ASA Logging


SYSLOG is a standard for message logging that allows messages to be separated by severity level. The following table lists the syslog message severity levels as used by the Cisco ASA (0 is the most severe, 7 the least).

Level Severity
0 emergencies
1 alerts
2 critical
3 errors
4 warnings
5 notifications
6 informational
7 debugging

The Cisco ASA supports logging to multiple locations, including:

  • Internal log buffer
  • External SYSLOG servers
  • ASDM
  • Console Port
  • SSH Session (monitor)
  • Email

This post covers configuration of logging on the Cisco ASA firewall, using internal buffer, ASDM and an external SYSLOG server.

Configuration

By default, logging is disabled and must be explicitly enabled.

logging enable

Configure logging timestamps to include the date and time, which allows logging information to be correlated across devices.

logging timestamp

It is important that the Cisco ASA has the correct time: accurate, consistent timestamps on log messages throughout the network are what make events from different devices comparable, which aids troubleshooting and investigation.

Configure the NTP server(s):

ntp server 192.168.10.5 source INSIDE prefer 
ntp server 192.168.10.4 source INSIDE

Buffered Logging

Logging to the buffer is recommended over logging to the console or monitor sessions. The default buffer size is small and should be increased.

logging buffer-size 20000
logging buffered notifications

To view the log buffer, run the command show logging. From the output below we can confirm that syslog logging is enabled and that buffer logging is set to the notifications level. The buffer contains logs from severity level 1 – 5 (notification). Nothing above notification (5), i.e. informational or debugging messages, will be logged in the buffer.

ASA-1# show logging

Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Hide Username logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level notifications, 61 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled

External SYSLOG

The ASA logs can be sent to one or more external SYSLOG servers using UDP or TCP (the default is UDP if the protocol is not specified).

Configure the SYSLOG server on the INSIDE interface, using the TCP protocol on port 1514:

logging host INSIDE 192.168.10.15 tcp/1514

NOTE – When using TCP, if the SYSLOG server is down the ASA will, for security reasons, block new connections through the firewall until the SYSLOG server is reachable again.

To allow connections whilst the TCP SYSLOG server is unavailable, use the following command:

logging permit-hostdown

The command logging trap <level> defines which logging messages are sent to the external SYSLOG servers.

logging trap informational

Run the command show logging to confirm the settings. From the output below, we can confirm that logging is being sent to the configured SYSLOG server and that a connection has been established, having transmitted 19 packets. You can also see that the permit-hostdown setting is enabled.

ASA-1# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Hide Username logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level informational, facility 20, 878 messages logged
        Logging to INSIDE 192.168.10.15 tcp/1514 Connected TX:19
            TCP SYSLOG_PKT_LOSS:0
            TCP [Channel Idx/Not Putable counts]: [0/0]
            TCP [Channel Idx/Not Putable counts]: [1/0]
            TCP [Channel Idx/Not Putable counts]: [2/0]
            TCP [Channel Idx/Not Putable counts]: [3/0]

    Global TCP syslog stats::
        NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 192
        CHANNEL_FLAP_CNT: 192, SYSLOG_PKT_LOSS: 0
        PARTIAL_REWRITE_CNT: 0
    Permit-hostdown logging: enabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled

On the SYSLOG server itself we can confirm the messages are received.

Custom Event Lists

Sending all messages of a severity level might be excessive. With a Custom Event List you can specify the severity level and/or the individual message IDs to log. Multiple lists can be created to send different log messages or severity levels to different destinations.

Create a Custom Event List to log all messages at the errors level and above, plus the selected message IDs (710003, 106023 and 106100):

logging list SEND-TO-SYSLOG level errors
logging list SEND-TO-SYSLOG message 710003
logging list SEND-TO-SYSLOG message 106023
logging list SEND-TO-SYSLOG message 106100

The list can then be applied to a destination; in this instance the logs will be sent to the SYSLOG server.

logging trap SEND-TO-SYSLOG

On the SYSLOG server we can confirm that only log messages for the level and IDs specified in the custom event list are received.

ASDM Logging

Logs can also be sent to ASDM and viewed in the Real-Time Log Viewer. As with the other destinations, logs can be sent based on severity level or using a custom event list.

Create a custom event list to log Remote Access VPN login and logoff events (a message ID range is written as start-end):

logging list SEND-TO-ASDM message 113012-113019
logging list SEND-TO-ASDM message 737026

Apply the list to send the specified messages to ASDM:

logging asdm SEND-TO-ASDM

From the ASDM Real-Time Log Viewer we can confirm that only the log messages specified in the custom list are received in ASDM; in this instance the messages relate to RAVPN events.
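To check from the receiving side what the two custom event lists above (SEND-TO-SYSLOG: level errors plus IDs 710003, 106023, 106100; SEND-TO-ASDM: range 113012-113019 plus 737026) should let through, the following added example, which is not from the original post, models the ASA event-list matching rule (forward a message if it is at or above the list's severity level, or if its ID is in the list) and applies it to constructed sample ASA syslog lines. The sample lines and their severities are constructed for illustration.

```python
import re

# Syslog severity names as the ASA uses them, indexed by numeric level (0 = most severe).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# ASA message header, e.g. "%ASA-3-710003: TCP access denied by ACL ..."
HEADER_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")


def parse_asa_message(line):
    """Return (severity, message_id, text) from a raw ASA syslog line, or None if it is not one."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), int(m.group("msgid")), m.group("text")


def build_event_list(level=None, messages=()):
    """Model a 'logging list <name>' definition: an optional severity threshold plus
    explicit message IDs and 'start-end' ranges (the 'logging list ... message' syntax)."""
    ranges = []
    for item in messages:
        first, _, last = str(item).partition("-")
        ranges.append((int(first), int(last or first)))
    threshold = SEVERITY.index(level) if level else None
    return {"level": threshold, "ranges": ranges}


def event_list_matches(event_list, severity, msgid):
    """Forward if severity is at or above the threshold (numerically <=) or the ID is listed."""
    if event_list["level"] is not None and severity <= event_list["level"]:
        return True
    return any(lo <= msgid <= hi for lo, hi in event_list["ranges"])


def apply_event_list(event_list, lines):
    """Return the message IDs from `lines` that the list would send to its destination."""
    forwarded = []
    for line in lines:
        parsed = parse_asa_message(line)
        if parsed and event_list_matches(event_list, parsed[0], parsed[1]):
            forwarded.append(parsed[1])
    return forwarded


# Constructed sample messages (not captured from a real device); severities are illustrative.
SAMPLE_LINES = [
    "Jun 01 2024 10:00:01 ASA-1 : %ASA-3-710003: TCP access denied by ACL from 203.0.113.9/4444 to OUTSIDE:192.0.2.1/22",
    "Jun 01 2024 10:00:02 ASA-1 : %ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.9/4444 dst INSIDE:192.168.10.15/445 by access-group OUTSIDE-IN",
    "Jun 01 2024 10:00:03 ASA-1 : %ASA-6-106100: access-list INSIDE-IN permitted tcp INSIDE/192.168.10.20(50000) -> OUTSIDE/198.51.100.7(443)",
    "Jun 01 2024 10:00:04 ASA-1 : %ASA-5-111008: User 'admin' executed the 'logging trap SEND-TO-SYSLOG' command.",
    "Jun 01 2024 10:00:05 ASA-1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : user = bob",
    "Jun 01 2024 10:00:06 ASA-1 : %ASA-6-737026: IPAA: Client assigned 192.168.50.10 from local pool",
    "Jun 01 2024 10:00:07 ASA-1 : %ASA-2-106001: Inbound TCP connection denied from 203.0.113.9/5555 to 192.0.2.1/23 flags SYN on interface OUTSIDE",
    "ASA-1# show logging",
]

SEND_TO_SYSLOG = build_event_list("errors", [710003, 106023, 106100])
SEND_TO_ASDM = build_event_list(None, ["113012-113019", 737026])
```

Running apply_event_list(SEND_TO_SYSLOG, SAMPLE_LINES) forwards the three listed IDs plus the level-2 106001 message (it is above the errors threshold), while apply_event_list(SEND_TO_ASDM, SAMPLE_LINES) forwards only 113015 and 737026; the notifications-level 111008 message matches neither list.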

Full Configuration

The commands below represent the full logging configuration covered in this post.

logging enable
logging timestamp
logging list SEND-TO-SYSLOG level errors
logging list SEND-TO-SYSLOG message 710003
logging list SEND-TO-SYSLOG message 106023
logging list SEND-TO-SYSLOG message 106100
logging list SEND-TO-ASDM message 113012-113019
logging list SEND-TO-ASDM message 737026
logging buffer-size 21000
logging trap SEND-TO-SYSLOG
logging asdm SEND-TO-ASDM
logging host INSIDE 192.168.10.15 6/1514
logging permit-hostdown

Best Practices

The following list represents Cisco best practices regarding logging on the ASA.

For best security, NTP authentication should be configured (if the NTP server supports it), so that the ASA only accepts time from trusted servers:

ntp authentication-key 1 md5 <Passphrase>
ntp server 192.168.10.5 key 1
ntp server 192.168.10.4 key 1
ntp authenticate

Disable logging to console sessions and terminal lines (SSH); this ensures the CPU of the ASA is not overloaded by log output. If monitor or console logging is required, enable it only while troubleshooting and disable it once complete.

no logging monitor
no logging console

Additional Options

The table below lists other additional configurable logging options.

Command | Description
no logging message <syslog-id> | Prevent logging of the specified syslog message ID.
no logging hide username | Show invalid usernames in syslog messages.
logging message <syslog-id> level <severity-level> | Change the severity of a syslog message.
logging device-id hostname|context-name | Include the ASA device ID in syslog messages.
logging rate-limit <rate-limit-number> <rate-limit-interval> level|message <value> | Rate limit syslog message generation.

Reference

Cisco ASA 9.17 configuration guide – https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/configuration/general/asa-917-general-config/monitor-syslog.html
Cisco ASA SYSLOG Messages – https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/about.html