
AnyConnect Syslog Configuration Example


This article is intended to be a simple example of configuring AnyConnect-relevant syslog messages to be sent from the ASA to a syslog server. The syslog server in this example is Splunk, but almost any syslog server should do the job. The syslog IDs used in this example are just a set I felt were sufficient for this article; however, you can view the extensive list of syslog messages available and customize it to best fit your environment.

 

 
The following are the syslogs configured in an event list on the ASA and tied to the Splunk instance. A view in Splunk of each specific message is also shown.
 
 The ASDM configuration is shown later as well as a captioned video demo. 
 

734001

Error Message %ASA-6-734001: DAP: User user, Addr ipaddr , Connection connection : The following DAP records were selected for this connection: DAP record names

Explanation The DAP records that were selected for the connection are listed.

user —The authenticated username
ipaddr —The IP address of the remote client
connection —The type of client connection, which can be one of the following:

- IPsec

- AnyConnect

- Clientless (web browser)

- Cut-Through-Proxy

- L2TP

DAP record names —The comma-separated list of the DAP record names
Recommended Action None required.
 734001.jpg
 

725007

Error Message %ASA-6-725007: SSL session with peer-type interface :src-ip /src-port to dst-ip /dst-port terminated.

Explanation The SSL session has terminated.

peer-type—Either the server or the client, depending on the device that initiated the connection
interface—The interface name that the SSL session is using
src-ip—The source IPv4 or IPv6 address
src-port—The source port number
dst-ip —The destination IP address
dst-port —The destination port number
Recommended Action None required.
 
725007.jpg

746012

Error Message %ASA-5-746012: user-identity: Add IP-User mapping IP Address - domain_name \user_name result - reason

Explanation A new user-IP mapping has been added to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reason is VPN user. The failure reasons include the following: Maximum user limit reached and Duplicated address.

Recommended Action None required.
 
746012.jpg
 
 

722051

Error Message %ASA-6-722051: Group group-policy User username IP public-ip IPv4 Address assigned-ip IPv6 Address assigned-ip assigned to session

Explanation The specified address has been assigned to the given user.

group-policy —The group policy that allowed the user to gain access
username —The name of the user
public-ip —The public IP address of the connected client
assigned-ip —The IPv4 or IPv6 address that is assigned to the client
Recommended Action None required.
 
722051.jpg
 

746013

Error Message %ASA-5-746013: user-identity: Delete IP-User mapping IP Address - domain_name \user_name result - reason

Explanation A change has been made to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reasons include the following: Inactive timeout, NetBIOS probing failed, PIP notification, VPN user logout, Cut-through-proxy user logout, and MAC address mismatch. The failure reason is PIP notification.

Recommended Action None required.

 

746013.jpg

 

113019-1.jpg

 

113019-2.jpg
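The message layouts listed above can be parsed on the syslog server side to track which user holds which assigned VPN address. The following is an added example, not part of the original article or Cisco's documentation: the patterns are built from the message templates quoted above, while the optional angle brackets around 722051 values, the `Succeeded`/`Failed` result strings, and all sample users, policy names and addresses are assumptions constructed for illustration.

```python
import re

def _v(name):  # one field value; the optional <...> wrapper is an assumption
    return rf"<?(?P<{name}>[^> ]+)>?"

HEADER = re.compile(r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<body>.*)")
MAPPING = re.compile(  # 746012 (Add) and 746013 (Delete) share one layout
    r"user-identity: (?P<op>Add|Delete) IP-User mapping (?P<assigned_ip>\S+) - "
    r"(?P<domain>[^\\ ]+) ?\\(?P<user>\S+) (?P<result>\S+) - (?P<reason>.+)")
BODY = {
    "734001": re.compile(
        r"DAP: User (?P<user>[^,]+), Addr (?P<ipaddr>[^, ]+) ?, Connection (?P<connection>[^:]+?) ?: "
        r"The following DAP records were selected for this connection: (?P<dap_records>.+)"),
    "722051": re.compile(
        f"Group {_v('group_policy')} User {_v('user')} IP {_v('public_ip')} IPv4 Address "
        f"{_v('assigned_ip')} IPv6 Address {_v('assigned_ip6')} assigned to session"),
    "725007": re.compile(
        r"SSL session with (?P<peer_type>\S+) (?P<interface>[^:]+):(?P<src_ip>[^/]+)/"
        r"(?P<src_port>\d+) to (?P<dst_ip>[^/]+)/(?P<dst_port>\d+) terminated"),
    "746012": MAPPING, "746013": MAPPING,
}

def parse_line(line):
    """Return the fields of one ASA syslog line, or None for other IDs or layouts."""
    head = HEADER.search(line)
    body = head and BODY.get(head["msg_id"])
    match = body and body.match(head["body"].strip())
    return {"msg_id": head["msg_id"], **match.groupdict()} if match else None

def active_mappings(lines):
    """Replay 746012/746013 events; return {assigned_ip: user} still mapped at the end."""
    active = {}
    for ev in filter(None, map(parse_line, lines)):
        if ev["msg_id"] not in ("746012", "746013") or ev["result"] != "Succeeded":
            continue  # "Succeeded" is an assumed result string; failures change nothing
        if ev["op"] == "Add":
            active[ev["assigned_ip"]] = ev["user"]
        else:
            active.pop(ev["assigned_ip"], None)
    return active

# Constructed sample lines: documentation addresses, made-up users and policy names.
SAMPLE = [
    "%ASA-6-722051: Group <GP-Staff> User <jdoe> IP <198.51.100.7> IPv4 Address <10.10.10.5> IPv6 Address <::> assigned to session",
    r"%ASA-5-746012: user-identity: Add IP-User mapping 10.10.10.5 - LOCAL\jdoe Succeeded - VPN user",
    r"%ASA-5-746012: user-identity: Add IP-User mapping 10.10.10.5 - LOCAL\asmith Failed - Duplicated address",
    r"%ASA-5-746012: user-identity: Add IP-User mapping 10.10.10.6 - LOCAL\asmith Succeeded - VPN user",
    r"%ASA-5-746013: user-identity: Delete IP-User mapping 10.10.10.5 - LOCAL\jdoe Succeeded - VPN user logout",
]
```

Calling `active_mappings(SAMPLE)` leaves only the mapping for `10.10.10.6`, because the failed add is ignored and the delete removes the earlier entry.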

ASDM Configuration

Note: For detailed configuration guidance please refer to the guides below.

ASA Configuration Guide 

ASDM Configuration Guide

 

1. Define the Syslog Server

a. Configuration > Device Management > Logging > Syslog Servers

 

asdm-1.jpg

 

2.  Syslog Setup

a. Configuration > Device Management > Logging > Syslog Setup

Choose a system log facility for syslog servers to use as a basis to file messages. The default is LOCAL4(20), which is what most UNIX systems expect. However, because your network devices share eight available facilities, you might need to change this value for system logs. Source: ASDM Online Help.

 

Note: In this example, LOCAL1(17) is being used.

asdm-2.jpg

 

3. Create an Event List

a. Configuration > Device Management > Logging > Event Lists

 

asdm-3.jpg

 

4. Add the Event List to the Logging filter for Syslog

a. Configuration > Device Management > Logging > Logging Filters

 

 

asdm-4.jpg

 

 

DEMO