08-05-2021 12:34 PM
Hello,
How can I find logs in CSM for users who tried a wrong password/username?
Is there a way to find, from Cisco Security Manager, the usernames of those who failed to authenticate on the ASA for AnyConnect VPN?
Which Event ID is responsible for logging this?
08-05-2021 12:49 PM
Try this syslog message: 109006
Error Message %ASA-6-109006: Authentication failed for user user from inside_address/inside_port to outside_address/outside_port on interface interface_name.
Explanation The specified authentication request failed, possibly because of an incorrect password. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured.
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4769484
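Added example, not part of the original reply or of Cisco's documentation: a Python sketch that extracts usernames from 109006 messages in the format quoted above and counts failures per user. The sample lines and their syslog headers are constructed, and treating an empty or asterisk-masked user field as "hidden" is an assumption about how the hidden username appears in the stored message.

```python
import re
from collections import Counter

# Built from the 109006 format quoted above. The header in front of
# "%ASA-6-109006" depends on the collector, so it is not matched.
MSG_109006 = re.compile(
    r"%ASA-6-109006: Authentication failed for user\s+(?P<user>.*?)\s*"
    r"from (?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) "
    r"on interface (?P<ifname>\S+?)\.?\s*$"
)

def parse_109006(line):
    """Return the fields of one 109006 message, or None for any other line."""
    m = MSG_109006.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    user = rec["user"]
    # Assumption: a hidden username is stored as an empty field or as asterisks.
    rec["user_hidden"] = user == "" or set(user) == {"*"}
    return rec

def failed_users(lines):
    """Count failures per visible username, plus failures with a hidden name."""
    named, hidden = Counter(), 0
    for line in lines:
        rec = parse_109006(line)
        if rec is None:
            continue
        if rec["user_hidden"]:
            hidden += 1
        else:
            named[rec["user"]] += 1
    return named, hidden

# Constructed sample input (documentation address ranges, made-up users).
SAMPLE_LINES = [
    "Aug 05 2021 12:31:07 asa01 : %ASA-6-109006: Authentication failed for user jsmith from 192.0.2.10/51000 to 198.51.100.1/443 on interface outside.",
    "Aug 05 2021 12:31:40 asa01 : %ASA-6-109006: Authentication failed for user ***** from 192.0.2.12/50113 to 198.51.100.1/443 on interface outside.",
    "Aug 05 2021 12:32:02 asa01 : %ASA-6-109006: Authentication failed for user jsmith from 192.0.2.10/51004 to 198.51.100.1/443 on interface outside.",
    "Aug 05 2021 12:33:15 asa01 : %ASA-6-109006: Authentication failed for user akumar from 192.0.2.44/49822 to 198.51.100.1/443 on interface outside.",
    "Aug 05 2021 12:33:20 asa01 : constructed line that is not a 109006 message",
]

if __name__ == "__main__":
    named, hidden = failed_users(SAMPLE_LINES)
    for user, count in named.most_common():
        print(f"{user}: {count} failed attempt(s)")
    print(f"hidden username: {hidden} failed attempt(s)")
```

A nonzero hidden count means some attempts cannot be attributed to a username from these messages alone, which matches the explanation quoted above.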
08-05-2021 01:15 PM
08-05-2021 01:55 PM
Is the ASA even configured to send those syslog events to CSM?
08-06-2021 05:26 AM
Hello @Rob Ingram
I have the below configured on the ASA to send to CSM:
logging enable
logging buffer-size 100000
logging buffered debugging
logging trap debugging
logging asdm informational
logging host Inside CSM_IP
logging class auth console debugging
logging class webvpn console debugging
logging class svc console debugging
logging class ssl console debugging
08-10-2021 05:08 AM