05-07-2020 01:22 PM
Hi,
This is something that's cropped up on our PCI Audit recently.
Currently we have our ASA5516-X set up to output its syslogs to a monitoring server:
logging enable
logging trap errors
logging asdm informational
logging host DMZ1 x.x.x.x
logging permit-hostdown
logging class auth trap informational
logging class vpdn trap informational
logging class vpn trap informational
logging class vpnc trap informational
logging class webvpn trap informational
logging message 113005 level errors
logging message 611102 level errors
logging message 716039 level errors
Now one of the things I've noticed is that SSH based logins to the box generate syslog messages of
113004, 113008, 611101, 605005
according to this link https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/monitor-syslog.html
Anything classed as beginning with 113 is classed as an auth type syslog message
which is fine as these are being generated for ssh logins and captured via
logging class auth trap informational
However with ASDM logins we're only seeing events of type 605005
These however are not classed as auth type messages but System type messages
The way around this we've done for now is just to add
logging message 605005 level errors
logging message 605004 level errors
to capture these on the monitoring server
But my question is, should there be a 113-style authentication message when logging on to the ASDM / GUI?
Could this be a bug / oversight / intended behaviour?
Many Thanks,
05-07-2020 04:01 PM
How is your AAA config, external or local?
05-08-2020 01:46 AM
For the ssh login it's set for a radius server
for the asdm login it's a local authentication using the local users
aaa-server RADIUS_RSA7.1 protocol radius
aaa-server RADIUS_RSA7.1 (DMZ1) host x.x.x.x
aaa-server RADIUS_RSA7.1 (DMZ1) host x.x.x.x
aaa authentication match DMZ1_authentication DMZ1 RADIUS_RSA7.1
aaa authentication match OUTSIDE_authentication OUTSIDE RADIUS_RSA7.1
aaa authentication ssh console RADIUS_RSA7.1 LOCAL
aaa authorization command LOCAL
aaa authentication login-history
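Why the 605004/605005 workaround from the first post is needed, shown as an added example that is not part of the thread and not Cisco's code: a simplified Python model of how the trap level, `logging class` and `logging message ... level` lines decide what reaches the syslog host. The default severities, the 611-to-vpnc class mapping, and the rule that a class level replaces the trap level for that class are assumptions of this sketch.

```python
import re

# Severity names used in ASA logging commands (lower number = more severe).
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Message-ID prefix -> class. 113 (auth) and 605 (system) are as stated in the
# thread; 611 -> vpnc is an assumption of this example.
CLASS_BY_PREFIX = {"113": "auth", "605": "sys", "611": "vpnc"}

# Assumed default severity of the login messages discussed (all informational).
DEFAULT_SEVERITY = {"113004": 6, "113005": 6, "113008": 6,
                    "611101": 6, "605004": 6, "605005": 6}

def parse_config(text):
    """Extract the trap level, per-class trap levels and per-message overrides."""
    cfg = {"trap": None, "class": {}, "message": {}}
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"logging trap (\w+)", line):
            cfg["trap"] = LEVELS[m.group(1)]
        elif m := re.fullmatch(r"logging class (\w+) trap (\w+)", line):
            cfg["class"][m.group(1)] = LEVELS[m.group(2)]
        elif m := re.fullmatch(r"logging message (\d+) level (\w+)", line):
            cfg["message"][m.group(1)] = LEVELS[m.group(2)]
    return cfg

def forwarded(cfg, msg_id):
    """True if msg_id would reach the syslog host under this simplified model."""
    if cfg["trap"] is None:
        return False
    severity = cfg["message"].get(msg_id, DEFAULT_SEVERITY[msg_id])
    cls = CLASS_BY_PREFIX.get(msg_id[:3])
    threshold = cfg["class"].get(cls, cfg["trap"])  # class level wins if set
    return severity <= threshold

# Subset of the logging config from the first post.
THREAD_CONFIG = """logging trap errors
logging class auth trap informational
logging class vpnc trap informational
logging message 113005 level errors
"""
# The same config plus the two lines added as the workaround.
WORKAROUND = THREAD_CONFIG + """logging message 605005 level errors
logging message 605004 level errors
"""

def report(config_text):
    """Map each login-related message ID to whether it is forwarded."""
    cfg = parse_config(config_text)
    return {mid: forwarded(cfg, mid) for mid in sorted(DEFAULT_SEVERITY)}
```

Comparing `report(THREAD_CONFIG)` with `report(WORKAROUND)` shows that only 605004 and 605005 change, which matches the ASDM login events going missing until their level was raised to errors.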