07-06-2021 09:23 AM
We have an ASA 5508 firewall and we use Cisco AnyConnect VPN for remote access for our users. I also use ASDM 7.9 to monitor and setup rules on firewall. I looked through SYSLOG and cannot find where I can see user login history to the VPN. Is there any easy way to do this? Thank you.
Solved! Go to Solution.
07-08-2021 06:11 AM
Ok, try this:-
no logging mail Config_Changes
logging list Config_Changes message 716001
logging mail Config_Changes
This will hopefully remove the list, allow you to modify and then re-enable the list.
07-06-2021 09:28 AM
Hi @wynneitmgr
The ASA generates a syslog message 716001 when a user logs and 716002 when they logoff.
What have you configured for logging?
07-06-2021 03:13 PM
I think just default settings, not sure how to check this. Will the logs show the username and time they logged in? I searched the SYSLOG for 716001 and got no results but I know I have users logging in to AnyConnect. Thanks for the help!
07-07-2021 12:15 AM
If you run "show run logging" from the ASA CLI and provide the output for review, we should be able to determine what you've got configured.
07-07-2021 03:35 AM
Result of the command: "show run logging"
logging enable
logging list Config_Changes level emergencies
logging list Config_Changes message 113019
logging list Config_Changes message 111007-111009
logging list Config_Changes message 113012
logging buffer-size 1048576
logging buffered informational
logging asdm notifications
logging mail Config_Changes
logging from-address administrator@wynnetr.com
logging recipient-address thunter@wynnetr.com level alerts
logging class auth mail alerts
07-07-2021 05:02 AM
Hi @wynneitmgr
Add the syslog message I provided in the first response to the config_changes list, similar to the other messages
07-07-2021 11:40 AM
Can you please show me the steps to this, I am not really sure how to do what you are mentioning.
Also, from the output can you tell if the logs will show user logins for the past weekend?
07-07-2021 11:44 AM
Hi @wynneitmgr
Try the following to get notifications for login events:-
logging list Config_Changes message 716001
No you won't get old login events, only new login events from the time you configured the command above.
07-08-2021 05:09 AM
07-08-2021 05:18 AM
Sorry not that familar using ASDM, are you able to copy and paste that command when using the CLI? - login to the ASA using ssh application such as putty.
07-08-2021 05:21 AM
Tried the command in Putty and getting error, looks like it might just be a typo or something not sure. Also, how far back do the logs go, can that be custom set?
07-08-2021 06:04 AM
Before you paste those commands, you need to enter configuration mode.
Type the command "conf t" then press enter
You can then paste that command.
07-08-2021 06:07 AM
07-08-2021 06:11 AM
Ok, try this:-
no logging mail Config_Changes
logging list Config_Changes message 716001
logging mail Config_Changes
This will hopefully remove the list, allow you to modify and then re-enable the list.
07-08-2021 06:15 AM
okay, I ran all 3 commands without any errors. how can I check to see if it is working? thank you!
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: