
Logging VPN events on Cisco IOS and ASA


System logging is a method of collecting messages from devices, either on a remote server or locally on the device (the logging buffer).

 

ASA VPN Logging

The logging class commands let us segregate the specific logs we want to capture. They can be sent to ASDM, the console, the buffer, the monitor, or an external server.

Logging timestamp: Adds a timestamp to the logs.

Logging class ca: Useful for certificate authentication problems on Site-to-Site and AnyConnect.

Logging class csd: Logs the events related to the Cisco Secure Desktop and Hostscan.

Logging class dap: Logs the events related to the Dynamic Access Policy for the VPN client.

Logging class svc: Logs events related to AnyConnect connections.

Logging class vpdn: Logs events related to PPTP and L2TP.

Logging class vpn: Logs events related to the ISAKMP and IPsec process.

Logging class vpnc: Logs events related to the VPN IPsec client.

Logging class vpnfo: Logs events related to the VPN in a failover environment.

Logging class vpnlb: Logs events related to the VPN in a load balance environment.

Logging class webfo: Logs events related to the webvpn in a failover environment.

Logging class webvpn: Logs events related to the webvpn process.

Logging class auth: Useful to check the AAA logs of the VPN clients.


Example of the use of the command:

ciscoasa(config)# logging class csd asdm  ?

configure mode commands/options:
  <0-7>          Enter syslog level (0 - 7)
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
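
An added example (not from the original document or from Cisco): a small Python triage script that groups ASA syslog lines by the logging classes listed above and emulates the severity threshold of a "logging class" command. The message-ID prefix map is an assumption to verify against the syslog guide for your ASA version, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: message-ID prefix -> logging class, per Cisco's syslog class
# table; verify against the syslog guide for your ASA version.
CLASS_BY_PREFIX = {
    "109": "auth", "113": "auth", "717": "ca", "724": "csd", "734": "dap",
    "722": "svc", "213": "vpdn", "403": "vpdn", "603": "vpdn",
    "713": "vpn", "714": "vpn", "715": "vpn", "611": "vpnc",
    "720": "vpnfo", "718": "vpnlb", "721": "webfo", "716": "webvpn",
}
SEVERITY = ["emergencies", "alerts", "critical", "errors", "warnings",
            "notifications", "informational", "debugging"]
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")

def parse(line):
    """Return a dict for one ASA syslog line, or None if it is not one."""
    m = ASA_RE.search(line)
    if not m:
        return None
    return {"id": m["id"], "severity": int(m["sev"]), "text": m["text"],
            "class": CLASS_BY_PREFIX.get(m["id"][:3], "other")}

def select(lines, log_class, level):
    """Emulate 'logging class <log_class> <destination> <level>': keep that
    class's messages whose severity number is <= the configured level."""
    max_sev = SEVERITY.index(level)
    return [e for e in filter(None, map(parse, lines))
            if e["class"] == log_class and e["severity"] <= max_sev]

def summarize(lines):
    """Count parsed messages per (class, severity name)."""
    return Counter((e["class"], SEVERITY[e["severity"]])
                   for e in filter(None, map(parse, lines)))

# Constructed sample lines with abbreviated text, not from a real device.
SAMPLE = [
    "Jan 12 2024 10:15:01: %ASA-6-713228: Group = TG, Username = alice, IP = 203.0.113.7, Assigned private IP address 10.0.0.5",
    "Jan 12 2024 10:15:02: %ASA-4-713903: Group = TG, IP = 203.0.113.9, Information Exchange processing failed",
    "Jan 12 2024 10:15:03: %ASA-6-722022: Group <GP> User <alice> IP <203.0.113.7> TCP SVC connection established",
    "Jan 12 2024 10:20:00: %ASA-4-113019: Group = TG, Username = alice, IP = 203.0.113.7, Session disconnected.",
    "Jan 12 2024 10:21:00: %ASA-3-717009: Certificate validation failed.",
    "Jan 12 2024 10:22:00: %ASA-6-734001: DAP: User alice, Addr 203.0.113.7, Connection AnyConnect",
    "Jan 12 2024 10:23:00: %ASA-6-302013: Built inbound TCP connection 1 for outside:203.0.113.7/5000",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(key, n)
    print([e["id"] for e in select(SAMPLE, "vpn", "warnings")])
```
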


Router VPN logging:

service timestamps debug datetime msec: Add a timestamp in microseconds to the debugs.

service timestamps log datetime msec: Add a timestamp in microseconds to the logs.

Logging dmvpn: Logs events related to DMVPN.

Crypto logging ezvpn: Logs events related to the EZVPN connections.

Crypto logging ikev2: Logs events related to the IKEv2 sessions.

Crypto logging session: Logs events related to up/down status of the IPsec tunnels.

 

If you need more information on the router, you can enable the following debugs:

  • debug crypto isakmp
  • debug crypto isakmp error
  • debug crypto isakmp ha
  • debug crypto ipsec
  • debug crypto ipsec error
  • debug crypto routing
  • debug crypto ha
  • debug crypto engine error
  • debug crypto engine packet

 

Hope it helps

- Randy -

Comments
alvanorichie
Beginner

I am having issues with consistent field extraction using the cisco:asa sourcetype. The fields are very inconsistently parsed, many times making 4 or 5 events out of a single event, even separating a line in the middle of a word.

I am currently accepting syslog for these devices using rsyslog, and I am monitoring the file generated for the specific device on the local filesystem. I am running version 3.2.0 of the Splunk Add-on for Cisco ASA. I am running version 3.0.3 of Cisco Security Suite. Am I missing something? VPN is Express
