This article is intended to be a simple example of configuring AnyConnect relevant syslog messages to be sent from the ASA to a Syslog server. The syslog server in this example is Spunk but almost any syslog server should be do the job. The Syslog ID's used in this example are just a set I felt were sufficient for this article, however you can view the extensive list of syslog messages available and customize to best fit your environment.
734001
Error Message %ASA-6-734001: DAP: User user, Addr ipaddr , Connection connection : The following DAP records were selected for this connection: DAP record names
Explanation The DAP records that were selected for the connection are listed.
- IPsec
- AnyConnect
- Clientless (web browser)
- Cut-Through-Proxy
- L2TP
725007
Error Message %ASA-6-725007: SSL session with peer-type interface :src-ip /src-port to dst-ip /dst-port terminated.
Explanation The SSL session has terminated.
746012
Error Message %ASA-5-746012: user-identity: Add IP-User mapping IP Address - domain_name \user_name result - reason
Explanation A new user-IP mapping has been added to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reason is VPN user. The failure reasons include the following: Maximum user limit reached and Duplicated address.
Recommended Action None required.722051
Error Message %ASA-6-722051: Group group-policy User username IP public-ip IPv4 Address assigned-ip IPv6 Address assigned-ip assigned to session
Explanation The specified address has been assigned to the given user.
746013
Error Message %ASA-5-746013: user-identity: Delete IP-User mapping IP Address - domain_name \user_name result - reason
Explanation A change has been made to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reasons include the following: Inactive timeout, NetBIOS probing failed, PIP notification, VPN user logout, Cut-through-proxy user logout, and MAC address mismatch. The failure reason is PIP notification.
Recommended Action None required.
Note: For detailed configuration guidance please refer to the guides below.
a Configuration > Device Management > Logging > Syslog Servers
2. Syslog Setup
a. Configuration > Device Management > Logging > Syslog Setup
Choose a system log facility for syslog servers to use as a basis to file messages. The default is LOCAL(4)20, which is what most UNIX systems expect. However, because your network devices share eight available facilities, you might need to change this value for system logs. Source: ASDM Online Help.
Note: In this example. LOCAL1(17) is being used.
3. Create and Event List
a. Configuration > Device Management > Logging > Event Lists
4. Add the Event List to the Logging filter for Syslog
a. Configuration > Device Management > Logging > Logging Filters