02-17-2011 10:55 AM
I would like to be able to use the syslog messages that come off of the ASA to monitor VPN connection attempts (successful and unsuccessful). Looking at the system messages there are several codes that pertain to this.
I'm wondering if anyone has a good way to use syslog to do this? Are there certain codes that can be used for this information?
Thanks.
Labels: VPN
Accepted Solutions
02-21-2011 07:08 AM
You can configure the ASA to send syslog messages when the user connects and disconnects. There are a few kinds of "remote access" VPN like IPsec, webvpn/clientless, anyconnect/ssl vpn client that you can track.
If you are using Clientless SSL VPN the syslogs usually begin with 716xxx. For example the syslog for connect is 716001 and disconnect is 716002. There is a list of other Clientless SSL VPN related messages here. You can view the specific content of each log here:
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4776913
If you are using SSL VPN Client (SVC1.x,AnyConnect 2.x) the syslogs usually begin with 722xxx. For example, the syslog for connect is 722022 and disconnect is 722023. There is a list of other SSL VPN Client related messages here
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4778697
If you are using IPsec client VPN you can track a successful connect with 713119 (indicates Phase 1 complete), 713049 (indicates Phase 2 complete) and disconnect with 113019. There is an additional IPsec syslog 713049 you might want to track for IPsec.
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775678
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775412
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769539
Here are some other helpful notes to keep in mind:
-You can tell what levels of logging you currently have on the ASA command line with "show log"
-The logs that you send to a syslog server are controlled with the "Trap logging" commands. For example "logging trap informational" (level 6) or "logging trap alerts" (level 1)
-You can tell what severity level (i.e. alerts, critical, errors, warnings, notifications, informational, debugging) each of these logs has through this link. As you'll notice by checking the link, the ones tracking login or logout as I noted above are usually informational (sev 6):
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logsevp.html
-If you want to create a specific subset of syslogs to send to a particular device, you can accomplish this with a logging class or a logging list:
For example (logging class):
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1065253
logging class vpnc trap informational
For example (logging list):
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1065512
logging list mylist message 722022
logging list mylist message 722023
logging trap mylist
Please remember to rate the posts that helped you and to mark the question as resolved if your question has been answered.
-heather
02-17-2011 11:03 AM
Hi,
There are several syslogs for VPN. For the IPsec Cisco VPN Client, look into these:
Ipsec phase 1-2 related
Syslog 713120
Syslog 713119
syslog 713049
RA user related
syslog ID: 113015 user authentication Rejected : reason = Invalid password : local database : user =
Syslog: ID 713184 Group = ciscovpn_ra_access, Username =
Syslog: ID 113012 AAA user authentication Successful : local database : user = username
You could watch the ASDM real-time log and look at the syslog IDs to spot the ones you want, or check the syslog IDs below in the link.
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/syslog.html
Hope it helps.
Federico.
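The message IDs named in the accepted answer and in Federico's reply, run through a small detection script, as an added example that is not code from this thread or from Cisco. It assumes the standard `%ASA-<severity>-<id>:` prefix; the sample log lines are constructed for the example (hypothetical users, RFC 5737 addresses) and only approximate the wording of the real messages, which is why the parser keys on the numeric ID and pulls Group/User/IP out with tolerant patterns rather than matching exact text. It tracks open sessions by connect/disconnect pairs, counts 113015 failures per user, and the `logging_list_config()` helper generates the `logging list` fragment from heather's post for every ID in the table.

```python
import re
from collections import Counter

# Syslog IDs named in the thread, mapped to (vpn_type, event).  113019 fires for
# every remote-access session type, so it is the one "session ended" signal to
# rely on; the 7160xx/7220xx pairs additionally tell you which client was used.
VPN_EVENTS = {
    "716001": ("clientless", "connect"),
    "716002": ("clientless", "disconnect"),
    "722022": ("anyconnect", "connect"),
    "722023": ("anyconnect", "disconnect"),
    "713119": ("ipsec", "phase1_complete"),
    "713049": ("ipsec", "phase2_complete"),  # tunnel is usable: treated as connect
    "713184": ("ipsec", "client_info"),
    "113019": ("any", "disconnect"),
    "113012": ("aaa", "auth_success"),
    "113015": ("aaa", "auth_failure"),
}
CONNECT_IDS = {"716001", "722022", "713049"}
DISCONNECT_IDS = {"716002", "722023", "113019"}

# "%ASA-<severity>-<id>: <body>"; whatever precedes it (timestamp, hostname) is ignored.
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<body>.*)$")
# Field wording differs by message family: "Group X User Y IP Z" vs "Group = X, Username = Y, IP = Z".
GROUP_RE = re.compile(r"\bGroup\s*=?\s*(?P<v>[^\s,]+)")
USER_RE = re.compile(r"(?:\bUsername\s*=\s*|\bUser\s+|\buser\s*=\s*)(?P<v>[^\s,]+)")
IP_RE = re.compile(r"\bIP\s*=?\s*(?P<v>\d{1,3}(?:\.\d{1,3}){3})")
REASON_RE = re.compile(r"\b[Rr]eason\s*[=:]\s*(?P<v>[^:]+?)\s*(?::|$)")

# Constructed sample (hypothetical users, RFC 5737 addresses); the text approximates
# the real messages, which is why parsing keys on the ID rather than the wording.
SAMPLE_LOG = """\
Feb 17 2011 10:55:01 asa-edge %ASA-6-722022: Group RA-Users User jdoe IP 203.0.113.5 TCP SVC connection established without compression
Feb 17 2011 10:55:02 asa-edge %ASA-6-716001: Group RA-Users User asmith IP 198.51.100.7 WebVPN session started.
Feb 17 2011 10:56:10 asa-edge %ASA-6-113012: AAA user authentication Successful : local database : user = jdoe
Feb 17 2011 10:57:20 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bwayne
Feb 17 2011 10:57:21 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bwayne
Feb 17 2011 10:57:22 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bwayne
Feb 17 2011 10:58:00 asa-edge %ASA-3-713119: Group = ciscovpn_ra_access, Username = ckent, IP = 192.0.2.44, PHASE 1 COMPLETED
Feb 17 2011 10:58:01 asa-edge %ASA-3-713049: Group = ciscovpn_ra_access, Username = ckent, IP = 192.0.2.44, Security negotiation complete for User (ckent) Responder, Inbound SPI = 0x1a2b3c4d, Outbound SPI = 0x5e6f7a8b
Feb 17 2011 11:30:00 asa-edge %ASA-6-722023: Group RA-Users User jdoe IP 203.0.113.5 TCP SVC connection terminated without compression
Feb 17 2011 11:30:01 asa-edge %ASA-4-113019: Group = RA-Users, Username = jdoe, IP = 203.0.113.5, Session disconnected. Session Type: SSL, Duration: 0h:35m:00s, Bytes xmt: 12345, Bytes rcv: 67890, Reason: User Requested
Feb 17 2011 11:31:00 asa-edge %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.0.5/51234 (203.0.113.1/51234)
"""


def parse_line(line):
    """Return a dict for a VPN-relevant ASA message, or None for anything else."""
    m = ASA_RE.search(line)
    if not m or m.group("id") not in VPN_EVENTS:
        return None
    vpn_type, event = VPN_EVENTS[m.group("id")]
    body = m.group("body")

    def grab(rx):
        hit = rx.search(body)
        return hit.group("v") if hit else None

    return {"id": m.group("id"), "severity": int(m.group("sev")),
            "vpn_type": vpn_type, "event": event, "group": grab(GROUP_RE),
            "user": grab(USER_RE), "ip": grab(IP_RE), "reason": grab(REASON_RE)}


def summarize(lines, fail_threshold=3):
    """Fold messages into event counts, open sessions and repeated-failure suspects."""
    events, failures, open_sessions, ignored = Counter(), Counter(), {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            ignored += 1
            continue
        events[(rec["vpn_type"], rec["event"])] += 1
        if rec["id"] == "113015":
            failures[rec["user"]] += 1  # no client IP in this message: key on user
        elif rec["id"] in CONNECT_IDS:
            open_sessions[rec["user"]] = (rec["vpn_type"], rec["ip"])
        elif rec["id"] in DISCONNECT_IDS:
            # 722023/716002 and 113019 both fire for one teardown; pop() tolerates the second
            open_sessions.pop(rec["user"], None)
    return {"events": events, "failed_auth_by_user": failures,
            "suspects": sorted(u for u, n in failures.items() if n >= fail_threshold),
            "open_sessions": open_sessions, "ignored": ignored}


def logging_list_config(name="vpn-events"):
    """ASA CLI fragment that ships only the IDs in VPN_EVENTS to the syslog server."""
    lines = [f"logging list {name} message {mid}" for mid in sorted(VPN_EVENTS)]
    return "\n".join(lines + [f"logging trap {name}"])


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for (vpn_type, event), n in sorted(report["events"].items()):
        print(f"{vpn_type:>10} {event:<16} {n}")
    print("failed auth:", dict(report["failed_auth_by_user"]), "suspects:", report["suspects"])
    print("open sessions:", report["open_sessions"], "ignored:", report["ignored"])
    print(logging_list_config())
```

Two points the script is built around: the 113015 rejection line, as shown in Federico's reply, names the user but not the client address, so repeated-failure detection has to key on the username; and an AnyConnect teardown produces both 722023 and 113019, so the session table is updated idempotently rather than counting each disconnect message as a separate session. The severities on the constructed lines are illustrative only; before relying on a `logging trap <level>` filter, check each ID's level in the message guide linked above, or sidestep the question with a `logging list` by message ID as the accepted answer suggests.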
02-21-2011 06:20 AM
I'd been looking at the doc you referenced and syslog events. I just wanted to know if anyone had a good list of codes I could look at for this purpose. Your list gives me a good whittled-down starting point.
Thanks for the reply.
02-21-2011 07:39 AM
You guys rock!!! Thanks for helping me out. This information is great and will help me out tremendously.
06-02-2020 10:35 AM
