Solved: Re: User Login History

wynneitmgr · ‎07-06-2021

We have an ASA 5508 firewall and we use Cisco AnyConnect VPN for remote access for our users. I also use ASDM 7.9 to monitor and setup rules on firewall. I looked through SYSLOG and cannot find where I can see user login history to the VPN. Is there any easy way to do this? Thank you.

Rob Ingram · ‎07-08-2021

Ok, try this:-

no logging mail Config_Changes
logging list Config_Changes message 716001
logging mail Config_Changes

This will hopefully remove the list, allow you to modify and then re-enable the list.

View solution in original post

Rob Ingram · ‎07-06-2021

Hi @wynneitmgr

The ASA generates a syslog message 716001 when a user logs and 716002 when they logoff.

What have you configured for logging?

wynneitmgr · ‎07-06-2021

@Rob Ingram

I think just default settings, not sure how to check this. Will the logs show the username and time they logged in? I searched the SYSLOG for 716001 and got no results but I know I have users logging in to AnyConnect. Thanks for the help!

Rob Ingram · ‎07-07-2021

@wynneitmgr

If you run "show run logging" from the ASA CLI and provide the output for review, we should be able to determine what you've got configured.

wynneitmgr · ‎07-07-2021

@Rob Ingram

Result of the command: "show run logging"

logging enable
logging list Config_Changes level emergencies
logging list Config_Changes message 113019
logging list Config_Changes message 111007-111009
logging list Config_Changes message 113012
logging buffer-size 1048576
logging buffered informational
logging asdm notifications
logging mail Config_Changes
logging from-address administrator@wynnetr.com
logging recipient-address thunter@wynnetr.com level alerts
logging class auth mail alerts

Rob Ingram · ‎07-07-2021

Hi @wynneitmgr

Add the syslog message I provided in the first response to the config_changes list, similar to the other messages

wynneitmgr · ‎07-07-2021

@Rob Ingram

Can you please show me the steps to this, I am not really sure how to do what you are mentioning.

Also, from the output can you tell if the logs will show user logins for the past weekend?

Rob Ingram · ‎07-07-2021

Hi @wynneitmgr

Try the following to get notifications for login events:-

logging list Config_Changes message 716001

No you won't get old login events, only new login events from the time you configured the command above.

wynneitmgr · ‎07-08-2021

@Rob Ingram

I get an error when trying to run that command

Rob Ingram · ‎07-08-2021

@wynneitmgr

Sorry not that familar using ASDM, are you able to copy and paste that command when using the CLI? - login to the ASA using ssh application such as putty.

wynneitmgr · ‎07-08-2021

@Rob Ingram

Tried the command in Putty and getting error, looks like it might just be a typo or something not sure. Also, how far back do the logs go, can that be custom set?

Rob Ingram · ‎07-08-2021

@wynneitmgr

Before you paste those commands, you need to enter configuration mode.

Type the command "conf t" then press enter

You can then paste that command.

wynneitmgr · ‎07-08-2021

@Rob Ingram

after using "conf t", I still get the error

Rob Ingram · ‎07-08-2021

Ok, try this:-

no logging mail Config_Changes
logging list Config_Changes message 716001
logging mail Config_Changes

This will hopefully remove the list, allow you to modify and then re-enable the list.

wynneitmgr · ‎07-08-2021

@Rob Ingram

okay, I ran all 3 commands without any errors. how can I check to see if it is working? thank you!