aaa authentication match OUTSIDE_authentication OUTSIDE RADIUS_RSA7.1
aaa authentication ssh console RADIUS_RSA7.1 LOCAL
aaa authorization command LOCAL
aaa authentication login-history