Altering [Custom] Syslogs on a Cisco ASA 5550

by gorthx

Since last time, I’ve made a couple of additions to my event list, and my custom logging filter now looks like this:

vpn# sh run | include logg
logging enable
logging timestamp
logging list gabs_test level notifications
logging list gabs_test message 713228
logging list gabs_test message 113006
logging list gabs_test message 302010
logging list gabs_test message 113005
logging trap gabs_test
logging asdm informational
logging facility 22
logging host internal [ip]

I’d also like to capture the user’s client, which is specified in this message:
%ASA-6-713184: Group = [group], Username = [user], IP = [internal_ip], Client Type: Linux Client Application Version: whatever

I need to disable the filter anyway while I add the new message, so I’ll just rewrite the event list with the messages in numerical order.* I’m also going to do this from the command line, because it is so much faster than going through the ASDM GUI:
vpn# config t
vpn(config)# ! disable the logging filter by setting the level
vpn(config)# ! back to notifications while we work
vpn(config)# logging trap notifications
vpn(config)# ! remove the logging filter entirely
vpn(config)# no logging list gabs_test
vpn(config)# ! re-create filter with additional messages
vpn(config)# logging list gabs_test level notifications
vpn(config)# logging list gabs_test message 113005
vpn(config)# logging list gabs_test message 113006
vpn(config)# logging list gabs_test message 302010
vpn(config)# logging list gabs_test message 713184
vpn(config)# logging list gabs_test message 713228
vpn(config)# ! re-enable the filter
vpn(config)# logging trap gabs_test
vpn(config)# exit

Make sure it looks right with ‘sh run | include logg’ and save it with ‘write’ or ‘copy run start’.
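
The "make sure it looks right" step can also be scripted. This is an added example, not part of the original post: it parses saved ‘sh run | include logg’ output and reports message IDs missing from the event list, or a trap still pointing at a severity level instead of the list. The function names and WANTED are hypothetical, the sample text is constructed from the listing above, and the handling of ID ranges (message start-end) goes beyond what the post uses.

```python
import re

# Constructed sample: `sh run | include logg` output expected after the rewrite.
AFTER = """\
logging enable
logging timestamp
logging list gabs_test level notifications
logging list gabs_test message 113005
logging list gabs_test message 113006
logging list gabs_test message 302010
logging list gabs_test message 713184
logging list gabs_test message 713228
logging trap gabs_test
logging asdm informational
logging facility 22
"""
WANTED = {113005, 113006, 302010, 713184, 713228}
LIST_RE = re.compile(r"^logging list (\S+) message (\d+)(?:-(\d+))?\s*$")
TRAP_RE = re.compile(r"^logging trap (\S+)\s*$")

def parse_logging(text):
    """Return ({list name: set of message IDs}, trap destination or None)."""
    lists, trap = {}, None
    for line in map(str.strip, text.splitlines()):
        m = LIST_RE.match(line)
        if m:
            first, last = int(m.group(2)), int(m.group(3) or m.group(2))
            lists.setdefault(m.group(1), set()).update(range(first, last + 1))
        elif line.startswith("logging list "):
            # level/class entry: the list exists even with no message IDs yet
            lists.setdefault(line.split()[2], set())
        elif (m := TRAP_RE.match(line)):
            trap = m.group(1)
    return lists, trap

def check_filter(text, list_name, wanted):
    """Return a list of problems; an empty list means the filter looks right."""
    lists, trap = parse_logging(text)
    if list_name not in lists:
        return [f"event list {list_name} is not defined"]
    problems = []
    missing = sorted(set(wanted) - lists[list_name])
    if missing:
        problems.append("missing message IDs: " + ", ".join(map(str, missing)))
    if trap != list_name:
        problems.append(f"logging trap is {trap}, not {list_name}")
    return problems

print(check_filter(AFTER, "gabs_test", WANTED) or "filter looks right")
```

An empty result means every wanted ID is in the list and the trap points at it; a trap left at notifications after the rewrite shows up as a problem.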


*Neatness counts, people!
