cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
818
Views
40
Helpful
22
Replies
wynneitmgr
Participant

User Login History

We have an ASA 5508 firewall and we use Cisco AnyConnect VPN for remote access for our users. I also use ASDM 7.9 to monitor and setup rules on firewall. I looked through SYSLOG and cannot find where I can see user login history to the VPN. Is there any easy way to do this? Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions

Ok, try this:-

 

no logging mail Config_Changes
logging list Config_Changes message 716001
logging mail Config_Changes

 This will hopefully remove the list, allow you to modify and then re-enable the list.

View solution in original post

22 REPLIES 22
Rob Ingram
VIP Mentor

Hi @wynneitmgr 

The ASA generates a syslog message 716001 when a user logs and 716002 when they logoff.

What have you configured for logging?

 

 

@Rob Ingram 

 

I think just default settings, not sure how to check this. Will the logs show the username and time they logged in? I searched the SYSLOG for 716001 and got no results but I know I have users logging in to AnyConnect. Thanks for the help!

@wynneitmgr 

If you run "show run logging" from the ASA CLI and provide the output for review, we should be able to determine what you've got configured.

@Rob Ingram 

 

Result of the command: "show run logging"

logging enable
logging list Config_Changes level emergencies
logging list Config_Changes message 113019
logging list Config_Changes message 111007-111009
logging list Config_Changes message 113012
logging buffer-size 1048576
logging buffered informational
logging asdm notifications
logging mail Config_Changes
logging from-address administrator@wynnetr.com
logging recipient-address thunter@wynnetr.com level alerts
logging class auth mail alerts

Hi @wynneitmgr 

Add the syslog message I provided in the first response to the config_changes list, similar to the other messages

@Rob Ingram 

 

Can you please show me the steps to this, I am not really sure how to do what you are mentioning.

 

Also, from the output can you tell if the logs will show user logins for the past weekend?

Hi @wynneitmgr 

Try the following to get notifications for login events:-

logging list Config_Changes message 716001

No you won't get old login events, only new login events from the time you configured the command above.

@Rob Ingram 

I get an error when trying to run that command

5484523840c515c07a3c80ade05f8a0d.png

@wynneitmgr 

Sorry not that familar using ASDM, are you able to copy and paste that command when using the CLI? - login to the ASA using ssh application such as putty.

@Rob Ingram 

 

Tried the command in Putty and getting error, looks like it might just be a typo or something not sure. Also, how far back do the logs go, can that be custom set?

asa1.png

@wynneitmgr 

Before you paste those commands, you need to enter configuration mode.

Type the command "conf t" then press enter

You can then paste that command.

@Rob Ingram 

after using "conf t", I still get the error

asa2.png

Ok, try this:-

 

no logging mail Config_Changes
logging list Config_Changes message 716001
logging mail Config_Changes

 This will hopefully remove the list, allow you to modify and then re-enable the list.

View solution in original post

@Rob Ingram 

okay, I ran all 3 commands without any errors. how can I check to see if it is working? thank you!