Configuring [Custom] Syslogs on a Cisco ASA 5550

by gorthx

Configuring logging on a Cisco ASA 5550 isn’t too tricky, but I found the docs lacking in examples, so figured I’d post mine.

Using the Cisco ASDM, the parameters you need to modify are in the Configuration -> Device Management -> Logging hierarchy. (I’m sorry there aren’t any pictures to go with this; hopefully you can follow along via the breadcrumbs in the ASDM.)

1. First, enable logging:
Configuration -> Device Management -> Logging -> Logging Setup
Make sure the “Enable Logging” box is checked.

2. Specify parameters for the destination server:
Configuration -> Device Management -> Logging -> Syslog Servers
Click “Add”.
Select the source interface (probably “internal”).
Enter the IP address of the server.
Select an appropriate protocol & port (UDP and 514 are the defaults).

3. Configure your logging facility:
Configuration -> Device Management -> Logging -> Syslog Setup
Choose your facility (0-7). Because I have one central server that handles all my logging, I usually set this to something special to allow me to split out the messages into different log files. (This is a configuration parameter in /etc/syslog.conf and is covered in another post.)

4. Configure the severity level you want to log:
Configuration -> Device Management -> Logging -> Logging Filters
Select “Syslog Servers” and click “Edit”.
Filter on Server -> Notifications (logging level 5; you’ll get every message between the Emergency and Notification levels, inclusive).

Verify that you are receiving messages on the syslog server. You can stop here if this is all you want.

We, however, decided that we wanted to include these messages:
%ASA-6-713228: Group = [group], Username = [user], IP = [external_ip], Assigned private IP address [internal_ip] to remote user
…but these are “informational” messages (note the “6” in the second message field). So we tried bumping up our logging level, and were promptly overwhelmed with a lot of other stuff we didn’t want to read. (Informational level is chatty.) What we really want is to log at the Notification level, but also include messages with ID 713228.

Tip: don’t rely on the syslog message reference (or on this post, for that matter) to tell you which messages you might want to log – look at your own logs. The message texts in the logs won’t necessarily match those in the docs.

There are a couple of ways to configure custom logging of this type:

1. Simplest:
Configuration -> Device Management -> Logging -> Syslog Setup
Find the message ID (713228 in our case) in the “Syslog ID Setup” window.
Select the message ID, click “Edit” and change the level to “Notifications”.
Click “OK” to finish.

Apply and save your changes.

Here’s what Option #1 looks like from the cli:
vpn# sh run | include logging
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging facility 22
logging host internal [ip]
logging message 713228 level notifications

(Logging facility 22 corresponds to local6; see http://en.wikipedia.org/wiki/Syslog)

OR

2. More complex:
Configuration -> Device Management -> Logging -> Event Lists
Click “Add”.
Give it a name (no spaces), e.g. gabs_test.

Configure the base event class and/or severity:
Under “Event Class/Severity Filters”, click “Add”.
Leave “Event Class” set to “All”*; select “Notifications” under “Severity”; click “OK”.

*Apparently the first three numbers of the message are associated with the event class, but I was unable to find a reference doc that specified which were which. That doesn’t matter here because we want all Notifications, regardless of event class.

Then add the additional specific message ID we’re interested in:
Under “Message ID Filters”, click “Add”, then enter the message ID (again, 713228); click “OK”.

Click “OK” one more time to save your new Event List.

Now apply the Event List you just created to the appropriate destination (syslogs, in our case):
Configuration -> Device Management -> Logging -> Logging Filters
Select “Syslog Servers” and click “Edit”.
Check the “Use Event List” button, select your list, and click “OK”. Notice that the event list now appears in the “All Event Classes” field.

Apply and save your changes.

Here’s what Option #2 looks like from the cli:
vpn# sh run | include logging
logging enable
logging timestamp
logging list gabs_test level notifications
logging list gabs_test message 713228
logging trap gabs_test
logging asdm informational
logging facility 22
logging host internal [ip]
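Both option #1 and option #2 end up selecting the same set of messages: everything at Notifications or more severe, plus message 713228 whatever its own level. The script below models that selection on the receiving side so you can confirm the syslog server is getting exactly what was configured. It is an added example, not code from this post or from Cisco: it decodes the syslog PRI header to show why “logging facility 22” arrives as local6, parses the %ASA-<severity>-<id> header, and applies the event-list rule to a few constructed sample lines. The sample timestamps, hostnames, addresses and message texts are made up for illustration; only 713228 comes from the post.

```python
"""
Receiver-side model of the ASA logging policy from the post
(added example; not the post's own code and not a Cisco tool).

Selection rule, equivalent to the event list 'gabs_test':
  - every message at severity 0..5 (emergencies .. notifications), plus
  - message ID 713228 regardless of its own severity.
"""
import re
from typing import Optional, Tuple

# Syslog facility numbers 16..23 are local0..local7 (RFC 3164), so the
# post's "logging facility 22" lands in local6 on the receiving server.
LOCAL_FACILITIES = {16 + i: f"local{i}" for i in range(8)}

# ASA severity names indexed by numeric level (0 = emergencies .. 7 = debugging).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# <PRI>, optional timestamp/hostname, then the ASA header %ASA-<sev>-<6-digit id>: text
ASA_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>[^%]*%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a syslog PRI into (facility, severity); PRI = facility * 8 + severity."""
    return pri // 8, pri % 8


def facility_name(facility: int) -> str:
    return LOCAL_FACILITIES.get(facility, f"facility{facility}")


def parse_asa_line(line: str) -> Optional[dict]:
    """Return the fields of one ASA syslog line, or None if it is not an ASA message."""
    m = ASA_LINE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {
        "facility": facility_name(facility),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        # The digit inside %ASA-n- should agree with the PRI severity; keep both to spot drift.
        "header_severity": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "text": m.group("text"),
    }


def make_event_list(level: int, extra_ids: frozenset):
    """Equivalent of 'logging list <name> level <level>' plus one
    'logging list <name> message <id>' per extra ID: keep a message when its
    severity is numerically <= level OR its ID is explicitly listed."""
    def keep(msg: dict) -> bool:
        return msg["severity"] <= level or msg["msgid"] in extra_ids
    return keep


# The post's policy: notifications (5) plus message 713228.
GABS_TEST = make_event_list(level=5, extra_ids=frozenset({"713228"}))

# Constructed sample feed from facility 22 (local6): PRI = 22*8 + severity.
# Texts and all IDs other than 713228 are illustrative, not copied from a real device.
SAMPLE_LINES = [
    "<181>Jan 10 2012 09:00:01 vpn : %ASA-5-111008: User 'admin' executed the 'logging trap notifications' command.",
    "<182>Jan 10 2012 09:00:05 vpn : %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:192.0.2.20/443 (192.0.2.20/443)",
    "<182>Jan 10 2012 09:00:07 vpn : %ASA-6-713228: Group = remote_users, Username = jdoe, IP = 203.0.113.10, Assigned private IP address 192.0.2.101 to remote user",
    "<180>Jan 10 2012 09:00:09 vpn : %ASA-4-106023: Deny tcp src outside:203.0.113.10/51235 dst inside:192.0.2.20/22 by access-group \"outside_in\"",
    "<183>Jan 10 2012 09:00:11 vpn : %ASA-7-609001: Built local-host inside:192.0.2.20",
    "not an ASA line at all",
]


def select_messages(lines, keep=GABS_TEST) -> list:
    """Apply the event-list policy to raw lines; return the message IDs that pass."""
    kept = []
    for line in lines:
        msg = parse_asa_line(line)
        if msg is not None and keep(msg):
            kept.append(msg["msgid"])
    return kept


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_asa_line(line)
        if msg:
            print(f"{msg['facility']:7} {msg['severity_name']:14} {msg['msgid']} keep={GABS_TEST(msg)}")
    print("kept:", select_messages(SAMPLE_LINES))
```

Run against a capture from your own server (for example the lines rsyslog or syslog-ng writes for local6) and compare the kept IDs with what you expected; a 713228 that never shows up, or a flood of other level-6 IDs, tells you which of the two configurations did not take.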

Why would you select one method over the other? Method #1 is certainly easier, but it does require you to remember that you’ve altered the default behavior. Method #2 is a bit more complicated to set up, but it’s more obvious that you’re doing something special due to the “Event list” keyword in the Logging Filters page, so that’s the method I ultimately chose.

Tip: You can’t rename or copy a filter (boo!) so choose your name carefully.

Tip: You also can’t edit a filter while it’s in use – you need to remove it from the destination under “Logging Filters”, apply/save, edit the filter, apply/save, re-enable it for the destination, and apply/save.

Obviously, there is a lot more you could do with this, by creating different custom filters and then applying them to different email destinations. I’ll save that for the next rainy weekend.

Reference: http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/monitor_syslog.html

2 Responses to “Configuring [Custom] Syslogs on a Cisco ASA 5550”

  1. Thanks, your article gave me some clues about how to set up the logging.
